Re: [squid-users] HTTP Header

From: Matus UHLAR - fantomas <uhlar_at_fantomas.sk>
Date: Fri, 9 Jan 2009 10:54:28 +0100

> Mehmet �ELiK wrote:
> >>In your vBulletin includes/init.php file change "define('IPADDRESS',
> >>$_SERVER['REMOTE_ADDR']);" to "define('IPADDRESS',
> >>$_SERVER['HTTP_X_FORWARDED_FOR']);".
> >>
> >
> >No. I don't this. Because, this is not right method..

On 09.01.09 22:40, Amos Jeffries wrote:
> In my PHP-apps I do the equivalent of this:
>
> if ($trust_XFF && $_SERVER['HTTP_X_FORWARDED_FOR'])
> define('IPADDRESS', $_SERVER['HTTP_X_FORWARDED_FOR']);
> else
> define('IPADDRESS', $_SERVER['REMOTE_ADDR']);

Is that working? Afaik, x-forwarded-for may contain more IP addresses, where
not all of them may be trusted. I think that proper validator should have
list of (un)trusted networks and match REMOTE_ADDR and HTTP_X_FORWARDED_FOR
until untrusted IP is found (the same waty as squid's follow_x_forwarded_for
directive does.

If anyone have such PHP, please paste a link. I think that could be used in
many other PHP applications (and I'd post that to horde people)

-- 
Matus UHLAR - fantomas, [email protected] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
WinError #99999: Out of error messages.
Received on Fri Jan 09 2009 - 09:54:34 MST

This archive was generated by hypermail 2.2.0 : Fri Jan 09 2009 - 12:00:02 MST