Shared IPs 127.0.0.1

JoyFreak

Well-known member
I have just spam cleaned a member when I noticed that they have shared IPs with me and a few others. Turns out it’s 127.0.0.1 which is localhost.

Is this a bug and how is this possible?

Edit: I did change hosts on Monday and I think it must have started from then. So how do I even troubleshoot this to determine the cause/fix?
 
Do you use, or have you recently used, Stackpath? I noticed this when I was using Stackpath as a CDN. As soon as I switched from Stackpath to Cloudflare the issue went away and I haven't noticed it since.
 
XF attempts to handle Cloudflare automatically. You or your host will need to configure your server to pass the correct IPs to the web server/PHP.
 
The value is pulled directly from PHP ($_SERVER['REMOTE_ADDR']), so if anything but the real IP is showing then it isn't being set correctly.
 
The value is pulled directly from PHP ($_SERVER['REMOTE_ADDR']), so if anything but the real IP is showing then it isn't being set correctly.
What isn't being set correctly? Can you be more specific where I need to look/configure? As this is a clean installation on Cloudways. So unless this is something out of the ordinary that Cloudways does.

If you can confirm what configuration is causing this issue, that will be more helpful.
 
Last edited:
If you can confirm what configuration is causing this issue, that will be more helpful.
I'm not able to confirm anything because it is dependent on your server environment and configuration. PHP has a standardized method of retrieving the user's IP address, and XF simply asks for that. If PHP is returning an incorrect value, it could be any number of things.

I can speculate, like others, that this is usually the result of using a reverse-proxy or load balancer of some sort. If that's the case, the above trick may work, but as @digitalpoint noted it's best to validate the origin IP is trusted before overwriting it. I'm not familiar with Cloudways, but seeing as it is a managed service I would ask them to sort it out.
 
FWIW, it's probably going to be safe to swap $_SERVER['REMOTE_ADDR'] with whatever header is carrying the user's true IP if $_SERVER['REMOTE_ADDR'] === '127.0.0.1'. If you can't trust localhost, you should probably address that first. :)
 
FWIW, it's probably going to be safe to swap $_SERVER['REMOTE_ADDR'] with whatever header is carrying the user's true IP if $_SERVER['REMOTE_ADDR'] === '127.0.0.1'. If you can't trust localhost, you should probably address that first. :)

Code:
if (isset($_SERVER['HTTP_X_FORWARDED_FOR']))
{
$_SERVER['REMOTE_ADDR'] === '127.0.0.1';
}

Like so?
 
Code:
if (isset($_SERVER['HTTP_X_FORWARDED_FOR']))
{
$_SERVER['REMOTE_ADDR'] === '127.0.0.1';
}

Like so?
No, I just mean something like this (only overwrite REMOTE_ADDR if it's currently set to a trusted source):

PHP:
if (!empty($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] === '127.0.0.1')
{
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR'];
}
 
Hint for future use--to see what is available to PHP, open up PHP Info by clicking the PHP version number:

1704388685238.webp


Find the PHP Variables section, and you should see many $_SERVER variables listed. Four of those (on my server) are populated with IP addresses:

$_SERVER['HTTP_X_FORWARDED_FOR']
$_SERVER['HTTP_CF_CONNECTING_IP']
$_SERVER['SERVER_ADDR']
$_SERVER['REMOTE_ADDR']

If you find one of these with the localhost address, you can discover where it is coming from. And among those, you should also be able to find the IP address you are visiting the forum from. $_SERVER['SERVER_ADDR'] shows the private network address at my host, so that is not applicable to the problem here. And $_SERVER['HTTP_CF_CONNECTING_IP'] is Cloudflare specific.
 
Back
Top Bottom