Lack of interest Show proper IP when behind reverse-proxy

[Rasmus Vind]

Many people use reverse-proxies these days. Common types are Cloudflare, Varnish, Nginx. Reverse-proxies work just fine with XenForo, however, when looking at the IP log, you will find that ALL registered IPs are by your proxy and not your user.
Because of this, I suggest that we add an option to the Options page allowing you to look at the 'X-Forwarded-For' header stead of REMOTE_ADDR.

Basically, this would add a bit more logic to XenForo_Helper_Ip where it looks at $request->getServer('
HTTP_X_FORWARDED_FOR') and $_SERVER['
HTTP_X_FORWARDED_FOR'] but only if the option was enabled.

I would like the option to exist because many people are not using proxies and if there is no proxy, people can fake their IP with this instead.

I could do this myself if XenForo_Helper_Ip was dynamically loaded like many other classes are. Sadly, it isn't .

 

[Paul B]

It may not be the HTTP_X_FORWARDED_FOR setting which needs to be changed though - it depends on server configuration.

It could be HTTP_CF_CONNECTING_IP, _SERVER['HTTP_X_REAL_IP'] or some other _SERVER value.

The best way to manage this is by editing the config,php file.

 

[James]

You can override this in config.php, see point 7 here:

https://xenforo.com/community/threads/frequently-asked-questions.5183/#post-282417

 

[Rasmus Vind]

Ah that is excellent. I am sorry for asking a frequently asked question.

 

[bolef2k]

Adding the code to the src/config.php finally resolved the issue:

if (isset($_SERVER['HTTP_X_FORWARDED_FOR']))
{
$_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR'];
}

 

[stromb0li]

Adding the code to the src/config.php finally resolved the issue:

Was this for 1.x? 2.2.13 handles this properly for me today behind a proxy. @Paul B I think this can marked as implemented?

 

[digitalpoint]

Adding the code to the src/config.php finally resolved the issue:

You really don't want to do that blindly (without validating the actual IP address the request is coming from). You should only do it if the request comes from known/trusted IPs.

Doing a swap like that allows anyone visiting your site to set the HTTP_X_FORWARDED_FOR header in their HTTP request to anything they want. So a user that is sufficiently technical enough to know how to set HTTP request headers could set the IP to anything they feel like.

 

[bolef2k]

I am running v2.2.13 and it works there by just pasting it into the config. After that the forum was also able toa ctually show how many visitors we have in the forum.