-rw-r--r--includes/bootstrap.inc11
-rw-r--r--modules/system/system.admin.inc14
-rw-r--r--sites/default/default.settings.php28
3 files changed, 36 insertions, 17 deletions
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index 048efcd44..a8da6fcb2 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -1101,9 +1101,14 @@ function ip_address() {
if (!isset($ip_address)) {
$ip_address = $_SERVER['REMOTE_ADDR'];
if (variable_get('reverse_proxy', 0) && array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER)) {
- // If there are several arguments, we need to check the most
- // recently added one, ie the last one.
- $ip_address = array_pop(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']));
+ // If an array of known reverse proxy IPs is provided, then trust
+ // the XFF header if request really comes from one of them.
+ $reverse_proxy_addresses = variable_get('reverse_proxy_addresses', array());
+ if (!empty($reverse_proxy_addresses) && in_array($ip_address, $reverse_proxy_addresses, TRUE)) {
+ // If there are several arguments, we need to check the most
+ // recently added one, i.e. the last one.
+ $ip_address = array_pop(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']));
+ }
}
}
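Review bot: The forwarded value at `$ip_address = array_pop(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']));` is used exactly as split, so a header of the usual `client, proxy` form leaves a leading space on the result, and nothing checks that it looks like an address before callers of ip_address() consume it. Splitting into a variable first and trimming would fix the whitespace part: `$forwarded = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);` followed by `$ip_address = trim(array_pop($forwarded));`. The new `if` also deserves a comment stating that with `reverse_proxy` enabled and an empty `reverse_proxy_addresses` the header is ignored and every request is attributed to REMOTE_ADDR, since sites that relied on the old setting alone will see different behaviour. ip_address() begins and ends outside the hunk.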
diff --git a/modules/system/system.admin.inc b/modules/system/system.admin.inc
index ee89a2db4..07168c502 100644
--- a/modules/system/system.admin.inc
+++ b/modules/system/system.admin.inc
@@ -1249,20 +1249,6 @@ function system_performance_settings() {
'#description' => t("This option can interfere with module development. It is recommended to only turn this on when your site is complete."),
);
- $form['reverse_proxy'] = array(
- '#type' => 'fieldset',
- '#title' => t('Reverse proxy'),
- '#description' => t('Proper extraction of client IP addresses when Drupal is behind a reverse proxy.'),
- );
-
- $form['reverse_proxy']['reverse_proxy'] = array(
- '#type' => 'radios',
- '#title' => t('Reverse proxy'),
- '#default_value' => variable_get('reverse_proxy', FALSE),
- '#options' => array(t('Disabled'), t('Enabled')),
- '#description' => t('Enable this setting to determine the correct IP address of the remote client by examining information stored in the X-Forwarded-For headers. X-Forwarded-For headers are a standard mechanism for identifying client systems connecting through a reverse proxy server, such as Squid or Pound. Reverse proxy servers are often used to enhance the performance of heavily visited sites and may also provide other site caching, security or encryption benefits. If this Drupal installation operates behind a reverse proxy, this setting should be enabled so that correct IP address information is captured in Drupal\'s session management, logging, statistics and access management systems; if you are unsure about this setting, do not have a reverse proxy, or Drupal operates in a shared hosting environment, this setting should be set to disabled.'),
- );
-
$form['#submit'][] = 'drupal_clear_css_cache';
$form['#submit'][] = 'drupal_clear_js_cache';
diff --git a/sites/default/default.settings.php b/sites/default/default.settings.php
index 6cc0aa4cc..4fc53c365 100644
--- a/sites/default/default.settings.php
+++ b/sites/default/default.settings.php
@@ -172,6 +172,34 @@ ini_set('url_rewriter.tags', '');
# 'site_name' => 'My Drupal site',
# 'theme_default' => 'minnelli',
# 'anonymous' => 'Visitor',
+/**
+ * reverse_proxy accepts a boolean value.
+ *
+ * Enable this setting to determine the correct IP address of the remote
+ * client by examining information stored in the X-Forwarded-For headers.
+ * X-Forwarded-For headers are a standard mechanism for identifying client
+ * systems connecting through a reverse proxy server, such as Squid or
+ * Pound. Reverse proxy servers are often used to enhance the performance
+ * of heavily visited sites and may also provide other site caching,
+ * security or encryption benefits. If this Drupal installation operates
+ * behind a reverse proxy, this setting should be enabled so that correct
+ * IP address information is captured in Drupal's session management,
+ * logging, statistics and access management systems; if you are unsure
+ * about this setting, do not have a reverse proxy, or Drupal operates in
+ * a shared hosting environment, this setting should be set to disabled.
+ */
+# 'reverse_proxy' => TRUE,
+/**
+ * reverse_proxy accepts an array of IP addresses.
+ *
+ * Each element of this array is the IP address of any of your reverse
+ * proxies. Filling this array Drupal will trust the information stored
+ * in the X-Forwarded-For headers only if Remote IP address is one of
+ * these, that is the request reaches the web server from one of your
+ * reverse proxies. Otherwise, the client could directly connect to
+ * your web server spoofing the X-Forwarded-For headers.
+ */
+# 'reverse_proxy_addresses' => array('a.b.c.d', ...),
# );
/**