From c2366b85b3e1692ed09bb142db148276f7e0e601 Mon Sep 17 00:00:00 2001 From: Brendan Heywood Date: Wed, 5 Feb 2020 23:14:39 +1100 Subject: [PATCH] MDL-67861 core: Added $CFG->reverseproxyignore IP subnet list If your server is behind multiple reverse proxies that append to the X-Forwarded-For header then you will need to specify a comma separated list of ip addresses or subnets of the reverse proxies to be ignored in order to find the users correct IP address. --- admin/settings/server.php | 1 + lang/en/admin.php | 2 ++ lib/moodlelib.php | 5 +++++ 3 files changed, 8 insertions(+) diff --git a/admin/settings/server.php b/admin/settings/server.php index 9e63f35fa070d..d846bc677a935 100644 --- a/admin/settings/server.php +++ b/admin/settings/server.php @@ -95,6 +95,7 @@ $temp->add(new admin_setting_configselect('getremoteaddrconf', new lang_string('getremoteaddrconf', 'admin'), new lang_string('configgetremoteaddrconf', 'admin'), GETREMOTEADDR_SKIP_HTTP_X_FORWARDED_FOR|GETREMOTEADDR_SKIP_HTTP_CLIENT_IP, $options)); +$temp->add(new admin_setting_configtext('reverseproxyignore', new lang_string('reverseproxyignore', 'admin'), new lang_string('configreverseproxyignore', 'admin'), '')); $temp->add(new admin_setting_heading('webproxy', new lang_string('webproxy', 'admin'), new lang_string('webproxyinfo', 'admin'))); $temp->add(new admin_setting_configtext('proxyhost', new lang_string('proxyhost', 'admin'), new lang_string('configproxyhost', 'admin'), '', PARAM_HOST)); diff --git a/lang/en/admin.php b/lang/en/admin.php index a2c3c11f95455..629745df1a51d 100644 --- a/lang/en/admin.php +++ b/lang/en/admin.php 
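Review bot: In admin/settings/server.php the new `reverseproxyignore` setting is registered with no parameter type or validation, unlike `proxyhost` two lines below, which passes `PARAM_HOST`. The stored string decides which X-Forwarded-For entries getremoteaddr() discards, so a typo silently leaves a proxy un-ignored and an over-broad range discards every forwarded address. Each comma-separated entry should be validated as an IP address or CIDR subnet when the setting is saved. If admin_setting_configtext accepts a `/pattern/` as its fifth argument (my recollection, to be confirmed), passing `'/^[0-9a-fA-F:.\/,\s-]*$/'` there would at least reject stray characters. The help string should also say that only proxies under the site's own control belong in this list.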
@@ -329,6 +329,7 @@ $string['configrequestedstudentsname'] = 'Word for students used in requested courses'; $string['configrequestedteachername'] = 'Word for teacher used in requested courses'; $string['configrequestedteachersname'] = 'Word for teachers used in requested courses'; +$string['configreverseproxyignore'] = 'If your server is behind multiple reverse proxies that append to the X-Forwarded-For header then you will need to specify a comma separated list of ip addresses or subnets of the reverse proxies to be ignored in order to find the users correct IP address.'; $string['configsectioninterface'] = 'Interface'; $string['configsectionmail'] = 'Mail'; $string['configsectionmaintenance'] = 'Maintenance'; @@ -1064,6 +1065,7 @@ $string['restorernewroleid_help'] = 'If the user does not already have the permission to manage the newly restored course, the user is automatically assigned this role and enrolled if necessary. Select "None" if you do not want restorers to be able to manage every restored course.'; $string['resultfilter'] = 'Filter by result'; $string['reverseproxy'] = 'Reverse proxy'; +$string['reverseproxyignore'] = 'Ignore reverse proxies'; $string['riskconfig'] = 'Users could change site configuration and behaviour'; $string['riskconfigshort'] = 'Configuration risk'; $string['riskdataloss'] = 'Users could destroy large amounts of content or information'; diff --git a/lib/moodlelib.php b/lib/moodlelib.php index 65f5a285d5c11..cf2e9fdc2e406 100644 --- a/lib/moodlelib.php +++ b/lib/moodlelib.php 
@@ -9205,6 +9205,11 @@ function getremoteaddr($default='0.0.0.0') { if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) { $forwardedaddresses = explode(",", $_SERVER['HTTP_X_FORWARDED_FOR']); + $forwardedaddresses = array_filter($forwardedaddresses, function($ip) { + global $CFG; + return !\core\ip_utils::is_ip_in_subnet_list($ip, $CFG->reverseproxyignore, ','); + }); + // Multiple proxies can append values to this header including an // untrusted original request header so we must only trust the last ip. $address = end($forwardedaddresses);
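Review bot: If every entry in X-Forwarded-For matches `$CFG->reverseproxyignore` (a client inside the proxy subnet, or an over-broad range), `array_filter` returns an empty array and `end($forwardedaddresses)` yields `false`. That value then flows into the rest of getremoteaddr(), which lies outside this hunk, so the code should check `empty($forwardedaddresses)` before `end()` and fall back to the next address source. The closure also reads `$CFG->reverseproxyignore` unconditionally, so a site where the setting is not yet defined, for example before it has been saved, hits an undefined property and passes null to the helper. The pieces from `explode(",", …)` are passed untrimmed, and whether `is_ip_in_subnet_list` tolerates the leading space of a typical `a, b, c` header is not visible here. Both are covered by `return !\core\ip_utils::is_ip_in_subnet_list(trim($ip), $CFG->reverseproxyignore ?? '', ',');`.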