Add the list of trusted proxy server IPs to the back end settings (see …

…#5830)
contao · Sep 25, 2013 · 5c0468e · 5c0468e
1 parent 5bcb9e7
commit 5c0468e
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 8 deletions.
diff --git a/contao/dca/tl_settings.php b/contao/dca/tl_settings.php
@@ -28,7 +28,7 @@
 	'palettes' => array
 	(
 		'__selector__'                => array('useSMTP'),
-		'default'                     => '{title_legend},websiteTitle;{date_legend},dateFormat,timeFormat,datimFormat,timeZone;{global_legend:hide},adminEmail,characterSet,minifyMarkup,gzipScripts,disableCron,coreOnlyMode,debugMode,bypassCache;{backend_legend},resultsPerPage,maxResultsPerPage,fileSyncExclude,doNotCollapse,staticFiles,staticPlugins;{frontend_legend},urlSuffix,cacheMode,rewriteURL,useAutoItem,addLanguageToUrl,doNotRedirectEmpty,folderUrl,disableAlias;{privacy_legend:hide},privacyAnonymizeIp,privacyAnonymizeGA;{security_legend:hide},allowedTags,displayErrors,logErrors,disableRefererCheck,disableIpCheck;{files_legend:hide},allowedDownload,validImageTypes,editableFiles,templateFiles,maxImageWidth,jpgQuality,gdMaxImgWidth,gdMaxImgHeight;{uploads_legend:hide},uploadPath,uploadTypes,uploadFields,maxFileSize,imageWidth,imageHeight;{search_legend:hide},enableSearch,indexProtected;{smtp_legend:hide},useSMTP;{modules_legend},inactiveModules;{sections_legend:hide},customSections;{timeout_legend:hide},undoPeriod,versionPeriod,logPeriod,sessionTimeout,autologin,lockPeriod;{chmod_legend:hide},defaultUser,defaultGroup,defaultChmod;{update_legend:hide},liveUpdateBase'
+		'default'                     => '{title_legend},websiteTitle;{date_legend},dateFormat,timeFormat,datimFormat,timeZone;{global_legend:hide},adminEmail,characterSet,minifyMarkup,gzipScripts,disableCron,coreOnlyMode,debugMode,bypassCache;{backend_legend},resultsPerPage,maxResultsPerPage,fileSyncExclude,doNotCollapse,staticFiles,staticPlugins;{frontend_legend},urlSuffix,cacheMode,rewriteURL,useAutoItem,addLanguageToUrl,doNotRedirectEmpty,folderUrl,disableAlias;{proxy_legend:hide},proxyServerIps;{privacy_legend:hide},privacyAnonymizeIp,privacyAnonymizeGA;{security_legend:hide},allowedTags,displayErrors,logErrors,disableRefererCheck,disableIpCheck;{files_legend:hide},allowedDownload,validImageTypes,editableFiles,templateFiles,maxImageWidth,jpgQuality,gdMaxImgWidth,gdMaxImgHeight;{uploads_legend:hide},uploadPath,uploadTypes,uploadFields,maxFileSize,imageWidth,imageHeight;{search_legend:hide},enableSearch,indexProtected;{smtp_legend:hide},useSMTP;{modules_legend},inactiveModules;{sections_legend:hide},customSections;{timeout_legend:hide},undoPeriod,versionPeriod,logPeriod,sessionTimeout,autologin,lockPeriod;{chmod_legend:hide},defaultUser,defaultGroup,defaultChmod;{update_legend:hide},liveUpdateBase'
 	),
 
 	// Subpalettes
@@ -202,6 +202,12 @@
 			'inputType'               => 'checkbox',
 			'eval'                    => array('tl_class'=>'w50')
 		),
+		'proxyServerIps' => array
+		(
+			'label'                   => &$GLOBALS['TL_LANG']['tl_settings']['proxyServerIps'],
+			'inputType'               => 'text',
+			'eval'                    => array('tl_class'=>'long')
+		),
 		'cacheMode' => array
 		(
 			'label'                   => &$GLOBALS['TL_LANG']['tl_settings']['cacheMode'],

diff --git a/contao/languages/en/tl_settings.xlf b/contao/languages/en/tl_settings.xlf
@@ -110,6 +110,12 @@
       <trans-unit id="tl_settings.cacheMode.1">
         <source>Here you can select the cache mode.</source>
       </trans-unit>
+      <trans-unit id="tl_settings.proxyServerIps.0">
+        <source>Trusted proxy servers</source>
+      </trans-unit>
+      <trans-unit id="tl_settings.proxyServerIps.1">
+        <source>Here you can enter a comma separated list of trusted proxy server IP addresses.</source>
+      </trans-unit>
       <trans-unit id="tl_settings.privacyAnonymizeIp.0">
         <source>Anonymize IP addresses</source>
       </trans-unit>
@@ -419,6 +425,9 @@
       <trans-unit id="tl_settings.frontend_legend">
         <source>Front end configuration</source>
       </trans-unit>
+      <trans-unit id="tl_settings.proxy_legend">
+        <source>Proxy configuration</source>
+      </trans-unit>
       <trans-unit id="tl_settings.sections_legend">
         <source>Layout sections</source>
       </trans-unit>

diff --git a/contao/library/Contao/Environment.php b/contao/library/Contao/Environment.php
@@ -321,19 +321,37 @@ protected static function url()
 	 */
 	protected static function ip()
 	{
-		if (!empty($_SERVER['HTTP_X_FORWARDED_FOR']) && preg_match('/^[A-Fa-f0-9, \.\:]+$/', $_SERVER['HTTP_X_FORWARDED_FOR']))
+		// No X-Forwarded-For IP
+		if (empty($_SERVER['HTTP_X_FORWARDED_FOR']) || !preg_match('/^[A-Fa-f0-9, \.\:]+$/', $_SERVER['HTTP_X_FORWARDED_FOR']))
 		{
-			$strIp = $_SERVER['HTTP_X_FORWARDED_FOR'];
+			return substr($_SERVER['REMOTE_ADDR'], 0, 64);
+		}
+
+		$strXip = $_SERVER['HTTP_X_FORWARDED_FOR'];
+		$arrTrusted = trimsplit(',', $GLOBALS['TL_CONFIG']['proxyServerIps']);
 
-			// Only show the first IP (see #5830)
-			if (strpos($strIp, ',') !== false)
+		// Generate an array of X-Forwarded-For IPs
+		if (strpos($strXip, ',') !== false)
+		{
+			$arrIps = trimsplit(',', $strXip);
+		}
+		else
+		{
+			$arrIps = array($strXip);
+		}
+
+		$arrIps = array_reverse($arrIps);
+
+		// Return the first untrusted IP address (see #5830)
+		foreach ($arrIps as $strIp)
+		{
+			if (!in_array($strIp, $arrTrusted))
 			{
-				list($strIp,) = trimsplit(',', $strIp);
+				return substr($strIp, 0, 64);
 			}
-
-			return substr($strIp, 0, 64);
 		}
 
+		// If all X-Forward-For IPs are trusted, return the remote address
 		return substr($_SERVER['REMOTE_ADDR'], 0, 64);
 	}