Commit f337abfa authored by Gábor Hojtsy's avatar Gábor Hojtsy

#173408 by markus_petrux / add1sun: move proxy IP configuration options to...

#173408 by markus_petrux / add1sun: move proxy IP configuration options to settings.php, because these need to be used before Drupal has the variables loaded from the database
parent 6dd28caf
......@@ -1101,9 +1101,14 @@ function ip_address() {
if (!isset($ip_address)) {
$ip_address = $_SERVER['REMOTE_ADDR'];
if (variable_get('reverse_proxy', 0) && array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER)) {
// If there are several arguments, we need to check the most
// recently added one, ie the last one.
$ip_address = array_pop(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']));
// If an array of known reverse proxy IPs is provided, then trust
// the XFF header if request really comes from one of them.
$reverse_proxy_addresses = variable_get('reverse_proxy_addresses', array());
if (!empty($reverse_proxy_addresses) && in_array($ip_address, $reverse_proxy_addresses, TRUE)) {
// If there are several arguments, we need to check the most
// recently added one, i.e. the last one.
$ip_address = array_pop(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']));
}
}
}
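Review bot: The forwarded address taken at `array_pop(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']))` is used as-is, so with the usual `client, proxy` header form the stored value keeps its leading space and is never checked to be an IP address. Callers are not visible here, but anything that compares the result of ip_address() against stored addresses would then fail to match, and calling array_pop() on a function result also raises a by-reference notice under strict error reporting. I would split the line into `$forwarded = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);` and `$ip_address = trim(array_pop($forwarded));`. With more than one trusted proxy in the chain the last entry is itself a proxy, so the list should presumably be walked from the right, skipping entries found in `$reverse_proxy_addresses`. ip_address() starts and ends outside this hunk.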
......
......@@ -1249,20 +1249,6 @@ function system_performance_settings() {
'#description' => t("This option can interfere with module development. It is recommended to only turn this on when your site is complete."),
);
$form['reverse_proxy'] = array(
'#type' => 'fieldset',
'#title' => t('Reverse proxy'),
'#description' => t('Proper extraction of client IP addresses when Drupal is behind a reverse proxy.'),
);
$form['reverse_proxy']['reverse_proxy'] = array(
'#type' => 'radios',
'#title' => t('Reverse proxy'),
'#default_value' => variable_get('reverse_proxy', FALSE),
'#options' => array(t('Disabled'), t('Enabled')),
'#description' => t('Enable this setting to determine the correct IP address of the remote client by examining information stored in the X-Forwarded-For headers. X-Forwarded-For headers are a standard mechanism for identifying client systems connecting through a reverse proxy server, such as Squid or Pound. Reverse proxy servers are often used to enhance the performance of heavily visited sites and may also provide other site caching, security or encryption benefits. If this Drupal installation operates behind a reverse proxy, this setting should be enabled so that correct IP address information is captured in Drupal\'s session management, logging, statistics and access management systems; if you are unsure about this setting, do not have a reverse proxy, or Drupal operates in a shared hosting environment, this setting should be set to disabled.'),
);
$form['#submit'][] = 'drupal_clear_css_cache';
$form['#submit'][] = 'drupal_clear_js_cache';
......
......@@ -172,6 +172,34 @@
# 'site_name' => 'My Drupal site',
# 'theme_default' => 'minnelli',
# 'anonymous' => 'Visitor',
/**
* reverse_proxy accepts a boolean value.
*
* Enable this setting to determine the correct IP address of the remote
* client by examining information stored in the X-Forwarded-For headers.
* X-Forwarded-For headers are a standard mechanism for identifying client
* systems connecting through a reverse proxy server, such as Squid or
* Pound. Reverse proxy servers are often used to enhance the performance
* of heavily visited sites and may also provide other site caching,
* security or encryption benefits. If this Drupal installation operates
* behind a reverse proxy, this setting should be enabled so that correct
* IP address information is captured in Drupal's session management,
* logging, statistics and access management systems; if you are unsure
* about this setting, do not have a reverse proxy, or Drupal operates in
* a shared hosting environment, this setting should be set to disabled.
*/
# 'reverse_proxy' => TRUE,
/**
* reverse_proxy accepts an array of IP addresses.
*
* Each element of this array is the IP address of any of your reverse
* proxies. Filling this array Drupal will trust the information stored
* in the X-Forwarded-For headers only if Remote IP address is one of
* these, that is the request reaches the web server from one of your
* reverse proxies. Otherwise, the client could directly connect to
* your web server spoofing the X-Forwarded-For headers.
*/
# 'reverse_proxy_addresses' => array('a.b.c.d', ...),
# );
/**
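Review bot: The second docblock is headed `reverse_proxy accepts an array of IP addresses.` but documents the `reverse_proxy_addresses` key, and its wording reads as if the list were optional hardening. In the ip_address() change in this commit the X-Forwarded-For header is only used when `reverse_proxy_addresses` is non-empty and contains REMOTE_ADDR. A site that sets only `'reverse_proxy' => TRUE` therefore keeps recording the proxy's own address for every visitor in logging and access management. I would retitle the block `reverse_proxy_addresses accepts an array of IP addresses.` and add a sentence such as `This array must be filled in for reverse_proxy to have any effect.`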
......