Skip to content
Snippets Groups Projects

Issue #3425451 by harivenuv, bohart: Handle multiple IPs in the header (split and use first valid one).

Merged Issue #3425451 by harivenuv, bohart: Handle multiple IPs in the header (split and use first valid one).
issue/reverse_proxy_header-3425451:3425451-1.1.x-multiple_ips into 1.1.x
Merged Bohdan Artemchuk requested to merge issue/reverse_proxy_header-3425451:3425451-1.1.x-multiple_ips into 1.1.x
Compare
and
3 files
+ 77
61
Compare changes
  • Side-by-side
  • Inline
Files
3
src/EventSubscriber/ReverseProxyHeaderClientIpRestore.php
+ 22
12
@@ -73,25 +73,35 @@ class ReverseProxyHeaderClientIpRestore implements EventSubscriberInterface {
*/
public function onRequest(RequestEvent $event): void {
// Check the available settings.
// Checks the available settings.
$reverse_proxy_header_name = $this->settings->get('reverse_proxy_header');
if (!$reverse_proxy_header_name) {
return;
}
// Check the header value.
$current_request = $event->getRequest();
$connecting_ip = $current_request->server->get($reverse_proxy_header_name);
if ($this->isInvalidIpAddress($connecting_ip, $reverse_proxy_header_name)) {
// Checks the header value.
$connecting_ips = $event->getRequest()->server->get($reverse_proxy_header_name);
if (empty($connecting_ips)) {
$this->logger->notice('Empty value retrieved from @header_name header.', ['@header_name' => $reverse_proxy_header_name]);
return;
}
// As the changed remote address will make it impossible to determine
// a trusted proxy, we need to make sure we set the right protocol as well.
// @see \Symfony\Component\HttpFoundation\Request::isSecure()
$event->getRequest()->server->set('HTTPS', $event->getRequest()->isSecure() ? 'on' : 'off');
$event->getRequest()->server->set('REMOTE_ADDR', $connecting_ip);
$event->getRequest()->overrideGlobals();
// Extracts the first valid IP address from the header.
$connecting_ips = array_map('trim', explode(',', $connecting_ips));
foreach ($connecting_ips as $connecting_ip) {
if (!$this->isInvalidIpAddress($connecting_ip, $reverse_proxy_header_name)) {
// As the changed remote address will make it impossible to determine
// a trusted proxy, we need to make sure we set the right protocol.
// @see \Symfony\Component\HttpFoundation\Request::isSecure()
$event->getRequest()->server->set('HTTPS', $event->getRequest()->isSecure() ? 'on' : 'off');
$event->getRequest()->server->set('REMOTE_ADDR', $connecting_ip);
$event->getRequest()->overrideGlobals();
return;
}
}
$this->logger->notice('No valid IP address found in the @header_name header.', ['@header_name' => $reverse_proxy_header_name]);
}
/**
@@ -115,7 +125,7 @@ class ReverseProxyHeaderClientIpRestore implements EventSubscriberInterface {
];
if (empty($ip_address)) {
$this->logger->notice('Empty IP address value retrieved from @header_name header is invalid.', $variables);
$this->logger->notice('Empty IP address value retrieved from @header_name header.', $variables);
return TRUE;
}