Take care of X-Forwarded-For header only if Remote-Addr is known, in ip_address() [#185302]

Hi,

I'm currently checking Drupal before using it. First, we're going to use it for user blogs, then we plan to move almost the whole features of the site.

The web servers (Apaches) of this site are located behing a reverse proxy (Squid in accel mode), so it's nice to see that now Drupal has implemented a method in core to capture the IP used by the user. Related issues: 142773 and 169263, I think.

So... we could enable the option that makes function ip_address() look at the X-Forwarded-For header and it seems it's ok like that, BUT...

...the site is reachable also from direct access to the web servers, bypassing Squid, hence opening the possibility for users to spoof their IP addresses.

So, if a site's behind a reverse proxy (actually 2 of them) but can also be reached directly (direct access to the Apaches for several reasons is alloed), the user IP address can still be spoofed. That's the reason I'm flagging this issue as a bug report, not sending it to the security team 'cause as far as I can tell, this affects only 6.x which is in beta stage.

The only solution to this I can think now is to patch the code so the X-Forwarded-For header is tructed only when the request really comes from the reverse proxy. Maybe adding config options to allow site admis enter the reverse proxy IPs.

In the meantime, we'll probably open the blog functionally before 6.x gets finished, so we've focussed on 5.x. Here I've implemented the same functionallity through a code snippet added to the settings.php script, which is executed on top of almost anything else. In this code snippet I'm trusting the X-Forwarded-For header ONLY if Remote-Addr is known, ie. it corresponds to the IP address of one of our proxies. Otherwise, it's a sign that the request reaches the web server from somewhere else, and that's the IP address that we need to look at as the user IP.

Comments

Comment #1

markus_petrux commented 6 November 2007 at 12:11

Status:

Closed (duplicate)

» Active

If that helps, the code snippet we will be using in settings.php looks like this:

/**
 * If Drupal is behind a reverse proxy, we use the X-Forwarded-For header
 * instead of $_SERVER['REMOTE_ADDR'], which would be the IP address
 * of the proxy server, and not the client's.
 * BUT, we can only trust the X-Forwarded-For header if $_SERVER['REMOTE_ADDR']
 * matches one of our reverse proxies. Otherwise, it's a sign that someone is
 * trying to spoof the client's IP address, so we end the request just here.
 */
$squid_ips = array(
  'xxx.xxx.xxx.xxx',
  'xxx.xxx.xxx.xxx'
);
// If there's a proxy cache header in place...
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
  // Abort if client ip is not one of known proxies.
  if (!in_array($_SERVER['REMOTE_ADDR'], $squid_ips)) {
    echo 'ERROR: 0101';
    exit;
  }
  // If there are several arguments, the leftmost one is the farthest client
  $proxy_ip = trim(array_pop(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'])));
  // Validate the format of the IP that comes from a potentially spoofed header
  if (!preg_match('#^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$#', $proxy_ip, $proxy_ip_parts)) {
    echo 'ERROR: 0102';
    exit;
  }
  unset($proxy_ip_parts[0]);
  $proxy_ip_parts = array_map('intval', $proxy_ip_parts);
  $proxy_ip_numfixed = implode('.', $proxy_ip_parts);
  if ($proxy_ip_numfixed != $proxy_ip) {
    echo 'ERROR: 0103';
    exit;
  }
  // Ok, let's take the X-Forwarded-For header as Remote-Addr.
  $_SERVER['REMOTE_ADDR'] = $proxy_ip;
}