OK this one is going to be a bit of a problem.

I run a local niche site and almost all the members will be using the same ISP (namely NTL). Unfortunately Drupal is recording the proxy address and not the real IP so all entries, regardless of user, are 213.105.224.15 which is our local hub.

This means anon members cannot vote and I cannot obtain log information on a member if a ban on an IP level is needed.

Is there a solution to this? I'm running the latest 4.7.2.

Please help.

Comments

Cromicon’s picture

Hi,

This is because it's looking for the $_SERVER['REMOTE_ADDR'] variable which is set by the proxy with its own IP. The actual user IP is stored in the $_SERVER['HTTP_X_FORWARDED_FOR'] so a quick and very dirty unrecommended fix is to replace instances of ['REMOTE_ADDR'] with ['HTTP_X_FORWARDED_FOR']....

However, if you do that then if anyone is not using a proxy the ['HTTP_X_FORWARDED_FOR'] doesn't hold information because the HTTP requests weren't actually forwarded by a proxy so you get no IP information, that's why it's a quick and dirty fix.

The best solution would be to check for $_SERVER['HTTP_X_FORWARDED_FOR'] and if it has information, to use that. If not then use $_SERVER['REMOTE_ADDR'] so some logic would need to be coded for that.

desm0n’s picture

Thanks for the reply. As you say, it needs some logic to work in both situations, I think.

Maybe this is something that seriously needs addressing, as it renders anon access almost completely non-functional due to the likelihood of using the same cache. Also, you can't track or ban a user via IP as it's unreliable; you may inadvertently ban an entire ISP.

I think Drupal core should be changed in this light to record real IP addresses and not the proxy ones.

What does everyone else think?

Cromicon’s picture

Personally, I agree with you. As more and more people switch to DSL/cable this is going to become more of an issue than it already is. In fact, I'd be very surprised if it's not been discussed before somewhere along the line.

If I had the knowledge of PHP I'd do it and submit it myself. If anyone can have a go at this I'd gladly add it to my own site's core and cross my fingers the Drupal team introduce it. It's a good potential fix.

Steven’s picture

The problem is that it is easy to fake X_FORWARDED_FOR when you are not using a proxy. So if you want to use it to avoid duplicate voting, you're inviting abuse.

--
If you have a problem, please search before posting a question.
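
The fallback logic Cromicon describes, combined with Steven's caveat, as an added example that is not part of the thread or of Drupal core: X-Forwarded-For is honoured only when the request arrives from a proxy you trust. The function name example_client_ip, the $trusted_proxies list and the sample requests are assumptions made for illustration.

```php
<?php
// Added example, not Drupal core code. $trusted_proxies is a site-specific
// assumption: list only proxies whose X-Forwarded-For you are willing to trust.
function example_client_ip(array $server, array $trusted_proxies) {
  $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
  // A direct client can send any X-Forwarded-For value it likes, so the
  // header is ignored unless the TCP peer is a known proxy.
  if (!in_array($remote, $trusted_proxies, TRUE)
      || empty($server['HTTP_X_FORWARDED_FOR'])) {
    return $remote;
  }
  // Proxies append the peer they saw, so read right to left and stop at the
  // first hop that is not one of our trusted proxies.
  $hops = array_reverse(array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'])));
  foreach ($hops as $hop) {
    if (filter_var($hop, FILTER_VALIDATE_IP) === FALSE) {
      return $remote;  // malformed entry: fall back to the peer address
    }
    if (!in_array($hop, $trusted_proxies, TRUE)) {
      return $hop;
    }
  }
  return $remote;
}

// Constructed sample requests. 213.105.224.15 is the ISP proxy from the thread;
// 192.0.2.x / 198.51.100.x / 203.0.113.x are documentation addresses.
$trusted = array('213.105.224.15');
$samples = array(
  'via ISP proxy' => array('REMOTE_ADDR' => '213.105.224.15',
                           'HTTP_X_FORWARDED_FOR' => '192.0.2.44'),
  'direct, forged header' => array('REMOTE_ADDR' => '198.51.100.7',
                           'HTTP_X_FORWARDED_FOR' => '203.0.113.99'),
  'direct, no header' => array('REMOTE_ADDR' => '198.51.100.7'),
  'proxy, forged prefix' => array('REMOTE_ADDR' => '213.105.224.15',
                           'HTTP_X_FORWARDED_FOR' => '203.0.113.99, 192.0.2.44'),
  'proxy, garbage header' => array('REMOTE_ADDR' => '213.105.224.15',
                           'HTTP_X_FORWARDED_FOR' => '<script>'),
);
foreach ($samples as $label => $server) {
  printf("%-22s => %s\n", $label, example_client_ip($server, $trusted));
}
```

Even behind a trusted proxy the resolved address is only what that proxy reported, so it suits logging and coarse rate limits better than a one-vote-per-person guarantee.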

desm0n’s picture

Voting always lends itself to abuse in whatever system you use :( It's just part of the course, I think.

However, having the real IP is at least advantageous for numerous other benefits, including voting.

If the member is abusive you could report them to their ISP for instance, ban them etc. You'll also have a recognised record of where they are coming from.

Granted, again, IPs can be spoofed with third party websites and software so no system is going to be perfect, but I feel at least establishing the real IP of a proxied user is a start. As it is now, for the most part, the IP we are handed is next to useless.

desm0n’s picture

Yes, I'm extremely surprised it hasn't already been implemented, in all honesty. All my demographics are from one small catchment area and all I see reported in the logs of Drupal are the proxied IP. This means that if a member is abusive I could only ban his username and not issue a permanent ban through his IP address either within Drupal or through .htaccess. phpBB, vBulletin or countless other CMS and forum software record the IP, not the proxy, so it's achievable.

Likewise, voting and other modules that rely on checking for IP will not function at the level they should as everyone, in essence, has the same IP. We opened voting up to anon members, one voted and then it meant no other in the area could without having an account and logging in. Making it defunct :(

Let's hope someone, somewhere can commit some changes to core on this as it's much needed.

Cromicon’s picture

This is the type of code we need I think. Could do with some integration work as it's just a snippet that displays information and little else but the logic is there.

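<?php
// Read the values from $_SERVER; the bare $HTTP_* globals need register_globals.
$remote = $_SERVER['REMOTE_ADDR'];
if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])):
        // Header values are client-supplied, so escape them before output.
        $via = isset($_SERVER['HTTP_VIA']) ? $_SERVER['HTTP_VIA'] : '';
        echo "Proxy Name " . htmlspecialchars($via);
        echo "Proxy IP $remote";
        echo gethostbyaddr($remote);
        echo "Your Real IP " . htmlspecialchars($_SERVER['HTTP_X_FORWARDED_FOR']);
else:
        // Direct access to the Internet, without a proxy
        echo "Real IP $remote";
endif;
?>
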
Cromicon’s picture

Actually this may be more necessary than I thought. It could be user error but my neighbour is on NTL as I am and we both share the same proxy. When I log off the site, Drupal appears to log her off too!

What module needs to be altered? Is it user.module?

desm0n’s picture

This is what I've been trying to say.

The way Drupal refers to IP at the moment is wrong and needs addressing. Other modules rely on Drupal core for the IP and some functions are not usable the way it is now.

Using proxy IPs and ISP caches opens up lots of issues and reduces features in modules. We really need this addressed, I feel, and I'm quite amazed that Drupal has reached 4.7 without the issue coming to light.

Cromicon’s picture

Test this out. http://drupal.org/node/72071
I asked for help in the core forum and Kompressor wrote some code out we can try.