[TYPO3-core] RFC: Fix bug #7397: Proxy servers replace REMOTE_ADDR with their own IP

Martin Kutschker Martin.Kutschker at n0spam-blackbox.net
Fri Feb 22 14:56:17 CET 2008


REMINDER

Martin Kutschker wrote:
> Michael Stucki wrote:
>> This is a SVN patch request.
>>
>> Problem:
>> When requesting the client's REMOTE_ADDR, it can happen that there is a
>> proxy in between server and client, which replaces the value with its
>> own IP, and puts the original IP in HTTP_X_FORWARDED_FOR instead.
>>
>> Solution:
>> Add a new configuration option to send HTTP_X_FORWARDED_FOR when
>> requesting the REMOTE_ADDR.
> 
> Here's a new patch. This one is more secure as it ties TYPO3 to a set of 
> known proxies. Furthermore you may define that one or more proxies use 
> SSL in connection to the Internet. And additionally it's possible to add 
> a prefix for http and https proxies in case there is a (weird) path 
> changing proxy setup in place (seems to be the case with some mass 
> SSL-BE hosters).
> 
> What the patch doesn't do is take care of possible port problems. I 
> guess it's possible that the proxy uses 80, but the internal server uses 
> a non-standard port. This will probably lead to trouble.
> 
>> Comments:
>> I am not sure how to deal with the REMOTE_HOST field. I suppose it
>> must be wrong, too, but there seems to be no replacement for it.
>> Currently, I also send HTTP_X_FORWARDED_FOR when asking for REMOTE_HOST,
>> however there could be conflicts when a hostname is requested, and an
>> IP is returned(?)
> 
> Use HTTP_X_FORWARDED_FOR. My patch doesn't do anything if that is not 
> present, but of course we could do a DNS lookup of the IP address 
> returned in HTTP_X_FORWARDED_FOR.
> 
> Please have a careful look at this patch. I have just now compiled it 
> from my own stuff, ideas of Henning Pingel and Dmitry. That means that 
> the patch as-is is not tested.
> 
> Masi
> 
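
The approach described in the quoted mail (honour HTTP_X_FORWARDED_FOR only when REMOTE_ADDR is one of a configured set of known proxies), as an added PHP example. It is not the patch under discussion or TYPO3 code; the function names, the proxy list and the sample requests are assumptions constructed for illustration.

```php
<?php
// Added example, not TYPO3 code; names and addresses are hypothetical.

/** Exact-match check against the configured proxies, compared in binary
 *  form so different spellings of one IPv6 address still match. */
function isKnownProxy(string $ip, array $proxies): bool
{
    $bin = @inet_pton($ip);
    if ($bin === false) {
        return false;
    }
    foreach ($proxies as $proxy) {
        if (@inet_pton($proxy) === $bin) {
            return true;
        }
    }
    return false;
}

/** Client address for a request, given $_SERVER-style input. */
function resolveClientIp(array $server, array $proxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    $xff    = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    // Any client can send the header; honour it only from a known proxy.
    if ($xff === '' || !isKnownProxy($remote, $proxies)) {
        return $remote;
    }
    // Each proxy appends the peer it saw, so walk right to left and stop
    // at the first hop that is not one of our proxies.
    foreach (array_reverse(array_map('trim', explode(',', $xff))) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remote; // malformed entry: fall back to the TCP peer
        }
        if (!isKnownProxy($hop, $proxies)) {
            return $hop;
        }
    }
    return $remote; // header listed only known proxies
}

// Constructed sample requests (documentation address ranges).
$proxies = ['192.0.2.10'];
// Via the proxy; the leftmost entry may have been supplied by the client.
echo resolveClientIp(['REMOTE_ADDR' => '192.0.2.10',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.9, 203.0.113.7'], $proxies), "\n";
// Direct connection presenting a header: the header is ignored.
echo resolveClientIp(['REMOTE_ADDR' => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => '192.0.2.99'], $proxies), "\n";
```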

