Solutions-Nitriques / anti_brute_force

Secure your Symphony CMS login page against brute force attacks
http://symphonyextensions.com/extensions/anti_brute_force/

Usage behind a proxy is working fine, but missing in the README #19

Closed michael-e closed 10 years ago

michael-e commented 10 years ago

Maybe we should add the following facts to the README?

If you are using Symphony on a server that sits behind a proxy, it will always track 127.0.0.1 as remote address, simply because PHP doesn't see anything else in $_SERVER['REMOTE_ADDR']. This is, of course, really bad.

Fortunately the extension already offers a simple mechanism to fix this problem. In /manifest/config.php, you can add an additional setting:

'remote-addr-key' => 'HTTP_X_FORWARDED_FOR',

(In most cases the name of the header provided by the proxy will be HTTP_X_FORWARDED_FOR, but this doesn't need to be the case. A badly configured proxy may not add an additional header at all. So you must do some research if it doesn't work.)

nitriques commented 10 years ago

I completely agree with you; I should at least add some notes in the README.

nitriques commented 10 years ago

I think I'll add a proper input text in the settings page as well. Thanks for the feedback!

michael-e commented 10 years ago

Thank you!

nitriques commented 10 years ago

1.4.2 is out with a simple fix: the note in the readme. I've created #20 for the setting UI. Thanks again.

nitriques commented 10 years ago

@michael-e Did you ever come across something like this?

function getIPfromXForwarded() {
    $ipString = getenv("HTTP_X_FORWARDED_FOR"); // false when the proxy set no header
    if ($ipString === false || $ipString === '') {
        return null;
    }
    // Comma-separated chain; strip the whitespace that follows each comma
    $addr = array_map('trim', explode(",", $ipString));
    return $addr[count($addr) - 1]; // last entry: the one appended by the nearest proxy
}

From a comment in http://php.net/manual/en/function.getenv.php

Should we proactively do it? I never had a proxy with multiple IPs in X-Forwarded-For, but I think it's legit...

Should we trust only the last?

michael-e commented 10 years ago

I never knew. But I did a quick test using my Apache logs. In my setup nginx is the frontend (SSL) HTTP server, proxying all "dynamic" stuff to Apache. Normally nginx adds one IP address to the header in question.

Using Rested on my Mac, I made a request with a faked X-Forwarded-For header containing the value 1.1.1.1. nginx obviously just added my real IP to the existing fake value, separated by comma, before passing it to Apache:

1.1.1.1, 87.168.137.89 - - [29/Jul/2014:10:16:56 +0200] "GET /symphony/ HTTP/1.0" 200 1386 "-" (…)

(Real IP has been edited to increase privacy.)

So yes, this header can contain multiple IP addresses. But in our case, why not display them all?

Unfortunately, the second value is being cut off, because the length of the database field is 16. You can see it in the Symphony backend:

(Screenshot, 2014-07-29 10:29:07: Symphony backend showing the stored address cut off after 16 characters.)

So I would suggest to increase the length of the field to 256 and simply save the complete value. It is potentially more useful than just one IP address from the string.
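
The two questions in this thread (which entry of a multi-valued X-Forwarded-For to trust, and what to do with a value a client has forged) can be settled with one rule: count from the right, by the number of proxies you actually operate. The following is an added example in PHP, not code from the anti_brute_force extension or from either participant. The `$key` argument stands in for the extension's `remote-addr-key` setting from the thread; the function name `resolveClientIp` and the `$trustedProxies` hop count are assumptions introduced here for illustration, and the request array is constructed to mirror the forged-header test above.

```php
<?php
// Added example, not code from the anti_brute_force extension.
// Assumptions: $key mirrors the extension's 'remote-addr-key' setting and
// $trustedProxies (a hypothetical setting) is the number of proxies we run
// in front of PHP; both names are illustrative.

/**
 * Return the client IP to apply the brute-force counter to.
 *
 * A proxy appends the address it saw to X-Forwarded-For, so the rightmost
 * entries were written by our own hops and anything left of them is whatever
 * the client chose to send. With $trustedProxies hops, the entry that many
 * places from the right is the first one we can vouch for.
 */
function resolveClientIp(array $server, string $key = 'REMOTE_ADDR', int $trustedProxies = 1): string
{
    // What PHP itself saw; behind a proxy this is the proxy's address.
    $fallback = $server['REMOTE_ADDR'] ?? '0.0.0.0';

    if ($key === 'REMOTE_ADDR' || $trustedProxies < 1 || empty($server[$key])) {
        return $fallback;
    }

    // Split the comma-separated chain and drop whitespace and empty entries.
    $chain = array_values(array_filter(
        array_map('trim', explode(',', $server[$key])),
        'strlen'
    ));

    $index = count($chain) - $trustedProxies;
    if ($index < 0) {
        // Fewer entries than trusted hops: our proxy did not write this header.
        return $fallback;
    }

    // The header is client-supplied text; never store it unvalidated.
    $candidate = $chain[$index];
    return filter_var($candidate, FILTER_VALIDATE_IP) !== false ? $candidate : $fallback;
}

// Constructed request, mirroring the forged-header test from the thread:
// the client sent X-Forwarded-For: 1.1.1.1 and nginx appended the real address.
$server = [
    'REMOTE_ADDR'          => '127.0.0.1',
    'HTTP_X_FORWARDED_FOR' => '1.1.1.1, 87.168.137.89',
];

// One real proxy in front of PHP: trust one hop.
echo resolveClientIp($server, 'HTTP_X_FORWARDED_FOR', 1), PHP_EOL;

// Hop count set one too high for the same topology: the entry we pick is
// now the client-supplied one, which is exactly the misconfiguration to avoid.
echo resolveClientIp($server, 'HTTP_X_FORWARDED_FOR', 2), PHP_EOL;
```

With one trusted hop the first call yields the rightmost address, the one nginx appended; the second call, with the hop count one higher than the real topology, yields the forged 1.1.1.1. That is why the count must match the proxies you actually run, and why taking the first entry of the header (a common shortcut) would let an attacker present a fresh "IP" on every login attempt and sidestep the lockout, or deliberately get a victim's address blocked. The function returns a single validated address of at most 45 characters, so it fits a short column; storing the whole chain for forensics, as suggested above, needs the wider field.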

nitriques commented 10 years ago

I'll have to do more research on that.... Thanks a lot for your input though!

nitriques commented 10 years ago

@michael-e

I've pushed a couple of commits regarding our latest discussion. If you are willing to test and risk explosion, please be my guest. I think the commit messages are self-explanatory.

michael-e commented 10 years ago

Works great! Feel free to close this issue!

nitriques commented 10 years ago

Awesome!

michael-e commented 10 years ago

Awesome as in "closing this issue" or awesome as in "there is still a bunch of work"? :-)

nitriques commented 10 years ago

I meant closing, but the other one sounds great too :)