Access logger does not log correct remote addresses when serving behind a proxy or load balancer

[acelaya]

Bug Report

Q	A
Version(s)	2.6.3 (probably any version since the access logger exists)

Summary

I have a mezzio app using mezzio-swoole, which is hosted behind a nginx configured as a reverse proxy.

I have configured the access logger like this:

return [

    'mezzio-swoole' => [
        'swoole-http-server' => [
            'logger' => [
                'format' => '%h %l %u "%r" %>s %b',
            ],
        ],
    ],

];

However, I have noticed that the %h part is being replaced by the proxy IP address, instead of the real client address.

I have digged in the code and it looks like it's always using the REMOTE_ADDR server param, when it should be first checking the HTTP_X_FORWARDED_FOR one, and if not found, then fall back to REMOTE_ADDR (I think).

It should potentially check HTTP_X_REAL_IP and HTTP_CLIENT_IP first too, as those are common ways to forward real IP addresses from reverse proxies.

Current behavior

When using the %h or %a modifiers for the access logging format, if the app is served behind a reverse proxy, the proxy IP address is logged.

How to reproduce

Set up a mezzio skeleton app, install swoole and mezzio-swoole and add the logger config provided above.

Then put a reverse proxy in front of the app and try accessing it.

Expected behavior

When using the %h or %a modifiers for the access logging format, if the app is served behind a reverse proxy, the real client IP address is logged.

---

I can provide a fix for this if you think that would be proper solution.

[weierophinney]

I can provide a fix for this if you think that would be proper solution.

Please do!

[acelaya]

I have just created the PR