processwire / processwire-requests

ProcessWire feature requests.

Get correct client's IP address in the AWS environment with elastic load balancing #92

Closed karltdev closed 7 years ago

karltdev commented 7 years ago

Short description of the enhancement

To enable getting the client's IP address in the AWS environment with Elastic Load Balancing (ELB).

Optional: Steps that explain the enhancement

  1. ELB acts as the HTTP endpoint. ProcessWire can only get the ELB's local IP instead of the client's IP, even though $config->sessionFingerprint is set to get the client's IP.
  2. http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/x-forwarded-headers.html ELB passes the client's IP address with the "X-Forwarded-For" header.
  3. Maybe hard-code X-Forwarded-For into the getIP function inside session.php, or add the ability to set a specific header for higher flexibility? Right now it is hard-coded to check HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR only.

Current vs. suggested behavior

Current behavior: PW fails to get the client's IP correctly with sessionFingerprint set to use the client's IP.

Suggested behavior: PW can get the client's IP correctly after adding the possibility to read the "X-Forwarded-For" header.

Why would the enhancement be useful to users?

ProcessWire is a great CMF, while AWS is the leading cloud platform. ProcessWire itself is also migrating to the AWS environment. Developers may need scaling for their apps or websites. ELB is essential for scaling inside AWS, but it changes its local IP from time to time randomly. Users will get logged out in a minute or so. This is not controllable unless we remove the IP address from the session fingerprint.

matjazpotocnik commented 7 years ago

@karltaidev your link points to https://github.com/processwire/processwire-requests/issues/url ...

karltdev commented 7 years ago

@matjazpotocnik Corrected. Thanks.

LostKobrakai commented 7 years ago

I wouldn't say we should add this because of AWS, but this is also the case for Heroku and probably some custom reverse proxy setups as well.

ryancramerdesign commented 7 years ago

@karltaidev See the second argument of the Session::getIP() method, which lets you specify that it should use the X-FORWARDED-FOR header rather than the REMOTE_ADDR: http://processwire.com/api/ref/session/get-i-p/

As far as the fingerprint goes, you can also specify that it should use X-FORWARDED-FOR by using one of the fingerprint options for "client IP" rather than "remote IP". Most likely you'd want option 12 as shown here: https://github.com/processwire/processwire/blob/dev/wire/config.php#L255

Lastly, you might want to consider using a fingerprint option that only uses the useragent (no IP address), option 8. That's because the X-FORWARDED-FOR can be easily faked with client headers, whereas REMOTE_ADDR cannot. That's why we can't have X-FORWARDED-FOR used by any default config settings in PW.
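
Added example (not ProcessWire code and not written by anyone in this thread): one way to honour X-Forwarded-For only when the request really arrived from the load balancer, which addresses the spoofing concern raised in the comment above. The function names, the `10.0.0.0/16` proxy range and the sample addresses are assumptions constructed for illustration.

```php
<?php
// Added example: all names, ranges and addresses below are constructed.

/** True if $ip lies inside $cidr (IPv4 or IPv6, e.g. "10.0.0.0/16"). */
function ipInCidr(string $ip, string $cidr): bool {
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparsable, or IPv4 compared against IPv6
    }
    $max = strlen($ipBin) * 8;
    $bits = $bits === null ? $max : max(0, min($max, (int) $bits));
    $bytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $bytes) !== substr($netBin, 0, $bytes)) return false;
    if ($bits % 8 === 0) return true;
    $mask = (0xFF << (8 - $bits % 8)) & 0xFF; // partial final byte
    return (ord($ipBin[$bytes]) & $mask) === (ord($netBin[$bytes]) & $mask);
}

function isTrustedProxy(string $ip, array $trusted): bool {
    foreach ($trusted as $cidr) {
        if (ipInCidr($ip, $cidr)) return true;
    }
    return false;
}

/** Resolve the client IP from a $_SERVER-style array. */
function resolveClientIp(array $server, array $trusted): string {
    $remote = $server['REMOTE_ADDR'] ?? '';
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    // Peer is not the balancer: the header is client-supplied, so ignore it.
    if ($xff === '' || !isTrustedProxy($remote, $trusted)) return $remote;
    // Proxies append the peer they saw, so only the right-hand entries are
    // trustworthy. Walk right to left and stop at the first non-proxy hop.
    foreach (array_reverse(explode(',', $xff)) as $hop) {
        $hop = trim($hop);
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) break; // malformed
        if (!isTrustedProxy($hop, $trusted)) return $hop;
    }
    return $remote; // nothing usable in the header
}

$trusted = ['10.0.0.0/16']; // constructed: subnet the load balancer lives in
$cases = [
    'direct, forged header' => ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_X_FORWARDED_FOR' => '203.0.113.9'],
    'via LB, forged prefix' => ['REMOTE_ADDR' => '10.0.3.12', 'HTTP_X_FORWARDED_FOR' => '192.0.2.66, 203.0.113.9'],
    'via LB, plain'         => ['REMOTE_ADDR' => '10.0.3.12', 'HTTP_X_FORWARDED_FOR' => '203.0.113.9'],
];
foreach ($cases as $label => $server) {
    echo $label, ' => ', resolveClientIp($server, $trusted), "\n";
}
```

The trusted range has to match the subnets the balancer actually uses. Because the check is made against a range rather than a single address, the result stays stable when the balancer's local IP changes.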

karltdev commented 7 years ago

@ryancramerdesign Thanks Ryan. I made a mistake here, sorry. I confirmed that using HTTP_X_FORWARDED_FOR is able to get the value of the X-Forwarded-For header. I was using the wrong parameter for the Session::getIP() method. I am closing this one.