ryanmab / CensorDodge

Censor Dodge Web Proxy
Creative Commons Attribution Share Alike 4.0 International

Invalid detected URL when behind a reverse-proxy #12

Closed mossroy closed 1 year ago

mossroy commented 3 years ago

If CensorDodge is accessed through a reverse-proxy, it does not work.

The main page is displayed, but with no stylesheet/images. After typing a URL and hitting "Go!", the error message "The use of hotlinking is strictly forbidden on this server!" is displayed and nothing else happens.

It's certainly because some of the resource URLs injected in the HTML page are based on the cdURL variable, that tries to reconstruct the browser URL on the server side (at the beginning of includes/class.censorDodge.php). It uses the variable $_SERVER['HTTP_HOST'] to know the server name, which gives the IP or name of the server that runs the PHP code, instead of the actual IP or name used by the browser (which points to the reverse-proxy).

It can be possible to reconstruct the browser URL if the reverse proxy sends the X-FORWARDED- headers (which is usually the case). But it can introduce security issues, because these headers can be manually set by a malicious user. To do that safely, you would have to add a setting of which IPs/names are trusted: the X-FORWARDED- headers would be used only if the HTTP request comes from one of these IPs (the ones of your reverse-proxies). It would work safely, but would make the code and configuration more complicated.

So I naively wonder if this cdURL variable is really necessary? The HTML probably could simply use relative URLs. I suppose you need it to prevent hotlinking?
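The trusted-proxy approach mossroy sketches above, written out as an added example (not CensorDodge's own code); the `$trustedProxies` setting, `buildBaseUrl`, `ipInCidr` and the sample requests are assumptions for illustration.

```php
<?php
// Added example, not CensorDodge's own code: rebuild the browser-facing base URL
// (the role cdURL plays) and trust X-Forwarded-* only when the request comes
// from a configured reverse-proxy address, as the issue proposes.

// $server is the $_SERVER array; $trustedProxies (hypothetical setting) lists
// proxy IPs or CIDRs allowed to set X-Forwarded-Host / X-Forwarded-Proto.
function buildBaseUrl(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    $fromTrustedProxy = false;
    foreach ($trustedProxies as $cidr) {
        if ($remote !== '' && ipInCidr($remote, $cidr)) { $fromTrustedProxy = true; break; }
    }

    // Default: what the PHP host itself sees (the value that is wrong behind a proxy).
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    $host   = $server['HTTP_HOST'] ?? 'localhost';

    if ($fromTrustedProxy) {
        // Forwarded headers are client-controlled for anyone else, so only a trusted hop may override.
        $proto = strtolower(trim(explode(',', $server['HTTP_X_FORWARDED_PROTO'] ?? '')[0]));
        if ($proto === 'http' || $proto === 'https') { $scheme = $proto; }
        $fwdHost = trim(explode(',', $server['HTTP_X_FORWARDED_HOST'] ?? '')[0]);
        // Accept only a plain hostname[:port], so a crafted header cannot inject into generated URLs.
        if (preg_match('/^[A-Za-z0-9.-]+(:\d{1,5})?$/', $fwdHost)) { $host = $fwdHost; }
    }
    return $scheme . '://' . $host . '/';
}

// Exact IP or CIDR match, IPv4 and IPv6.
function ipInCidr(string $ip, string $cidr): bool
{
    if (strpos($cidr, '/') === false) { return $ip === $cidr; }
    [$net, $bits] = explode('/', $cidr, 2);
    $ipBin = inet_pton($ip);
    $netBin = inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) { return false; }
    $bits = (int)$bits;
    $mask = str_repeat("\xff", intdiv($bits, 8));
    if ($bits % 8) { $mask .= chr((0xff << (8 - $bits % 8)) & 0xff); }
    $mask = str_pad($mask, strlen($ipBin), "\x00");
    return ($ipBin & $mask) === ($netBin & $mask);
}

// Constructed sample requests: one arriving via the trusted proxy, one sending the same headers directly.
$viaProxy = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_HOST' => '192.168.1.20',
             'HTTP_X_FORWARDED_HOST' => 'proxy.example.com', 'HTTP_X_FORWARDED_PROTO' => 'https'];
$direct = $viaProxy; $direct['REMOTE_ADDR'] = '203.0.113.9';
echo buildBaseUrl($viaProxy, ['10.0.0.0/8']), "\n", buildBaseUrl($direct, ['10.0.0.0/8']), "\n";
```

The first request yields the proxy's public host and scheme; the second, with identical forwarded headers but from an untrusted address, falls back to the server's own `HTTP_HOST`.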

jackblk commented 1 year ago

@ryanmab I see that this is closed but I still have this issue on my reverse proxy. Is there any fix or workaround?