Client IP logic
The client IP check function does the following:
function lz_getip(){
    if(isset($_SERVER["REMOTE_ADDR"])){
        return $_SERVER["REMOTE_ADDR"];
    }elseif(isset($_SERVER["HTTP_X_FORWARDED_FOR"])){
        return $_SERVER["HTTP_X_FORWARDED_FOR"];
    }elseif(isset($_SERVER["HTTP_CLIENT_IP"])){
        return $_SERVER["HTTP_CLIENT_IP"];
    }
}
Shouldn’t it check REMOTE_ADDR last? We have Varnish in front, and are setting the real client IP in HTTP_X_FORWARDED_FOR. Other reverse proxies set HTTP_CLIENT_IP, but we typically never overwrite or remove REMOTE_ADDR. Thus, REMOTE_ADDR should be a fallback. Otherwise when you block an IP in a reverse proxy situation, you are blocking everybody.
Also, “Your IP Address” in the plugin settings display should use lz_getip; currently it’s hard-coded to show REMOTE_ADDR.
Viewing 6 replies - 1 through 6 (of 6 total)
- The topic ‘Client IP logic’ is closed to new replies.
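One way to resolve the client address behind a reverse proxy such as the Varnish setup described in the post, as an added example that is not the plugin's code: the forwarded header is honoured only when REMOTE_ADDR is one of your own proxies, because a client connecting directly can set X-Forwarded-For to anything. The function name `resolve_client_ip`, the proxy list and the sample addresses are assumptions, as is a proxy that appends the address it saw to the header.

```php
<?php
// Added example, not the plugin's code. The proxy list and all addresses are constructed.

/**
 * Resolve the client IP. X-Forwarded-For is trusted only when the direct
 * peer (REMOTE_ADDR) is a known reverse proxy. Returns null when no
 * trustworthy address can be determined, so the caller can decide what to do.
 */
function resolve_client_ip(array $server, array $trustedProxies): ?string
{
    $peer = $server['REMOTE_ADDR'] ?? null;
    if ($peer === null || filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    // Direct connection, or no header: the peer address is the only reliable value.
    if (!in_array($peer, $trustedProxies, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer;
    }
    // Assumption: each proxy appends the address it saw. Walk right to left and
    // return the first hop that is not one of our own proxies. Anything further
    // left was supplied by the client and is ignored.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return null; // malformed entry: do not guess
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $peer; // every hop was one of our proxies
}

$proxies = ['10.0.0.5']; // constructed: address of the reverse proxy
$cases = [ // constructed sample requests
    'via proxy'                 => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'],
    'forged prefix via proxy'   => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1, 203.0.113.7'],
    'direct with forged header' => ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1'],
];
foreach ($cases as $label => $server) {
    printf("%-26s => %s\n", $label, resolve_client_ip($server, $proxies) ?? '(unknown)');
}
```

Block lists keyed on this value then act on the real client when traffic arrives through the proxy, and on the connecting peer when it does not.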