• Resolved rubendura

    (@rubendura)


    I recently improved my site by adding AutoScaling and HTTPS.
    I am deploying on AWS, the load balancer acts as SSL termination and I’ve got a rewrite rule on my Apache config to redirect all traffic through HTTPS.
    After doing this, the settings page for IP Geo Block seems to ignore the option where I can set extra $_SERVER keys to retrieve IPs from. Previously, once I configured this setting to HTTP_X_FORWARDED_FOR, the IP shown at the top of the settings page was properly set (or so I think) and I wouldn't be locked out of the site. Now, even after configuring it, the server always displays $_SERVER['REMOTE_ADDR'] on the settings page, and once I log out I'll be locked out until I clear the caches.

    I've been struggling all day to get this fixed, but I ran out of ideas. I checked that the X-Forwarded-For header is properly set. Replacing $_SERVER['REMOTE_ADDR'] at runtime with $_SERVER['HTTP_X_FORWARDED_FOR'] shouldn't be necessary, and I'd even argue it is really bad practice.

    What could I be doing wrong in this setup? Is it a bug in the plugin, or is there anything I might be missing?

    Thanks

    https://ww.wp.xz.cn/plugins/ip-geo-block/

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author tokkonopapa

    (@tokkonopapa)

    First of all, this plugin always displays (at the top of the settings page) and validates the IP address from $_SERVER['REMOTE_ADDR']. And the option "$_SERVER keys to retrieve extra IP addresses" does not replace it with $_SERVER['HTTP_X_FORWARDED_FOR'], but validates both $_SERVER['REMOTE_ADDR'] and $_SERVER['HTTP_X_FORWARDED_FOR'].

    So in your case, $_SERVER['REMOTE_ADDR'] should be replaced with $_SERVER['HTTP_X_FORWARDED_FOR']. This is a similar case to CloudFlare.

    To do this replacement, please try adding the following code somewhere in your functions.php.

    // Overwrite REMOTE_ADDR with the raw X-Forwarded-For value when the header is present;
    // otherwise keep the address of the directly connected peer.
    $_SERVER['REMOTE_ADDR'] = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];

    You should be careful in case a visitor sends a request to your server with an HTTP X-Forwarded-For header. I don't know how your server (including the load balancer) handles such a case. Typically, $_SERVER['HTTP_X_FORWARDED_FOR'] looks like "aaa.bbb.ccc.ddd,eee.fff.ggg.hhh". In this case, you should extract the correct IP.

    I hope this answer might help you.

    Thread Starter rubendura

    (@rubendura)

    Apparently ELBs append the originating IP to any X-Forwarded-For headers, so I guess that by replacing REMOTE_ADDR with the last address coming from X-Forwarded-For, there shouldn't be a way to spoof it by just using HTTP headers.
    Unless I'm wrong, it could be spoofed by other methods that attackers would also use to spoof REMOTE_ADDR if there were no ELB, and that would still be a problem in any other case, so I'm happy with that for now.

    Thanks for your help.

    Plugin Author tokkonopapa

    (@tokkonopapa)

    Hi rubendura,

    Although I don't have any experience using Elastic Load Balancing, it's quite important how the ELB embeds a visitor's IP address into X-Forwarded-For.

    "it could be spoofed by other methods that attackers would also use to spoof REMOTE_ADDR if there was no ELB and that would still be a problem in any other case"

    It's true. Spoofing an HTTP header such as HTTP_X_FORWARDED_FOR is very easy. That's why this plugin never whitelists the IP address in HTTP_X_FORWARDED_FOR or other $_SERVER keys.

    I hope you succeed.
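The two replies above describe the pieces of a safe replacement: only trust X-Forwarded-For when the request actually arrived through the load balancer, and take the entry the ELB appended last rather than the whole comma-separated string. The following is an added example (not code from the plugin or from either poster) that combines them; the trusted proxy range 10.0.0.0/8 and the sample addresses are constructed placeholders, and the hypothetical helper names are my own.

```php
<?php
// Added example, not part of the plugin. Assumed: the ELB reaches Apache from
// 10.0.0.0/8 (constructed placeholder; use your load balancer's real subnet).
const TRUSTED_PROXY_CIDRS = ['10.0.0.0/8'];

// IPv4-only CIDR membership test (hypothetical helper).
function ip_in_cidr(string $ip, string $cidr): bool {
    [$net, $bits] = explode('/', $cidr, 2);
    $ipLong = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false;
    }
    $bits = (int) $bits;
    $mask = $bits === 0 ? 0 : ((~0 << (32 - $bits)) & 0xFFFFFFFF);
    return ($ipLong & $mask) === ($netLong & $mask);
}

function is_trusted_proxy(string $ip): bool {
    foreach (TRUSTED_PROXY_CIDRS as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// Returns the client IP to use in place of REMOTE_ADDR (hypothetical helper).
function client_ip_behind_proxy(array $server): string {
    $remote = $server['REMOTE_ADDR'] ?? '';
    // A direct connection (not via the ELB) may carry a forged header: ignore it.
    if (!is_trusted_proxy($remote) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    // The ELB appends the connecting address last, so walk from the right and
    // stop at the first entry that is not one of our own proxies.
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (filter_var($hops[$i], FILTER_VALIDATE_IP) === false) {
            break; // malformed header: fall back to REMOTE_ADDR
        }
        if (!is_trusted_proxy($hops[$i])) {
            return $hops[$i];
        }
    }
    return $remote;
}

// Constructed sample: a forged entry sent by the client, then the ELB's append.
$sample = ['REMOTE_ADDR' => '10.0.1.5',
           'HTTP_X_FORWARDED_FOR' => '198.51.100.9, 203.0.113.7'];
echo client_ip_behind_proxy($sample), "\n";
```

In functions.php this would be used as `$_SERVER['REMOTE_ADDR'] = client_ip_behind_proxy($_SERVER);`, so the plugin keeps validating REMOTE_ADDR as it does today.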


The topic ‘HTTP_X_FORWARDED_FOR being ignored?’ is closed to new replies.