added proxy_ips config item to whitelist reverse proxy servers to use the HTTP_X_FORWARDED_FOR header safely to determine the visitor's IP address
diff --git a/system/application/config/config.php b/system/application/config/config.php
index 58309d8..fae962e 100644
--- a/system/application/config/config.php
+++ b/system/application/config/config.php
@@ -311,6 +311,19 @@
$config['rewrite_short_tags'] = FALSE;
+/*
+|--------------------------------------------------------------------------
+| Reverse Proxy IPs
+|--------------------------------------------------------------------------
+|
+| If your server is behind a reverse proxy, you must whitelist the proxy IP
+| addresses from which CodeIgniter should trust the HTTP_X_FORWARDED_FOR
+| header in order to properly identify the visitor's IP address.
+| Comma-delimited, e.g. '10.0.1.200,10.0.1.201'
+|
+*/
+$config['proxy_ips'] = '';
+
/* End of file config.php */
/* Location: ./system/application/config/config.php */
\ No newline at end of file
diff --git a/system/libraries/Input.php b/system/libraries/Input.php
index e879e2d..6491d17 100644
--- a/system/libraries/Input.php
+++ b/system/libraries/Input.php
@@ -346,8 +346,15 @@
{
return $this->ip_address;
}
+
+ if ($this->config->item('proxy_ips') != '' && $this->server('HTTP_X_FORWARDED_FOR') && $this->server('REMOTE_ADDR'))
+ {
+ $proxies = preg_split('/[\s,]/', $this->config->item('proxy_ips'), -1, PREG_SPLIT_NO_EMPTY);
+ $proxies = is_array($proxies) ? $proxies : array($proxies);
- if ($this->server('REMOTE_ADDR') AND $this->server('HTTP_CLIENT_IP'))
+ $this->ip_address = in_array($_SERVER['REMOTE_ADDR'], $proxies) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
+ }
+ elseif ($this->server('REMOTE_ADDR') AND $this->server('HTTP_CLIENT_IP'))
{
$this->ip_address = $_SERVER['HTTP_CLIENT_IP'];
}
@@ -373,7 +380,7 @@
if (strstr($this->ip_address, ','))
{
$x = explode(',', $this->ip_address);
- $this->ip_address = end($x);
+ $this->ip_address = trim(end($x));
}
if ( ! $this->valid_ip($this->ip_address))
diff --git a/user_guide/changelog.html b/user_guide/changelog.html
index f5e7bc9..7892dc3 100644
--- a/user_guide/changelog.html
+++ b/user_guide/changelog.html
@@ -90,6 +90,8 @@
<ul>
<li>Improved security in <kbd>xss_clean()</kbd> to help prevent attacks targeting Internet Explorer.</li>
<li>Added 'application/msexcel' to config/mimes.php for .xls files.</li>
+ <li>Added 'proxy_ips' config item to whitelist reverse proxy servers from which to trust the HTTP_X_FORWARDED_FOR header to
+ to determine the visitor's IP address.</li>
</ul>
</li>
</ul>