Add support for multiple IP Addresses found in X-Forwarded-For request header

Created on 16 December 2019, almost 5 years ago
Updated 22 May 2023, over 1 year ago

Problem

When using a VPN in conjunction with the Cloudflare service using the X-Forwarded-For header to get the user's IP, there are multiple IP addresses returned.

This is documented here: https://support.cloudflare.com/hc/en-us/articles/200170986-How-does-Clou...

In this scenario, the CheckIpRestriction function returns an invalid result when the user's IP is in the form:

0.0.0.1, 0.0.0.2 etc.

Proposed solution

The IP addresses should be extracted from this string and tested separately.

Feature request

Status: Active

Component: Code

Created by: 🇬🇧 United Kingdom spencer95@gmail.com Swansea/Cardiff


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇧🇾Belarus chegor

    #7 works for me. Voting for RTBC

  • 🇦🇺Australia darvanen Sydney, Australia

    This approach would completely open the module up for header spoofing attacks.

    If you want to test the IP address *behind* a VPN, ensure you add the VPN IP address(es) to $settings['reverse_proxy_addresses'] in your settings.php.
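
The header-spoofing concern from the last comment, shown as an added example (not part of the thread or the module's code). It contrasts testing every address in X-Forwarded-For with resolving the client right to left through trusted proxies only. Function names and all addresses are constructed for illustration, and this is a simplified sketch rather than Drupal's own resolution logic.

```php
<?php
// Added illustration (PHP 7.4+). Function names and addresses are constructed
// (RFC 5737 documentation ranges); nothing here is taken from the module.

/** Split an X-Forwarded-For value into trimmed, syntactically valid IPs. */
function xff_parse(string $header): array {
  $ips = array_map('trim', explode(',', $header));
  return array_values(array_filter(
    $ips,
    fn($ip) => filter_var($ip, FILTER_VALIDATE_IP) !== false
  ));
}

/** Unsafe: passes if ANY address in the header is on the allowlist. */
function naive_is_allowed(string $header, array $allowlist): bool {
  return count(array_intersect(xff_parse($header), $allowlist)) > 0;
}

/**
 * Safer: start from the TCP peer and walk the header right to left,
 * skipping only hops listed as trusted proxies. The first address that is
 * not a trusted proxy is the client; entries to its left are unverified.
 */
function resolve_client_ip(string $remoteAddr, string $header, array $trusted): string {
  if (!in_array($remoteAddr, $trusted, true)) {
    return $remoteAddr; // Header arrived from an untrusted peer: ignore it.
  }
  foreach (array_reverse(xff_parse($header)) as $ip) {
    if (!in_array($ip, $trusted, true)) {
      return $ip;
    }
  }
  return $remoteAddr; // Every listed hop was a trusted proxy.
}

$allowlist = ['192.0.2.10'];                   // constructed allowed address
// Constructed trusted hops, standing in for reverse_proxy_addresses entries.
$trusted = ['198.51.100.1', '198.51.100.2'];

// Constructed request: the leftmost entry was supplied by the client itself;
// the trusted hops appended the addresses they actually saw.
$header = '192.0.2.10, 203.0.113.7, 198.51.100.2';
$remote = '198.51.100.1';

var_dump(naive_is_allowed($header, $allowlist));
$client = resolve_client_ip($remote, $header, $trusted);
var_dump($client, in_array($client, $allowlist, true));
```

The naive check accepts the request because the allowlisted address appears somewhere in the header, while the proxy-aware resolution settles on the first untrusted hop and the allowlist test on that address fails.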
