From d9138fdcbe87ae699ba97079812ff489b3566b2e Mon Sep 17 00:00:00 2001
From: Matteo Nastasi
Date: Sat, 6 Jan 2018 11:46:51 +0100
Subject: [PATCH] manage real client IP behind nginx https termination
---
 web/Obj/sac-a-push.phh | 16 +++++++++++++---
 web/usermgmt.php | 7 ++++++-
 2 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/web/Obj/sac-a-push.phh b/web/Obj/sac-a-push.phh
index df6de09..3771d4d 100644
--- a/web/Obj/sac-a-push.phh
+++ b/web/Obj/sac-a-push.phh
@@ -750,15 +750,25 @@ class Sac_a_push {
 if (($new_socket = ancillary_getstream($new_unix, $stream_info)) !== FALSE) {
 printf("NEW_SOCKET: %d\n", intval($new_socket));
 stream_set_blocking($new_socket, $this->blocking_mode); // Set the stream to non-blocking
- printf("RECEIVED HEADER:\n%s", $stream_info);
+ // error_log(sprintf("RECEIVED HEADER:\n%s", $stream_info));
 if (($path = spu_process_info($stream_info, $method, $header, $get, $post, $cookie, $rest, $cont)) == FALSE) {
 fprintf(STDERR, "TODO: fix wrong header management\n");
 }
- $addr_full = stream_socket_get_name($new_socket, TRUE);
+
+ // We try to get real IP from header (passed by proxy) and then fallback to direct connection IP
+ // error_log(sprintf("addr: [%s]", $addr));
+ // error_log(sprintf("X-Real-Ip: [%s]", array_key_exists('X-Real-Ip', $header) ? $header['X-Real-Ip'] : "Not exists"));
+ if (array_key_exists('X-Real-Ip', $header)) {
+ $addr = $header['X-Real-Ip'];
+ }
+ else {
+ $addr = addrtoipv4(stream_socket_get_name($new_socket, TRUE));
+ }
+ // FOR TEST $header['X-Forwarded-For'] = '154.155.22.33';
- $addr = $this->pproxy_realip($header, addrtoipv4($addr_full));
+ $addr = $this->pproxy_realip($header, $addr);
 printf("PATH: [%s] [%s]\n", $path, print_r($header, TRUE));
 if ($method == "POST" && $rest > 0) {
diff --git a/web/usermgmt.php b/web/usermgmt.php
index 51681d7..3aa9fed 100644
--- a/web/usermgmt.php
+++ b/web/usermgmt.php
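Review bot: The new branch takes `$header['X-Real-Ip']` as the client address whenever the header is present, without checking that the connection actually arrived from the nginx front end; the `check_auth()` hunk in web/usermgmt.php does the same with `$_SERVER["HTTP_X_REAL_IP"]`. A client that can reach the backend directly, or a proxy that forwards the header instead of overwriting it, then picks its own address for whatever per-address logic consumes `$addr` later (not visible in this hunk). The header should be honoured only when the socket peer is a configured proxy and the value parses as an IP literal; `$trusted_proxies` in the sketch below is a placeholder for that configuration. The enclosing method starts and ends outside the hunk, and `pproxy_realip()` may already apply a comparable check for X-Forwarded-For that could be reused.

```php
// … unchanged: spu_process_info() call and its error branch …
$peer = addrtoipv4(stream_socket_get_name($new_socket, TRUE));
$addr = $peer;
// Honour X-Real-Ip only when the TCP peer is the TLS-terminating proxy itself.
if (in_array($peer, $trusted_proxies, TRUE)
    && array_key_exists('X-Real-Ip', $header)
    && filter_var($header['X-Real-Ip'], FILTER_VALIDATE_IP) !== FALSE) {
    $addr = $header['X-Real-Ip'];
}
$addr = $this->pproxy_realip($header, $addr);
```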
@@ -84,7 +84,12 @@ function check_auth()
 $socket = FALSE;
 $ret = FALSE;
- $ip = $_SERVER["REMOTE_ADDR"];
+ if (array_key_exists("HTTP_X_REAL_IP", $_SERVER)) {
+ $ip = $_SERVER["HTTP_X_REAL_IP"];
+ }
+ else {
+ $ip = $_SERVER["REMOTE_ADDR"];
+ }
 $stp = 0;
 $private = md5($G_alarm_passwd.$ip.$sess);
 $cmd = array ("cmd" => "userauth", "sess" => $sess, "private" => $private, "the_end" => "true");
-- 2.17.1
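Review bot: `$ip` can now be an arbitrary request-header string, and it flows unvalidated into `$private = md5($G_alarm_passwd.$ip.$sess)`; with `REMOTE_ADDR` that field was always an address set by the web server. Validate it before use, e.g. `if (filter_var($ip, FILTER_VALIDATE_IP) === FALSE) { $ip = $_SERVER["REMOTE_ADDR"]; }`, so the token input keeps a fixed, unambiguous shape. Because the fields are concatenated without a delimiter, a keyed construction such as `hash_hmac('sha256', $ip."|".$sess, $G_alarm_passwd)` would be sturdier, but the side that verifies `private` is not in this hunk and would have to change in step. `check_auth()` continues outside the hunk.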