From d9138fdcbe87ae699ba97079812ff489b3566b2e Mon Sep 17 00:00:00 2001
From: Matteo Nastasi <nastasi@alternativeoutput.it>
Date: Sat, 6 Jan 2018 11:46:51 +0100
Subject: [PATCH] manage real client IP behind nginx https termination

---
 web/Obj/sac-a-push.phh | 16 +++++++++++++---
 web/usermgmt.php       |  7 ++++++-
 2 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/web/Obj/sac-a-push.phh b/web/Obj/sac-a-push.phh
index df6de09..3771d4d 100644
--- a/web/Obj/sac-a-push.phh
+++ b/web/Obj/sac-a-push.phh
@@ -750,15 +750,25 @@ class Sac_a_push {
                         if (($new_socket = ancillary_getstream($new_unix, $stream_info)) !== FALSE) {
                             printf("NEW_SOCKET: %d\n", intval($new_socket));
                             stream_set_blocking($new_socket, $this->blocking_mode); // Set the stream to non-blocking
-                            printf("RECEIVED HEADER:\n%s", $stream_info);
+                            // error_log(sprintf("RECEIVED HEADER:\n%s", $stream_info));
                             if (($path = spu_process_info($stream_info, $method, $header,
                                                           $get, $post, $cookie, $rest, $cont))
                                 == FALSE) {
                                 fprintf(STDERR, "TODO: fix wrong header management\n");
                             }
-                            $addr_full = stream_socket_get_name($new_socket, TRUE);
+
+                            // We try to get real IP from header (passed by proxy) and then fallback to direct connection IP
+                            // error_log(sprintf("addr: [%s]", $addr));
+                            // error_log(sprintf("X-Real-Ip: [%s]", array_key_exists('X-Real-Ip', $header) ? $header['X-Real-Ip'] : "Not exists"));
+                            if (array_key_exists('X-Real-Ip', $header)) {
+                                $addr = $header['X-Real-Ip'];
+                            }
+                            else {
+                                $addr = addrtoipv4(stream_socket_get_name($new_socket, TRUE));
+                            }
+
                             // FOR TEST $header['X-Forwarded-For'] = '154.155.22.33';
-                            $addr = $this->pproxy_realip($header, addrtoipv4($addr_full));
+                            $addr = $this->pproxy_realip($header, $addr);
 
                             printf("PATH: [%s] [%s]\n", $path, print_r($header, TRUE));
                             if ($method == "POST" && $rest > 0) {
diff --git a/web/usermgmt.php b/web/usermgmt.php
index 51681d7..3aa9fed 100644
--- a/web/usermgmt.php
+++ b/web/usermgmt.php
@@ -84,7 +84,12 @@ function check_auth()
 
     $socket = FALSE;
     $ret = FALSE;
-    $ip = $_SERVER["REMOTE_ADDR"];
+    if (array_key_exists("HTTP_X_REAL_IP", $_SERVER)) {
+        $ip = $_SERVER["HTTP_X_REAL_IP"];
+    }
+    else {
+        $ip = $_SERVER["REMOTE_ADDR"];
+    }
     $stp = 0;
     $private = md5($G_alarm_passwd.$ip.$sess);
     $cmd = array ("cmd" => "userauth", "sess" => $sess, "private" => $private, "the_end" => "true");
-- 
2.17.1