  1. phpBB3
  2. PHPBB3-10318

Option for reading client IP addresses from a header instead of REMOTE_ADDR

Details

    • Improvement
    • Status: Closed
    • Major
    • Resolution: Won't Fix
    • 3.0.9
    • 3.0.15-RC1, 3.1.12-RC1
    • ACP
    • None
    • PHP 5.3.6, MySQL 5.1.57-rel12.8, Firefox 5

    Description

      Support topics: http://www.phpbb.com/community/viewtopic.php?f=46&t=2122051

      When phpbb is behind a reverse proxy, REMOTE_ADDR is the IP address of the proxy and not of board users. This behavior usually manifests itself as that same IP address displayed in ACP logs. However, I believe we also have an option for tying sessions to IP addresses or networks, and in the case of everyone having the same IP the security of that option is nullified.

      It is currently impossible to tell phpbb to use a value in e.g. X-Forwarded-For header instead of REMOTE_ADDR for the purpose of determining users' IP addresses. We should investigate if just offering the option of using X-Forwarded-For would be enough, or if we would need to support arbitrary headers.

      X-Forwarded-For is used by (non-reverse) proxies. Therefore this option should be off by default. It should only be turned on by administrators who are behind a reverse proxy, and we should only take the most recently appended value of that header as the user's IP address (i.e., not follow it all the way).
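
The behaviour requested above, sketched as an added example (not phpBB code and not part of the original ticket): the option is off by default and only the most recently appended X-Forwarded-For entry is used. The function name, the option parameter and the trusted-proxy list are hypothetical; the trusted-proxy check is an assumption added here because the header is only meaningful when the request actually arrived through the reverse proxy.

```php
<?php
// Added example, not phpBB code. Function and option names are hypothetical.

/**
 * Return the address to treat as the user's IP.
 *
 * $use_forwarded_for: the proposed admin option, off by default.
 * $trusted_proxies:   assumed list of the reverse proxy's own addresses.
 */
function resolve_client_ip(array $server, bool $use_forwarded_for = false, array $trusted_proxies = []): string
{
    $remote_addr = $server['REMOTE_ADDR'] ?? '';

    // Option off: behave exactly as today and use REMOTE_ADDR.
    if (!$use_forwarded_for) {
        return $remote_addr;
    }

    // A request that did not come through the reverse proxy can carry any
    // header value the sender chooses, so the header is ignored for it.
    if (!in_array($remote_addr, $trusted_proxies, true)) {
        return $remote_addr;
    }

    $header = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($header === '') {
        return $remote_addr;
    }

    // Each proxy appends the peer it saw, so the last entry is the one our
    // own reverse proxy wrote. Earlier entries are not followed.
    $entries = explode(',', $header);
    $candidate = trim(end($entries));

    // Fall back to REMOTE_ADDR unless the entry is a well-formed IPv4/IPv6 address.
    if (filter_var($candidate, FILTER_VALIDATE_IP) === false) {
        return $remote_addr;
    }
    return $candidate;
}

// Constructed sample requests (documentation address ranges, made-up proxy address).
$proxy     = ['10.0.0.5'];
$via_proxy = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7, 203.0.113.44'];
$direct    = ['REMOTE_ADDR' => '203.0.113.99', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'];

var_dump(resolve_client_ip($via_proxy, true, $proxy)); // option on, request from the proxy
var_dump(resolve_client_ip($direct, true, $proxy));    // option on, request bypassing the proxy
var_dump(resolve_client_ip($via_proxy));               // option off (default)
```
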

            People

              CHItA CHItA
              vkviswanath vkviswanath
