Merge pull request #869 from thoughever/reverse_proxy

X-Real-IP support and Varnish PURGE config options

core/captcha.php

@@ -11,7 +11,7 @@ function captcha_get_html(): string
 {
     global $config, $user;
 
-    if (DEBUG && ip_in_range($_SERVER['REMOTE_ADDR'], "127.0.0.0/8")) {
+    if (DEBUG && ip_in_range(get_real_ip(), "127.0.0.0/8")) {
         return "";
     }
 
@@ -34,7 +34,7 @@ function captcha_check(): bool
 {
     global $config, $user;
 
-    if (DEBUG && ip_in_range($_SERVER['REMOTE_ADDR'], "127.0.0.0/8")) {
+    if (DEBUG && ip_in_range(get_real_ip(), "127.0.0.0/8")) {
         return true;
     }
 
@@ -42,7 +42,7 @@ function captcha_check(): bool
         $r_privatekey = $config->get_string('api_recaptcha_privkey');
         if (!empty($r_privatekey)) {
             $recaptcha = new ReCaptcha($r_privatekey);
-            $resp = $recaptcha->verify($_POST['g-recaptcha-response'] ?? "", $_SERVER['REMOTE_ADDR']);
+            $resp = $recaptcha->verify($_POST['g-recaptcha-response'] ?? "", get_real_ip());
 
             if (!$resp->isSuccess()) {
                 log_info("core", "Captcha failed (ReCaptcha): " . implode("", $resp->getErrorCodes()));

core/imageboard/image.php

@@ -389,7 +389,7 @@ class Image
 				    :posted, :source
 				)",
                 [
-                    "owner_id" => $user->id, "owner_ip" => $_SERVER['REMOTE_ADDR'],
+                    "owner_id" => $user->id, "owner_ip" => get_real_ip(),
                     "filename" => $cut_name, "filesize" => $this->filesize,
                     "hash" => $this->hash, "mime" => strtolower($this->mime),
                     "ext" => strtolower($this->ext),

core/sys_config.php

@@ -34,3 +34,4 @@ _d("EXTRA_EXTS", "");           // string   optional extra extensions
 _d("BASE_HREF", null);          // string   force a specific base URL (default is auto-detect)
 _d("TRACE_FILE", null);         // string   file to log performance data into
 _d("TRACE_THRESHOLD", 0.0);     // float    log pages which take more time than this many seconds
+_d("REVERSE_PROXY_X_HEADERS", false);     // boolean  get request IPs from "X-Real-IP" and protocol from "X-Forwarded-Proto" HTTP headers

core/util.php

@@ -66,7 +66,7 @@ function contact_link(): ?string
 function is_https_enabled(): bool
 {
     // check forwarded protocol
-    if (!empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
+    if (REVERSE_PROXY_X_HEADERS && !empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
         $_SERVER['HTTPS']='on';
     }
     return (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');
@@ -160,6 +160,29 @@ function check_im_version(): int
     return (empty($convert_check) ? 0 : 1);
 }
 
+/**
+ * Get request IP
+ */
+
+function get_remote_addr() {
+  return $_SERVER['REMOTE_ADDR'];
+}
+/**
+ * Get real IP if behind a reverse proxy
+ */
+
+function get_real_ip() {
+  $ip = get_remote_addr();
+  if (REVERSE_PROXY_X_HEADERS && isset($_SERVER['HTTP_X_REAL_IP'])) {
+    $ip = $_SERVER['HTTP_X_REAL_IP'];
+    if(!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
+      $ip = "0.0.0.0";
+    }
+  }
+  
+  return $ip;
+}
+
 /**
  * Get the currently active IP, masked to make it not change when the last
  * octet or two change, for use in session cookies and such
@@ -167,7 +190,7 @@ function check_im_version(): int
 function get_session_ip(Config $config): string
 {
     $mask = $config->get_string("session_hash_mask", "255.255.0.0");
-    $addr = $_SERVER['REMOTE_ADDR'];
+    $addr = get_real_ip(); 
     $addr = inet_ntop(inet_pton($addr) & inet_pton($mask));
     return $addr;
 }
@@ -799,3 +822,4 @@ function generate_key(int $length = 20): string
 
     return $randomString;
 }
+