#120 Use HTTP_X_REAL_IP to log ip addresses

This commit is contained in:
Roland Gruber 2015-02-17 18:31:52 +00:00
parent 75b42a68ff
commit a85d7174e5
2 changed files with 21 additions and 4 deletions


@ -2,6 +2,7 @@ March 2015
- templates for server profiles
- Unix/Personal: support SASL as password hash type
- PDF export: added option to print primary group members
- Use HTTP_X_REAL_IP/HTTP_X_FORWARDED_FOR to log IP addresses (RFE 120)
- LAM Pro:
-> Personal: support image file size limit and cropping (requires php-imagick) in self service


@ -76,13 +76,13 @@ function startSecureSession($redirectToLogin = true, $initSecureData = false) {
// check session id
if (! isset($_SESSION["sec_session_id"]) || ($_SESSION["sec_session_id"] != session_id())) {
// session id is invalid
logNewMessage(LOG_WARNING, "Invalid session ID, access denied (" . $_SERVER['REMOTE_ADDR'] . ")");
logNewMessage(LOG_WARNING, "Invalid session ID, access denied (" . getClientIPForLogging() . ")");
die();
}
// check if client IP has not changed
if (!isset($_SESSION["sec_client_ip"]) || ($_SESSION["sec_client_ip"] != $_SERVER['REMOTE_ADDR'])) {
// IP is invalid
logNewMessage(LOG_WARNING, "Client IP changed, access denied (" . $_SERVER['REMOTE_ADDR'] . ")");
logNewMessage(LOG_WARNING, "Client IP changed, access denied (" . getClientIPForLogging() . ")");
die();
}
// check if session time has not expired
@ -133,7 +133,7 @@ function checkClientIP() {
}
// stop script is client may not access LAM
if (!$grantAccess) {
logNewMessage(LOG_WARNING, "Invalid client IP, access denied (" . $_SERVER['REMOTE_ADDR'] . ")");
logNewMessage(LOG_WARNING, "Invalid client IP, access denied (" . getClientIPForLogging() . ")");
die();
}
}
@ -215,7 +215,7 @@ function logNewMessage($level, $message) {
// check if log level is high enough
elseif ($cfg->logLevel < $level) return;
// ok to log, build log message
$prefix = "LDAP Account Manager (" . session_id() . ' - ' . $_SERVER['REMOTE_ADDR'] . ") - " . $possibleLevels[$level] . ": ";
$prefix = "LDAP Account Manager (" . session_id() . ' - ' . getClientIPForLogging() . ") - " . $possibleLevels[$level] . ": ";
$message = $prefix . $message;
// Syslog logging
if ($cfg->logDestination == 'SYSLOG') {
@ -481,4 +481,20 @@ function isLoggedIn() {
return (isset($_SESSION['loggedIn']) && ($_SESSION['loggedIn'] === true));
}
/**
* Returns the client IP and comma separated proxy IPs if any (HTTP_X_FORWARDED_FOR, HTTP_X_REAL_IP).
*
* @return String client IP (e.g. 10.10.10.10,11.11.11.11)
*/
function getClientIPForLogging() {
$ip = $_SERVER['REMOTE_ADDR'];
if (!empty($_SERVER['HTTP_X_FORWARDED_FOR']) && (strlen($_SERVER['HTTP_X_FORWARDED_FOR']) < 100)) {
$ip .= ',' . $_SERVER['HTTP_X_FORWARDED_FOR'];
}
if (!empty($_SERVER['HTTP_X_REAL_IP']) && (strlen($_SERVER['HTTP_X_REAL_IP']) < 100)) {
$ip .= ',' . $_SERVER['HTTP_X_REAL_IP'];
}
return $ip;
}
?>
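Review bot: getClientIPForLogging() copies HTTP_X_FORWARDED_FOR and HTTP_X_REAL_IP into the log prefix with only a length check, and both headers are set by the client, so any byte under 100 characters (including newlines or control characters) lands verbatim in syslog or the log file; the length bound does not stop log-line forging. Each comma-separated entry should be validated as an IP address and anything else dropped, so the logged value can only ever be a list of addresses. The access-control comparison in startSecureSession still uses REMOTE_ADDR, which is the right choice, and this rewrite keeps the headers confined to logging. As a minor style point, the trailing `?>` in a PHP-only file can be omitted to avoid accidental output.
```php
function getClientIPForLogging() {
	$ip = $_SERVER['REMOTE_ADDR'];
	// proxy headers are client-supplied: keep only syntactically valid addresses so log lines cannot be forged
	foreach (array('HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP') as $header) {
		if (empty($_SERVER[$header]) || (strlen($_SERVER[$header]) >= 100)) {
			continue;
		}
		foreach (explode(',', $_SERVER[$header]) as $candidate) {
			$candidate = trim($candidate);
			if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
				$ip .= ',' . $candidate;
			}
		}
	}
	return $ip;
}
```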