From a85d7174e52fd12026ccc442cdc7f19670a6edb8 Mon Sep 17 00:00:00 2001 From: Roland Gruber Date: Tue, 17 Feb 2015 18:31:52 +0000 Subject: [PATCH] #120 Use HTTP_X_REAL_IP to log ip addresses --- lam/HISTORY | 1 + lam/lib/security.inc | 24 ++++++++++++++++++++---- 2 files changed, 21 insertions(+), 4 deletions(-) diff --git a/lam/HISTORY b/lam/HISTORY index 7959e8ba..24272bb6 100644 --- a/lam/HISTORY +++ b/lam/HISTORY @@ -2,6 +2,7 @@ March 2015 - templates for server profiles - Unix/Personal: support SASL as password hash type - PDF export: added option to print primary group members + - Use HTTP_X_REAL_IP/HTTP_X_FORWARDED_FOR to log IP addresses (RFE 120) - LAM Pro: -> Personal: support image file size limit and cropping (requires php-imagick) in self service diff --git a/lam/lib/security.inc b/lam/lib/security.inc index 4c5a3ca7..2e9cce8d 100644 --- a/lam/lib/security.inc +++ b/lam/lib/security.inc @@ -76,13 +76,13 @@ function startSecureSession($redirectToLogin = true, $initSecureData = false) { // check session id if (! isset($_SESSION["sec_session_id"]) || ($_SESSION["sec_session_id"] != session_id())) { // session id is invalid - logNewMessage(LOG_WARNING, "Invalid session ID, access denied (" . $_SERVER['REMOTE_ADDR'] . ")"); + logNewMessage(LOG_WARNING, "Invalid session ID, access denied (" . getClientIPForLogging() . ")"); die(); } // check if client IP has not changed if (!isset($_SESSION["sec_client_ip"]) || ($_SESSION["sec_client_ip"] != $_SERVER['REMOTE_ADDR'])) { // IP is invalid - logNewMessage(LOG_WARNING, "Client IP changed, access denied (" . $_SERVER['REMOTE_ADDR'] . ")"); + logNewMessage(LOG_WARNING, "Client IP changed, access denied (" . getClientIPForLogging() . ")"); die(); } // check if session time has not expired 
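Review bot: The two "access denied" messages in this hunk now print getClientIPForLogging(), whose X-Forwarded-For/X-Real-IP part is copied from request headers that any client can set unless a trusted front proxy overwrites them, so the address recorded for a rejected request can be chosen by the rejected client. The comparison two lines above still reads $_SERVER['REMOTE_ADDR'] for the actual IP-change check, which is the correct source and should stay that way; I would make the contract explicit at the first changed call: `// proxy headers are client-supplied: use them for the log line only, never for the sec_client_ip check`. Behind a reverse proxy REMOTE_ADDR is presumably the proxy for every client and the check no longer distinguishes them, but that is pre-existing and not introduced here. startSecureSession() begins and ends outside this hunk.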
@@ -133,7 +133,7 @@ function checkClientIP() {
 }
 // stop script is client may not access LAM
 if (!$grantAccess) {
- logNewMessage(LOG_WARNING, "Invalid client IP, access denied (" . $_SERVER['REMOTE_ADDR'] . ")");
+ logNewMessage(LOG_WARNING, "Invalid client IP, access denied (" . getClientIPForLogging() . ")");
 die();
 }
 }
@@ -215,7 +215,7 @@ function logNewMessage($level, $message) {
 // check if log level is high enough
 elseif ($cfg->logLevel < $level) return;
 // ok to log, build log message
- $prefix = "LDAP Account Manager (" . session_id() . ' - ' . $_SERVER['REMOTE_ADDR'] . ") - " . $possibleLevels[$level] . ": ";
+ $prefix = "LDAP Account Manager (" . session_id() . ' - ' . getClientIPForLogging() . ") - " . $possibleLevels[$level] . ": ";
 $message = $prefix . $message;
 // Syslog logging
 if ($cfg->logDestination == 'SYSLOG') {
@@ -481,4 +481,20 @@ function isLoggedIn() {
 return (isset($_SESSION['loggedIn']) && ($_SESSION['loggedIn'] === true));
 }
 
+/**
+ * Returns the client IP and comma separated proxy IPs if any (HTTP_X_FORWARDED_FOR, HTTP_X_REAL_IP).
+ *
+ * @return String client IP (e.g. 10.10.10.10,11.11.11.11)
+ */
+function getClientIPForLogging() {
+ $ip = $_SERVER['REMOTE_ADDR'];
+ if (!empty($_SERVER['HTTP_X_FORWARDED_FOR']) && (strlen($_SERVER['HTTP_X_FORWARDED_FOR']) < 100)) {
+ $ip .= ',' . $_SERVER['HTTP_X_FORWARDED_FOR'];
+ }
+ if (!empty($_SERVER['HTTP_X_REAL_IP']) && (strlen($_SERVER['HTTP_X_REAL_IP']) < 100)) {
+ $ip .= ',' . $_SERVER['HTTP_X_REAL_IP'];
+ }
+ return $ip;
+}
+
 ?>
\ No newline at end of file
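Review bot: getClientIPForLogging() appends the raw HTTP_X_FORWARDED_FOR and HTTP_X_REAL_IP values to the prefix of every log line, and the `strlen(...) < 100` guards bound the size but not the content: those headers are attacker-supplied whenever no trusted proxy rewrites them, so CR/LF, control characters or free text end up in syslog or the log file and can forge or obscure entries. Validate each comma-separated element with filter_var(..., FILTER_VALIDATE_IP) and drop anything that is not an address; that still yields the proxy-chain output the docblock promises while keeping injected text out of the logs. The docblock should also state the trust boundary, e.g. ` * The proxy headers are client-supplied and must only be used for logging, never for access decisions.`
```php
function getClientIPForLogging() {
	$ip = $_SERVER['REMOTE_ADDR'];
	// proxy headers are client-supplied: keep only well-formed addresses so that
	// no CR/LF or free text reaches the log line
	foreach (array('HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP') as $header) {
		if (empty($_SERVER[$header]) || (strlen($_SERVER[$header]) >= 100)) {
			continue;
		}
		foreach (explode(',', $_SERVER[$header]) as $candidate) {
			$candidate = trim($candidate);
			if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
				$ip .= ',' . $candidate;
			}
		}
	}
	return $ip;
}
```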