Add trusted IPs in config and try to ban forwarded IP on failed login

* Add a new settings (which needs to be manually set): `security.trusted_proxies` * On login failure, if the `REMOTE_ADDR` is in the trusted proxies, try to retrieve the forwarded IP in headers. * If found, the client address is added in ipbans, else we do nothing. Fixes #409
author: ArthurHoaro <arthur@hoa.ro> 2016-08-03 10:36:47 +0200
committer: ArthurHoaro <arthur@hoa.ro> 2016-11-05 14:29:52 +0100
commit: 3116d8671d388690bac1070e39d2c74d28b14f0e (patch)
tree: a310adfe8af2c0bd0c792d914dd7c26bcf9d910e /application
parent: 4fd053d6b29a1b6724eda17a3daddb29b1bf1ca3 (diff)
download: Shaarli-3116d8671d388690bac1070e39d2c74d28b14f0e.tar.gz
Shaarli-3116d8671d388690bac1070e39d2c74d28b14f0e.tar.zst
Shaarli-3116d8671d388690bac1070e39d2c74d28b14f0e.zip
1 files changed, 26 insertions, 0 deletions
diff --git a/application/HttpUtils.php b/application/HttpUtils.php
index 27a39d3d..e705cfd6 100644
--- a/application/HttpUtils.php
+++ b/application/HttpUtils.php
@@ -355,3 +355,29 @@ function page_url($server)
    }
    return index_url($server);
 }
+/**
+ * Retrieve the initial IP forwarded by the reverse proxy.
+ *
+ * Inspired from: https://github.com/zendframework/zend-http/blob/master/src/PhpEnvironment/RemoteAddress.php
+ *
+ * @param array $server     $_SERVER array which contains HTTP headers.
+ * @param array $trustedIps List of trusted IP from the configuration.
+ *
+ * @return string|bool The forwarded IP, or false if none could be extracted.
+ */
+function getIpAddressFromProxy($server, $trustedIps)
+{
+    $forwardedIpHeader = 'HTTP_X_FORWARDED_FOR';
+    if (empty($server[$forwardedIpHeader])) {
+        return false;
+    }
+    $ips = preg_split('/\s*,\s*/', $server[$forwardedIpHeader]);
+    $ips = array_diff($ips, $trustedIps);
+    if (empty($ips)) {
+        return false;
+    }
+    return array_pop($ips);
+}
author	ArthurHoaro <arthur@hoa.ro>	2016-08-03 10:36:47 +0200
committer	ArthurHoaro <arthur@hoa.ro>	2016-11-05 14:29:52 +0100
commit	3116d8671d388690bac1070e39d2c74d28b14f0e (patch)
tree	a310adfe8af2c0bd0c792d914dd7c26bcf9d910e /application
parent	4fd053d6b29a1b6724eda17a3daddb29b1bf1ca3 (diff)
download	Shaarli-3116d8671d388690bac1070e39d2c74d28b14f0e.tar.gz Shaarli-3116d8671d388690bac1070e39d2c74d28b14f0e.tar.zst Shaarli-3116d8671d388690bac1070e39d2c74d28b14f0e.zip

diff --git a/application/HttpUtils.php b/application/HttpUtils.php index 27a39d3d..e705cfd6 100644 --- a/application/HttpUtils.php +++ b/application/HttpUtils.php
@@ -355,3 +355,29 @@ function page_url($server)
355	}	355	}
356	return index_url($server);	356	return index_url($server);
357	}	357	}
		358
		359	/**
		360	* Retrieve the initial IP forwarded by the reverse proxy.
		361	*
		362	* Inspired from: https://github.com/zendframework/zend-http/blob/master/src/PhpEnvironment/RemoteAddress.php
		363	*
		364	* @param array $server $_SERVER array which contains HTTP headers.
		365	* @param array $trustedIps List of trusted IP from the configuration.
		366	*
		367	* @return string\|bool The forwarded IP, or false if none could be extracted.
		368	*/
		369	function getIpAddressFromProxy($server, $trustedIps)
		370	{
		371	$forwardedIpHeader = 'HTTP_X_FORWARDED_FOR';
		372	if (empty($server[$forwardedIpHeader])) {
		373	return false;
		374	}
		375
		376	$ips = preg_split('/\s,\s/', $server[$forwardedIpHeader]);
		377	$ips = array_diff($ips, $trustedIps);
		378	if (empty($ips)) {
		379	return false;
		380	}
		381
		382	return array_pop($ips);
		383	}