diff options
author | ArthurHoaro <arthur@hoa.ro> | 2016-08-03 10:36:47 +0200 |
---|---|---|
committer | ArthurHoaro <arthur@hoa.ro> | 2016-11-05 14:29:52 +0100 |
commit | 3116d8671d388690bac1070e39d2c74d28b14f0e (patch) | |
tree | a310adfe8af2c0bd0c792d914dd7c26bcf9d910e /index.php | |
parent | 4fd053d6b29a1b6724eda17a3daddb29b1bf1ca3 (diff) | |
download | Shaarli-3116d8671d388690bac1070e39d2c74d28b14f0e.tar.gz Shaarli-3116d8671d388690bac1070e39d2c74d28b14f0e.tar.zst Shaarli-3116d8671d388690bac1070e39d2c74d28b14f0e.zip |
Add trusted IPs in config and try to ban forwarded IP on failed login
* Add a new settings (which needs to be manually set): `security.trusted_proxies`
* On login failure, if the `REMOTE_ADDR` is in the trusted proxies, try to retrieve the forwarded IP in headers.
* If found, the client address is added in ipbans, else we do nothing.
Fixes #409
Diffstat (limited to 'index.php')
-rw-r--r-- | index.php | 11 |
1 files changed, 10 insertions, 1 deletions
@@ -332,8 +332,17 @@ include $conf->get('resource.ban_file', 'data/ipbans.php'); | |||
332 | function ban_loginFailed($conf) | 332 | function ban_loginFailed($conf) |
333 | { | 333 | { |
334 | $ip = $_SERVER['REMOTE_ADDR']; | 334 | $ip = $_SERVER['REMOTE_ADDR']; |
335 | $trusted = $conf->get('security.trusted_proxies', array()); | ||
336 | if (in_array($ip, $trusted)) { | ||
337 | $ip = getIpAddressFromProxy($_SERVER, $trusted); | ||
338 | if (!$ip) { | ||
339 | return; | ||
340 | } | ||
341 | } | ||
335 | $gb = $GLOBALS['IPBANS']; | 342 | $gb = $GLOBALS['IPBANS']; |
336 | if (!isset($gb['FAILURES'][$ip])) $gb['FAILURES'][$ip]=0; | 343 | if (! isset($gb['FAILURES'][$ip])) { |
344 | $gb['FAILURES'][$ip]=0; | ||
345 | } | ||
337 | $gb['FAILURES'][$ip]++; | 346 | $gb['FAILURES'][$ip]++; |
338 | if ($gb['FAILURES'][$ip] > ($conf->get('security.ban_after') - 1)) | 347 | if ($gb['FAILURES'][$ip] > ($conf->get('security.ban_after') - 1)) |
339 | { | 348 | { |