-
Improvement
-
Resolution: Unresolved
-
Minor
-
None
-
Future Dev
$CFG->getremoteaddrconf should be set correctly and be part of the security check report
This might be hard to correctly check in practice as you need a 3rd party service with a known ip address to access Moodle from the outside and assert that it is seen as that IP address. It may come from an ip range, or the service might be down.
To be fully correct and a bit overkill you also need that service to send some fake headers that Moodle should not be accepting to make sure you can't spoof your ip address ( the defaultĀ
Another complimentary and simpler heuristic is we look at the last 1000 users logins and grab all of their IP's and group them and rank them. If we find that a very large fraction of them have the same IP address then this is a strong indication that Moodle is seeing the IP of a load balancer or cdn / reverse proxy and not the real users IP's. It's not perfect and would need some caveats so this would be a warning not an error.