  1. Moodle
  2. MDL-68110

Improvements to source IP detection


    • Improvement
    • Resolution: Unresolved
    • Minor
    • None
    • 3.9
    • Administration
    • None
    • MOODLE_39_STABLE

      This is a follow-up of MDL-67861, where the handling of the X-Forwarded-For headers was improved to a better and safer alternative.

      In that issue, a new setting $CFG->reverseproxyignore was added, allowing sites with multiple levels of reverse proxies / balancers to define which ones can be ignored from the header, strictly picking the first (rightmost) not in the list.

      And that's good vs. the previous "always leftmost" alternative.

      Irrespective of that, along the issue, different approaches were discussed, notably a real implementation like https://github.com/un33k/django-ipware (shared by fred).

      There are some techniques there, namely (and surely incomplete):

      • Whitelisting/defining trustable proxies (external or internal, forward or reverse).
      • Blacklisting private IPs.
      • Look at more headers than just HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR, with a defined precedence order.
      • Provide a way to count how many elements should be skipped.
      • Decide between rightmost / leftmost (that can be perfectly perfect in some environments, say a corporate intranet or whatever).

      So this issue is about considering whether some of those extra features for detecting the source IPs are desirable and, if so, implementing them (some/all) in a way compatible with the current implementation.

      Ciao
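
The selection rule described in the issue (rightmost X-Forwarded-For entry that is not a trusted proxy), together with the leftmost and private-address options from the list, as an added Python sketch that is not Moodle's or django-ipware's code. The function name `client_ip`, its parameters and the sample addresses in the comments are assumptions made for illustration.

```python
import ipaddress

# RFC 1918, loopback and IPv6 unique-local ranges for the private-address check.
PRIVATE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "::1/128", "fc00::/7")]

def _in_any(ip, networks):
    return any(ip in net for net in networks)

def _parse(token):
    """Parse one header element; None marks a malformed entry."""
    try:
        return ipaddress.ip_address(token.strip())
    except ValueError:
        return None

def client_ip(remote_addr, xff, trusted, strategy="rightmost", reject_private=False):
    """Pick the client address; fall back to the socket peer if the header is unusable.

    remote_addr: address of the direct TCP peer.
    xff: raw X-Forwarded-For value (may be empty).
    trusted: CIDR strings of our own proxies / balancers (hypothetical parameter).
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted]
    peer = ipaddress.ip_address(remote_addr)
    # The header is client-controlled unless the direct peer is one of our proxies.
    if not xff or not _in_any(peer, nets):
        return str(peer)
    chain = [_parse(t) for t in xff.split(",")]
    if strategy == "leftmost":
        # Only sound where clients cannot set the header themselves.
        candidate = chain[0]
    else:
        # Walk right to left, skipping hops appended by trusted proxies and
        # stopping at the first untrusted (or malformed) element.
        candidate = peer
        for hop in reversed(chain):
            candidate = hop
            if hop is None or not _in_any(hop, nets):
                break
    if candidate is None or (reject_private and _in_any(candidate, PRIVATE)):
        return str(peer)
    return str(candidate)

# Constructed sample: the client sent "198.51.100.7" itself, and two of our
# proxies then appended 203.0.113.9 and 10.0.0.9.
# client_ip("10.0.0.5", "198.51.100.7, 203.0.113.9, 10.0.0.9", ["10.0.0.0/8"])
```

With the rightmost strategy the spoofed first element is never reached; with `strategy="leftmost"` it is returned as-is, which is why that mode only fits networks where clients cannot inject the header.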

            Unassigned Unassigned
            stronk7 Eloy Lafuente (stronk7)