Why does no one care about determining the correct IP address?

HasanMerkit

Flarum websites protected by Cloudflare are detecting incorrect IP addresses. This includes extensions.

I shared solution. Please check my old reply: https://discuss.flarum.org/d/20949-friendsofflarum-ban-ips/115

HasanMerkit

For example in this screenshot, 162.158.87.0/24 is Cloudflare proxy IP addresses. Not my IP address.
Also, some extensions needs update for Cloudflare like FoF Ban IPs

But if we can check and use the "HTTP_CF_CONNECTING_IP" header, we can get real user IP address.

HasanMerkit

I want to share my PHP code for try help developers. My PHP code is helps to find real user IP address by checking more headers.

    function Client_IP(){

        # $_SERVER Header List
        $headers = array(
            'HTTP_CF_CONNECTING_IP', // Cloudflare
            /* Proxy Servers - Start */
            'HTTP_X_FORWARDED_FOR',
            'HTTP_X_FORWARDED',
            'HTTP_X_REAL_IP',
            'HTTP_CLIENT_IP',
            'HTTP_FORWARDED_FOR',
            'HTTP_FORWARDED',
            'HTTP_REAL_IP',
            'HTTP_CLUSTER_CLIENT_IP',
            'X_FORWARDED_FOR',
            'X_PROXYUSER_IP',
            'FORWARDED_FOR',
            'FORWARDED',
            'REAL_IP',
            'CLIENT_IP',
            'CLUSTER_CLIENT_IP',
            'CLIENTIP',
            /* Proxy Servers - End */
            'REMOTE_ADDR'
        );

        # Try get IP address with cheacking headers.
        foreach ($headers as $index) {
            if (isset($_SERVER[$index]) && filter_var($_SERVER[$index], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
                return $_SERVER[$index];
            }
        }
        

        # If IP is ::1, accept this ipv6 address as 127.0.0.1.
        if ( isset($_SERVER["REMOTE_ADDR"]) && $_SERVER["REMOTE_ADDR"] == "::1" ){
            return "127.0.0.1";
        }

        # Detection failed. Return null.
        return null;
    }
?>```

luceos

Just put this at the top of config.php:

if (isset($_SERVER['HTTP_CF_CONNECTING_IP'])) {
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_CF_CONNECTING_IP'];
}

HasanMerkit

luceos

Actually, there are some PHP codes that I want to be processed on every page.
Is it correct to change this file? How about adding it to index.php?
(The code I will add: require_once("../myphpcodes"); )

clarkwinkelmann It makes more sense to me that a very popular service like Cloudflare could be detected by Flarum software (or at least a extension could be developed). I think Cloudflare is even better than Google in some ways. Also, even the awesome IP address 1.1.1.1 belongs to this company.

clarkwinkelmann

It is not the responsibility of Flarum to restore the IP address, this is a webserver configuration issue.

Cloudflare offers documentation on how you should setup your server to obtain the correct IP in your firewall and logs, even before PHP gets involved.

When reading the IP from a header, you should make sure your server can only be reached by permitted proxy IPs, otherwise a malicious actor can send direct requests to your server and provide any IP value they want using the header. This problem makes it impossible to provide a solution that works out of the box. An extension would need to either be only enabled after the forum owner confirms the IP whitelist is in place, or perform the Cloudflare IP whitelist check on its own (which is possible, but is best to be done at the webserver level rather than PHP).

ernestdefoe

HasanMerkit Is it correct to change this file? How about adding it to index.php?

If I’m not mistaken the config file is pretty much loaded on every page load or at least referenced because if not how does software in general work when it doesn’t know what to connect to as since @luceos said put it in the config file I’m pretty sure it’ll work just fine there.

HasanMerkit

Okey, thanks people! 🥂

HasanMerkit

New problem for me, when i try to add my custom PHP file, my clean Flarum crashes:

For example:

if ( is_file(DIR."/teteosnet_web/system_flarum.php") ){ echo "abcdefg"; }

Result:

abcdefg<br />
Fatal error: Uncaught Laminas\HttpHandlerRunner\Exception\EmitterException: Output has been emitted previously; cannot emit response in C:\Xampp\htdocs\vendor\laminas\laminas-httphandlerrunner\src\Exception\EmitterException.php:20 Stack trace: #0 C:\Xampp\htdocs\vendor\laminas\laminas-httphandlerrunner\src\Emitter\SapiEmitterTrait.php(42): Laminas\HttpHandlerRunner\Exception\EmitterException::forOutputSent() #1 C:\Xampp\htdocs\vendor\laminas\laminas-httphandlerrunner\src\Emitter\SapiEmitter.php(21): Laminas\HttpHandlerRunner\Emitter\SapiEmitter->assertNoPreviousOutput() #2 C:\Xampp\htdocs\vendor\laminas\laminas-httphandlerrunner\src\RequestHandlerRunner.php(75): Laminas\HttpHandlerRunner\Emitter\SapiEmitter->emit(Object(Laminas\Diactoros\Response\HtmlResponse)) #3 C:\Xampp\htdocs\vendor\flarum\core\src\Http\Server.php(45): Laminas\HttpHandlerRunner\RequestHandlerRunner->run() #4 C:\Xampp\htdocs\forum\index.php(26): Flarum\Http\Server->listen() #5 {main} thrown in C:\Xampp\htdocs\vendor\laminas\laminas-httphandlerrunner\src\Exception\EmitterException.php on line 20

SychO

HasanMerkit that's what echo does, it outputs the string which messes up the json response so the app crashes.

HasanMerkit

SychO Apart from using this, if I create variables in system_flarum.php and include them in this line, there will be no problem, right?

Also there should be a place at the top of Flarum to put my own HTML menu (HTML generated with PHP)