From a8302fb25316661512951fdf744ac1bae6e94ef6 Mon Sep 17 00:00:00 2001
From: Andrew Dolgov <noreply@fakecake.org>
Date: Tue, 5 Jan 2021 10:17:24 +0300
Subject: [PATCH] use X-Real-IP headers if possible while authenticating

---
 classes/api.php            |  2 +-
 classes/handler/public.php |  2 +-
 classes/logger/sql.php     |  5 ++++-
 classes/userhelper.php     | 11 +++++++++--
 4 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/classes/api.php b/classes/api.php
index 6b857f689..aa39171bf 100755
--- a/classes/api.php
+++ b/classes/api.php
@@ -81,7 +81,7 @@ class API extends Handler {
 				$this->wrap(self::STATUS_OK,	array("session_id" => session_id(),
 					"api_level" => self::API_LEVEL));
 			} else {                                                         // else we are not logged in
-				user_error("Failed login attempt for $login from {$_SERVER['REMOTE_ADDR']}", E_USER_WARNING);
+				user_error("Failed login attempt for $login from " . UserHelper::get_user_ip(), E_USER_WARNING);
 				$this->wrap(self::STATUS_ERR, array("error" => "LOGIN_ERROR"));
 			}
 		} else {
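Review bot: The value interpolated on the new line 22 is no longer a socket-derived address but, via `UserHelper::get_user_ip()`, whatever the client sent in `X-Real-IP` when no proxy in front of the app overwrites that header, so the failed-login log now carries attacker-chosen text. Validate it before logging, e.g. `$ip = filter_var(UserHelper::get_user_ip(), FILTER_VALIDATE_IP) ?: 'invalid';` and log `$ip`, which also keeps newlines and control characters out of the message passed to `user_error()`. The enclosing `login` method starts and ends outside this hunk.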
diff --git a/classes/handler/public.php b/classes/handler/public.php
index 4bd9c06f9..86a82cc61 100755
--- a/classes/handler/public.php
+++ b/classes/handler/public.php
@@ -714,7 +714,7 @@ class Handler_Public extends Handler {
 				if (!isset($_SESSION["login_error_msg"]))
 					$_SESSION["login_error_msg"] = __("Incorrect username or password");
 
-				user_error("Failed login attempt for $login from {$_SERVER['REMOTE_ADDR']}", E_USER_WARNING);
+				user_error("Failed login attempt for $login from " . UserHelper::get_user_ip(), E_USER_WARNING);
 			}
 
 			$return = clean($_REQUEST['return']);
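Review bot: Failed-login lines like the one on the new line 35 are exactly what fail2ban-style tooling consumes, and with an unconditionally trusted `X-Real-IP` an unauthenticated client can attribute its attempts to any address it likes, so a third party's IP can be banned or the real source evades a ban. Restrict the header to requests from a configured reverse proxy and reject anything that does not pass `filter_var($ip, FILTER_VALIDATE_IP)` before it reaches the log. The enclosing method continues outside this hunk.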
diff --git a/classes/logger/sql.php b/classes/logger/sql.php
index 1b44b1e5f..c1ea16ef9 100755
--- a/classes/logger/sql.php
+++ b/classes/logger/sql.php
@@ -16,7 +16,10 @@ class Logger_SQL {
 			$context = mb_substr($context, 0, 8192);
 
 			$server_params = [
-				"IP" => "REMOTE_ADDR",
+				"Real IP" => "HTTP_X_REAL_IP",
+				"Forwarded For" => "HTTP_X_FORWARDED_FOR",
+				"Forwarded Protocol" => "HTTP_X_FORWARDED_PROTO",
+				"Remote IP" => "REMOTE_ADDR",
 				"Request URI" => "REQUEST_URI",
 				"User agent" => "HTTP_USER_AGENT",
 			];
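Review bot: The three headers added on lines 48-50 are raw, client-controlled request values; `X-Forwarded-For` in particular is multi-valued and unbounded in length, while the `mb_substr` cap on line 44 applies to `$context` only, so it presumably does not bound these (how `$server_params` is rendered is outside this hunk — please confirm). Bound each value, e.g. `mb_substr($_SERVER[$key], 0, 256)`, and make sure the log viewer HTML-escapes them, since a stored header value is an easy stored-XSS vector into an admin-only page. Consider also validating the IP-bearing ones with `FILTER_VALIDATE_IP` before storing.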
diff --git a/classes/userhelper.php b/classes/userhelper.php
index fd0b0ac57..4cc6768db 100644
--- a/classes/userhelper.php
+++ b/classes/userhelper.php
@@ -38,7 +38,7 @@ class UserHelper {
 				$usth = $pdo->prepare("UPDATE ttrss_users SET last_login = NOW() WHERE id = ?");
 				$usth->execute([$user_id]);
 
-				$_SESSION["ip_address"] = $_SERVER["REMOTE_ADDR"];
+				$_SESSION["ip_address"] = UserHelper::get_user_ip();
 				$_SESSION["user_agent"] = sha1($_SERVER['HTTP_USER_AGENT']);
 				$_SESSION["pwd_hash"] = $row["pwd_hash"];
 
@@ -63,7 +63,7 @@ class UserHelper {
 			if (!$_SESSION["csrf_token"])
 				$_SESSION["csrf_token"] = bin2hex(get_random_bytes(16));
 
-			$_SESSION["ip_address"] = $_SERVER["REMOTE_ADDR"];
+			$_SESSION["ip_address"] = UserHelper::get_user_ip();
 
 			Pref_Prefs::initialize_user_prefs($_SESSION["uid"]);
 
@@ -138,4 +138,11 @@ class UserHelper {
 
 	}
 
+	static function get_user_ip() {
+		foreach (["HTTP_X_REAL_IP", "REMOTE_ADDR", "REMOTEADDR"] as $hdr) {
+			if (isset($_SERVER[$hdr]))
+				return $_SERVER[$hdr];
+		}
+	}
+
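Review bot: `get_user_ip()` on lines 81-86 prefers `HTTP_X_REAL_IP` over `REMOTE_ADDR` for every request, but that header is only meaningful when a reverse proxy under the operator's control sets it; an app reached directly, or behind a proxy that forwards client headers untouched, will accept a forged address from anyone, and nothing checks that the value is even an IP. Gate the header on the direct peer being a trusted proxy, validate it with `filter_var(..., FILTER_VALIDATE_IP)`, and fall back to `REMOTE_ADDR`; the `REMOTEADDR` key is non-standard for PHP SAPIs, so if it is kept it deserves a comment on which deployment needs it. The rewrite below also gives the function an explicit return path instead of falling off the end with `null`.
```php
	static function get_user_ip(array $trusted_proxies = []) {
		$remote = $_SERVER["REMOTE_ADDR"] ?? $_SERVER["REMOTEADDR"] ?? "";
		$real = $_SERVER["HTTP_X_REAL_IP"] ?? "";

		// Honour X-Real-IP only when the direct peer is a proxy we control;
		// otherwise any client can forge the header.
		if ($real !== "" && in_array($remote, $trusted_proxies, true)
				&& filter_var($real, FILTER_VALIDATE_IP) !== false) {
			return $real;
		}

		return $remote;
	}
```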
 }
-- 
GitLab