WordPress – Comments and X_Forwarded_FOR

This is a patch to comment.php for a WordPress installation. Basically, if the X_FORWARDED_FOR header is set then the comment is attributed to that IP instead of the IP address of the remote connection. For those that run WordPress behind a reverse proxy, like Squid, Apache, etc., this is helpful. Of course this header can be spoofed, and thus the only way to really know from which IP the connection came is to check the logs on the proxy server.
Now I guess I could get a little more accurate by having the proxy server insert a custom header and then using the value of that header. Of course that too could be spoofed, etc. At the end of the day, having the real IP of the device submitting the comment is not all that important anyway. Though I like having the value of this header more than I like always having the IP of my proxy server.

+++ comment.php Wed Nov 19 01:13:46 2008
@@ -715,7 +715,22 @@
        $commentdata['comment_post_ID'] = (int) $commentdata['comment_post_ID'];
        $commentdata['user_ID']         = (int) $commentdata['user_ID'];

+/* Original line to get comment users IP
        $commentdata['comment_author_IP'] = preg_replace( '/[^0-9a-fA-F:., ]/', '',$_SERVER['REMOTE_ADDR'] );
+*/
+
+       if ($_SERVER['HTTP_X_FORWARDED_FOR'] != "" ) {
+            $ipAddress = $_SERVER["HTTP_X_FORWARDED_FOR"];
+                if (strpos($ipAddress, ',') !== false) {
+                    $ipAddress = explode(',', $ipAddress);
+                    $ipAddress = $ipAddress[0];
+                }
+
+        } else {
+            $ipAddress = $_SERVER['REMOTE_ADDR'];
+        }
+       $commentdata['comment_author_IP'] = $ipAddress;
+
        $commentdata['comment_agent']     = $_SERVER['HTTP_USER_AGENT'];

        $commentdata['comment_date']     = current_time('mysql');
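
Review bot: the replacement drops the preg_replace() sanitization that the commented-out original applied, so $commentdata['comment_author_IP'] now stores a raw value from a header the client controls (as the write-up itself notes). At minimum keep `preg_replace( '/[^0-9a-fA-F:., ]/', '', $ipAddress )` on the final value; better, only consult HTTP_X_FORWARDED_FOR when $_SERVER['REMOTE_ADDR'] is the proxy, and take the entry the proxy appended (the last one) rather than $ipAddress[0], which is the entry a sender chooses. Also `$_SERVER['HTTP_X_FORWARDED_FOR'] != ""` raises an undefined-index notice whenever the header is absent; `!empty($_SERVER['HTTP_X_FORWARDED_FOR'])` avoids that.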

WordPress – X-Forwarded-For header

For those that have not figured it out, WordPress is the content management system for this site. I am using a plugin called StatPress. A “visitor” in the lingo of StatPress is not cookie based (which one could argue it should be, since so many places use web proxies for their clients, myself included) but is based on the client’s IP address. In my network the web server(s) are front-ended by a proxy server (so yeah, I use proxies for my clients and my servers). I checked out WordPress ticket 4602 but apparently this has not made it into the code base yet. I am an outsider with respect to WordPress development and plugin writing, but I think the plugins should be asking the core for things like the client IP, etc. This means one place to maintain and sanitize this information.

Anyways, the code below is what I cobbled together into the statpress.php file so that the “real” IP address of the client is seen by StatPress and thus my statistics are slightly more accurate. :)

--- statpress.php       Wed Nov 12 04:30:35 2008
+++ statpress.php.new   Wed Nov 12 04:41:29 2008
@@ -1131,7 +1131,23 @@
        $vtime  = gmdate("H:i:s",$timestamp);

        // IP
-    $ipAddress = $_SERVER['REMOTE_ADDR'];
+
+        if ($_SERVER['HTTP_X_FORWARDED_FOR'] != "" ) {
+            $ipAddress = $_SERVER["HTTP_X_FORWARDED_FOR"];
+                if (strpos($ipAddress, ',') !== false) {
+                    $ipAddress = explode(',', $ipAddress);
+                    $ipAddress = $ipAddress[0];
+                }
+
+        } else {
+            $ipAddress = $_SERVER['REMOTE_ADDR'];
+        }
+
+
+
+
+
+
     if(iriCheckBanIP($ipAddress) == '') { return ''; }

        // URL (requested)
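
Review bot: iriCheckBanIP() on the line after the new block is now keyed on a value the client can set (the post notes the header can be spoofed), so the ban check no longer sees the address the connection actually came from; honour the header only when $_SERVER['REMOTE_ADDR'] is your proxy, and prefer the last entry of the list (the one your proxy appended) over $ipAddress[0]. `$_SERVER['HTTP_X_FORWARDED_FOR'] != ""` also triggers an undefined-index notice when the header is missing (`!empty(...)` avoids it), and the six empty `+` lines before the ban check are noise that should be dropped before the patch is shared.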
@@ -1320,8 +1336,20 @@
                $body = str_replace("%browser%", $browser, $body);
        }
        if(strpos(strtolower($body),"%ip%") !== FALSE) {
-           $ipAddress = $_SERVER['REMOTE_ADDR'];
-               $body = str_replace("%ip%", $ipAddress, $body);
+
+        if ($_SERVER['HTTP_X_FORWARDED_FOR'] != "" ) {
+            $ipAddress = $_SERVER["HTTP_X_FORWARDED_FOR"];
+                if (strpos($ipAddress, ',') !== false) {
+                    $ipAddress = explode(',', $ipAddress);
+                    $ipAddress = $ipAddress[0];
+                }
+
+        } else {
+            $ipAddress = $_SERVER['REMOTE_ADDR'];
+        }
+
+
+       $body = str_replace("%ip%", $ipAddress, $body);
        }
        if(strpos(strtolower($body),"%visitorsonline%") !== FALSE) {
                $to_time = current_time('timestamp');
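
Review bot: this is a second verbatim copy of the lookup added in the previous hunk; factor it into one function (a `statpress_client_ip()` helper, say, name assumed) called from both places so that a later fix to the header handling lands in one spot. The same missing-header notice applies here, and the re-added `$body = str_replace("%ip%", $ipAddress, $body);` line lost the indentation of the line it replaced, so it no longer reads as being inside the enclosing if.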
If you find this helpful, please leave me a comment. If anyone understands Italian and wants to send this over to the author of the plugin, please do and let me know. I also need to now go hack the comments code so it does the same thing. Of course then also package up both of these modifications so I can incorporate them in my future WordPress installs.
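A hardened version of the lookup that both patches above implement, written as an added example and not code from the posts, WordPress or StatPress: it trusts X-Forwarded-For only when the direct peer is one of our own proxies (the 10.0.0.2 proxy address and the sample requests are assumptions), takes the hop our proxy appended rather than the client-supplied first entry, and validates the result instead of stripping characters.

```php
<?php
// Added example: resolve the client IP behind a reverse proxy while trusting
// X-Forwarded-For only when the request actually arrived via one of our proxies.

/**
 * Return the client IP to record.
 *
 * @param array $server         Normally $_SERVER; passed in so this is testable.
 * @param array $trustedProxies Addresses of our own reverse proxies (assumed).
 */
function client_ip(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';

    // Direct connection (no proxy of ours in front): the header is whatever
    // the client chose to send, so ignore it entirely.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }

    // isset() avoids the undefined-index notice when the header is absent.
    if (!isset($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }

    // Each proxy appends the peer address it saw. Walk from the right and stop
    // at the first hop that is not one of ours; the leftmost entry is the one
    // a sender controls and is never used on its own.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (in_array($hops[$i], $trustedProxies, true)) {
            continue;
        }
        // Reject junk rather than filtering characters out of it: only a
        // syntactically valid IPv4/IPv6 literal is stored, else fall back.
        return filter_var($hops[$i], FILTER_VALIDATE_IP) !== false ? $hops[$i] : $remote;
    }
    return $remote;
}

// Constructed sample requests (not real traffic).
$proxies  = ['10.0.0.2'];
$viaProxy = ['REMOTE_ADDR' => '10.0.0.2',
             'HTTP_X_FORWARDED_FOR' => '1.2.3.4, 203.0.113.9']; // proxy appended last hop
$spoofed  = ['REMOTE_ADDR' => '198.51.100.7',
             'HTTP_X_FORWARDED_FOR' => '1.2.3.4'];              // header sent directly
$garbage  = ['REMOTE_ADDR' => '10.0.0.2',
             'HTTP_X_FORWARDED_FOR' => 'not-an-ip'];            // invalid value via proxy
foreach ([$viaProxy, $spoofed, $garbage] as $req) {
    echo client_ip($req, $proxies), "\n";
}
```

The same function can replace the three copies of the header check in the patches, with the proxy list kept in one configuration value.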