Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Set correct REMOTE_ADDR in PHP-FPM called from Apache

Tags:

php

nginx

apache

ip

fastcgi

We want to switch from mod_php to fastCGI + PHP-FPM on our Apache server.

We got everyhting in place and working except one thing:

Value in our $_SERVER['REMOTE_ADDR'] is always 127.0.0.1 not IP of client. Is there any way how to configure server to set this variable to client real IP?

We have client real IP in X-Forwarded-For header (passed from proxy)

Basically we need Apache alternative for nginx config: 

fastcgi_param REMOTE_ADDR $http_x_forwarded_for;

( as described here Nginx replace REMOTE_ADDR with X-Forwarded-For)

like image 897
Martin Mystik Jonáš Avatar asked May 04 '15 18:05

Martin Mystik Jonáš

People also ask

Can you use PHP-FPM with Apache?

FPM is a process manager to manage the FastCGI in PHP. Apache ships with mod_php by default and works with all major web servers.

Can $_ server Remote_addr be spoofed?

Any $_SERVER variable can be spoofed - e.g. curl_setopt( $ch, CURLOPT_HTTPHEADER, array("REMOTE_ADDR: $ip", "HTTP_X_FORWARDED_FOR: $ip")); So it depends entirely on the context: if the attacker is expecting a response, it will go back to $ip. If they don't care about the response, they can certainly spoof the header.

What is the default port for PHP-FPM?

By default, php-fpm will respond to CGI requests listening on localhost http port 9000. Therefore php-fpm expects your webserver to forward all requests for '. php' files to port 9000 and you should edit your webserver configuration file appropriately.

1 Answers

Solved by adding directive to php.ini:

auto_prepend_file = /etc/php5/rpaf.php

which enable execution of this simple PHP script to normalize headers:

<?php

$trustedProxies = array(
  '127.0.0.1'  
);

$remote = $_SERVER['REMOTE_ADDR'];

$allowedHeaders = array(
  'HTTP_X_FORWARDED_FOR' => 'REMOTE_ADDR',
  'HTTP_X_REAL_IP' => 'REMOTE_HOST',
  'HTTP_X_FORWARDED_PORT' => 'REMOTE_PORT',
  'HTTP_X_FORWARDED_HTTPS' => 'HTTPS',
  'HTTP_X_FORWARDED_SERVER_ADDR' => 'SERVER_ADDR',
  'HTTP_X_FORWARDED_SERVER_NAME' => 'SERVER_NAME',
  'HTTP_X_FORWARDED_SERVER_PORT' => 'SERVER_PORT',
);

if(in_array($remote, $trustedProxies)) {
  foreach($allowedHeaders as $header => $serverVar) {
    if(isSet($_SERVER[$header])) {
      if(isSet($_SERVER[$serverVar])) {
        $_SERVER["ORIGINAL_$serverVar"] = $_SERVER[$serverVar];
      }
      $_SERVER[$serverVar] = $_SERVER[$header];
    }
  }
}
like image 156
Martin Mystik Jonáš Avatar answered Sep 16 '22 15:09

Martin Mystik Jonáš
Sign in to Comment

Related questions

Apache POI: Partial Cell fonts
Apache Benchmark HTTPS failing
.htaccess redirecting when file doesn't exists
mod_expires or mod_headers?
Use Apache cxf with spring mvc in a single application with shared services
mod_fcgid: ap_pass_brigade failed in handle_request function
Installing Laravel in a subfolder [closed]
access xampp/htdocs from outside
Slow initialization of apache cxf client
PHP show results while running
mod_auth_kerb principal parsing error
.htaccess Redirect URLs with UTF 8 chars
Possible security issues of setting Access-Control-Allow-Origin
Solr 4 - missing required field: uuid
How to implement a custom AdapterFactory for Sling Resource?
Django - referencing different settings files from wsgi depending on server
Setting path variable for apache user on Amazon Ec2
Structure of chat application and required technologies
MAMP 3, .htaccess and php_value
Why can not I block a single node.js file in apache?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!