From 47efedf23cc45bb2425a183bcc1ac998380c45c4 Mon Sep 17 00:00:00 2001 From: El RIDO Date: Fri, 18 Sep 2015 22:31:01 +0200 Subject: [PATCH] traffic limiter would fail behind a reverse proxy / load balancer. Adding configuration option to set the trusted HTTP header to get the visitors IP in such a case (avoiding security issue if malicious clients just set these headers themselfs) --- cfg/conf.ini | 6 ++++++ lib/zerobin.php | 11 ++++++++++- 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/cfg/conf.ini b/cfg/conf.ini index 31225812..dff69c15 100644 --- a/cfg/conf.ini +++ b/cfg/conf.ini @@ -71,6 +71,12 @@ markdown = "Markdown" ; time limit between calls from the same IP address in seconds ; Set this to 0 to disable rate limiting. limit = 10 + +; (optional) if your website runs behind a reverse proxy or load balancer, +; set the HTTP header containing the visitors IP address, i.e. X_FORWARDED_FOR +; header = "X_FORWARDED_FOR" + +; directory to store the traffic limits in dir = PATH "data" [model] diff --git a/lib/zerobin.php b/lib/zerobin.php index 7d0b2cfd..5de27105 100644 --- a/lib/zerobin.php +++ b/lib/zerobin.php @@ -223,7 +223,16 @@ class zerobin // Make sure last paste from the IP address was more than X seconds ago. trafficlimiter::setLimit($this->_conf['traffic']['limit']); trafficlimiter::setPath($this->_conf['traffic']['dir']); - if (!trafficlimiter::canPass($_SERVER['REMOTE_ADDR'])) + $ipKey = 'REMOTE_ADDR'; + if (array_key_exists('header', $this->_conf['traffic'])) + { + $header = 'HTTP_' . $this->_conf['traffic']['header']; + if (array_key_exists($header, $_SERVER) && !empty($_SERVER[$header])) + { + $ipKey = $header; + } + } + if (!trafficlimiter::canPass($_SERVER[$ipKey])) { $this->_return_message( 1,