IP address resolution does not consider HTTP proxy.

description

When proxying (such as when routing HTTP requests by one central Apache server towards one of dozens of backend web servers), the IP address gets lost.
This is normal behaviour. Therefore a proxy inserts a header x-forwarded-for which contains the original client's IP address.

See http://en.wikipedia.org/wiki/X-Forwarded-For.

Can you please correct this in FormBuilder.ascx.vb:
                If bAddIP = True Then
                    sb.Append("User IP Address: " & Request.UserHostAddress & "<br>")
                End If
should become something like (I don't speak the language):
                If bAddIP = True Then
                    ' Use the x-forwarded-for header, up to the first comma when a comma is present.
                    Dim clientIpAddress As String = Request.Headers("x-forwarded-for")
                    If String.IsNullOrEmpty(clientIpAddress) Then
                        clientIpAddress = Request.UserHostAddress
                    Else
                        clientIpAddress = clientIpAddress.Split(","c)(0).Trim()
                    End If
                    sb.Append("User IP Address: " & clientIpAddress & "<br>")
                End If

comments

monty24 wrote May 23, 2014 at 4:45 PM

The project might be dead. Therefore a suggested patch after testing in real life. The best solution seems to be to include all IP addresses, since some can be spoofed and some be inserted.

Patch would be:
                    If bAddIP = True Then
                        Dim realIp As String
                        ' Build chain of actual client IP address, followed by all proxies and the last seen IP address.
                        ' The list of client address and proxies is easily forged. Including as many IP addresses
                        ' as possible helps determine the origin.
                        realIp = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
                        If String.IsNullOrEmpty(realIp) Or realIp = "Unknown" Or realIp = "unknown" Then
                            realIp = ""
                        Else
                            realIp = realIp & ", "
                        End If
                        realIp = realIp & Request.UserHostAddress
                        sb.Append("User IP Address List: " & realIp & "<br>")
                    End If
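
An added example, not part of this thread or of FormBuilder: one way to report the address when a single trusted reverse proxy appends the peer address it saw to X-Forwarded-For. It validates every entry and HTML-encodes the result before the `<br>` is attached. `DescribeClientIp`, the `trustedProxies` list and all sample addresses are assumptions constructed for illustration.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Net

Module ForwardedForExample
    ' Hypothetical helper. trustedProxies holds the reverse proxies' own addresses (assumption).
    Function DescribeClientIp(remoteAddr As String, forwardedFor As String,
                              trustedProxies As ICollection(Of String)) As String
        Dim clientIp As String = remoteAddr
        Dim claimed As New List(Of String)
        ' Read the header only when the TCP peer is one of our proxies;
        ' from any other peer the whole header is client-supplied.
        If trustedProxies.Contains(remoteAddr) AndAlso Not String.IsNullOrEmpty(forwardedFor) Then
            Dim parts As String() = forwardedFor.Split(","c)
            Dim parsed As IPAddress = Nothing
            ' The last entry is the one our proxy appended: the address it saw.
            If IPAddress.TryParse(parts(parts.Length - 1).Trim(), parsed) Then
                clientIp = parsed.ToString()
            End If
            ' Earlier entries were sent by the client: keep valid ones, capped, as claims only.
            For i As Integer = 0 To parts.Length - 2
                If claimed.Count < 5 AndAlso IPAddress.TryParse(parts(i).Trim(), parsed) Then
                    claimed.Add(parsed.ToString())
                End If
            Next
        End If
        Dim result As String = "User IP Address: " & clientIp
        If claimed.Count > 0 Then
            result &= " (unverified X-Forwarded-For: " & String.Join(", ", claimed) & ")"
        End If
        ' Encode before the value reaches HTML output, then attach the line break.
        Return WebUtility.HtmlEncode(result) & "<br>"
    End Function

    Sub Main()
        Dim proxies As New List(Of String) From {"10.0.0.5"} ' constructed sample values
        ' Via the proxy: the client sent two entries of its own, the proxy appended 198.51.100.7.
        Console.WriteLine(DescribeClientIp("10.0.0.5", "<script>, 203.0.113.9, 198.51.100.7", proxies))
        ' Direct connection from an untrusted peer: the header is ignored.
        Console.WriteLine(DescribeClientIp("192.0.2.44", "127.0.0.1", proxies))
    End Sub
End Module
```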