Nodebalancer, HTTPS, and remote IP in PHP
We're looking at putting a couple of LAMP application servers behind a nodebalancer using HTTPS (via the TCP option).
The application will need to determine client IPs in PHP, along the lines of
function ipCheck() {
    // Every HTTP_* value below comes from a request header, so it is set by the
    // client (or by whatever proxy last touched the request), not by the server.
    if (getenv('HTTP_CLIENT_IP')) {
        $ip = getenv('HTTP_CLIENT_IP');
    }
    elseif (getenv('HTTP_X_FORWARDED_FOR')) {
        // May be a comma-separated list when several proxies appended to it.
        $ip = getenv('HTTP_X_FORWARDED_FOR');
    }
    elseif (getenv('HTTP_X_FORWARDED')) {
        $ip = getenv('HTTP_X_FORWARDED');
    }
    elseif (getenv('HTTP_FORWARDED_FOR')) {
        $ip = getenv('HTTP_FORWARDED_FOR');
    }
    elseif (getenv('HTTP_FORWARDED')) {
        $ip = getenv('HTTP_FORWARDED');
    }
    else {
        // Only the TCP peer address; behind a balancer in TCP mode this is the balancer.
        $ip = $_SERVER['REMOTE_ADDR'];
    }
    return $ip;
}
Reading this post though: http://forum.linode.com/viewtopic.php?p=42704
Thanks
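Added example, not code from the original post or from Linode: the same lookup done so that a forwarding header is believed only when the TCP peer is a proxy we operate. The addresses in TRUSTED_PROXIES, the function name client_ip and the sample requests are assumptions for illustration (RFC 5737 documentation ranges). Requires PHP 7.1 or later.

```php
<?php
// Added example (not from the original post or from Linode). Resolve the client
// address while believing X-Forwarded-For only when the TCP peer is a proxy we
// operate. Any other peer can put whatever it likes in that header.

// ASSUMPTION: addresses of proxies we run that append to X-Forwarded-For, such
// as a NodeBalancer in HTTP/HTTPS mode or a local reverse proxy. Placeholder
// values from the RFC 5737 documentation ranges.
const TRUSTED_PROXIES = ['192.0.2.10', '192.0.2.11'];

/**
 * Client IP for one request, or null if it cannot be determined safely.
 *
 * @param array    $server  $_SERVER-like array (REMOTE_ADDR, HTTP_X_FORWARDED_FOR)
 * @param string[] $trusted proxies whose X-Forwarded-For entries we accept
 */
function client_ip(array $server, array $trusted = TRUSTED_PROXIES): ?string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return null;                 // no usable TCP peer: refuse rather than guess
    }

    // Direct connection, or a peer we do not operate: its own address is the only
    // fact we have. Every forwarding header it sent is ignored.
    if (!in_array($peer, $trusted, true)) {
        return $peer;
    }

    // A trusted proxy that added nothing (the TCP option on a NodeBalancer is a
    // plain pass-through): all we know is the balancer's address.
    $xff = trim($server['HTTP_X_FORWARDED_FOR'] ?? '');
    if ($xff === '') {
        return $peer;
    }

    // Walk X-Forwarded-For from the right. Each of our proxies appended the peer
    // it saw, so the right-most entry that is not one of our proxies is the
    // address the outermost trusted proxy accepted the connection from.
    $hops = array_map('trim', explode(',', $xff));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (filter_var($hops[$i], FILTER_VALIDATE_IP) === false) {
            return null;             // our own proxy chain produced a malformed entry
        }
        if (!in_array($hops[$i], $trusted, true)) {
            return $hops[$i];
        }
    }
    return $peer;                    // only our proxies appear in the header
}

// Constructed requests for the three cases the thread cares about.
$direct  = ['REMOTE_ADDR' => '198.51.100.7',
            'HTTP_X_FORWARDED_FOR' => '10.0.0.1'];              // forged header from a direct client
$proxied = ['REMOTE_ADDR' => '192.0.2.10',
            'HTTP_X_FORWARDED_FOR' => '10.0.0.1, 203.0.113.5']; // client forged the first entry, our proxy appended the second
$tcpMode = ['REMOTE_ADDR' => '192.0.2.10'];                     // balancer in TCP mode, no header at all

var_dump(client_ip($direct));
var_dump(client_ip($proxied));
var_dump(client_ip($tcpMode));
```

The direct case resolves to the peer itself (the forged header is never read), the proxied case to the right-most entry our proxy appended, and the TCP-mode case to the balancer's address. That last result is the whole problem in this thread: with the TCP option nothing upstream adds a header, so no amount of header parsing on the application server recovers the client address.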
8 Replies
Just because you're paying for the man in the middle doesn't mean he's not a man in the middle
If I had to come up with one possible method to do this right now, it would involve triggering a single, brief, non-blocking HTTPS request directly to a web server under your control (i.e. not load balanced) with an identifier (i.e. a session ID) tying it to the main session. You then have two IP addresses for that session and can eliminate the NodeBalancer one.
Also, based on that code snippet, I'm 99% sure you've never used VHDL.
And no I've never dealt with VHDL, although the code snippet is copypasta to illustrate the point - I didn't write it.
Cheers.
@hoopycat:
If I had to come up with one possible method to do this right now, it would involve triggering a single, brief, non-blocking HTTPS request directly to a web server under your control (i.e. not load balanced) with an identifier (i.e. a session ID) tying it to the main session. You then have two IP addresses for that session and can eliminate the NodeBalancer one.
+1
That's what I would do too, except you don't need to bypass the nodebalancer. If your session has no remote IP set, then redirect the user to a plain http URL where the handler will store the IP and redirect back to https.
You can either have a dedicated URL handler or simply put that at the top of the request chain.
@Azathoth:
+1
That's what I would do too, except you don't need to bypass the nodebalancer. If your session has no remote IP set, then redirect the user to a plain http URL where the handler will store the IP and redirect back to https.
You can either have a dedicated URL handler or simply put that at the top of the request chain.
Except for the fact that that would mean leaving HTTPS. That would be more or less safe for a little Ajax call, but doing a redirect would easily enable SSL stripping attacks.
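Added sketch of the out-of-band beacon hoopycat proposes, written so that the second request stays on HTTPS as mnordhoff's objection requires; this is not code from either poster. Assumptions: both the balanced app and the unbalanced beacon host share BEACON_SECRET and a common store (a PHP array stands in for Redis or the database), the beacon host name beacon.example.com is hypothetical, and the function names are mine. Requires PHP 7.1 or later.

```php
<?php
// Added example, not from the thread. The balanced app emits a tiny HTTPS
// request to a host that is NOT behind the NodeBalancer; that host sees the
// real peer address and records it against an identifier bound to the session.

const BEACON_SECRET = 'replace-with-32-random-bytes';   // placeholder, shared by both hosts
const BEACON_HOST   = 'beacon.example.com';              // hypothetical host, reached directly
const BEACON_TTL    = 300;                               // seconds a recorded address stays valid

// Identifier carried by the beacon: an HMAC of the session ID. The beacon host
// and its access logs never see the real session ID, and nobody without the
// secret can mint an identifier for someone else's session.
function beacon_id(string $session_id): string
{
    return hash_hmac('sha256', $session_id, BEACON_SECRET);
}

// HTML the balanced app emits once per session. An <img> is non-blocking, needs
// no JavaScript, and stays on HTTPS, so there is no plain-HTTP hop to strip.
function beacon_html(string $session_id): string
{
    $url = 'https://' . BEACON_HOST . '/beacon?id=' . beacon_id($session_id);
    return '<img src="' . htmlspecialchars($url, ENT_QUOTES) . '" width="1" height="1" alt="">';
}

// Handler on the beacon host. On that host the whole endpoint is
//   beacon_record($store, $_GET['id'] ?? '', $_SERVER['REMOTE_ADDR'], time());
//   header('HTTP/1.1 204 No Content');
// Write-once per identifier while fresh, so a later hit cannot overwrite the
// address the first one recorded.
function beacon_record(array &$store, string $id, string $remote_addr, int $now): bool
{
    if (!preg_match('/^[0-9a-f]{64}$/', $id)) {
        return false;                                   // not an HMAC we could have issued
    }
    if (filter_var($remote_addr, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    if (isset($store[$id]) && $now - $store[$id]['at'] < BEACON_TTL) {
        return false;                                   // already recorded and still fresh
    }
    $store[$id] = ['ip' => $remote_addr, 'at' => $now];
    return true;
}

// Lookup in the balanced app: the client's address, or null if the beacon
// never fired (or fired too long ago). Null means "unknown", never "trusted".
function session_client_ip(array $store, string $session_id, int $now): ?string
{
    $id = beacon_id($session_id);
    if (!isset($store[$id]) || $now - $store[$id]['at'] >= BEACON_TTL) {
        return null;
    }
    return $store[$id]['ip'];
}

// Constructed walk-through with a made-up session ID and clock.
$store = [];
$sid   = 'sess-1234';
$t0    = 1700000000;

echo beacon_html($sid), "\n";
var_dump(beacon_record($store, beacon_id($sid), '203.0.113.5', $t0));        // first hit
var_dump(beacon_record($store, beacon_id($sid), '198.51.100.9', $t0 + 10));  // second hit, same id
var_dump(beacon_record($store, 'not-a-valid-id', '203.0.113.5', $t0));       // garbage id
var_dump(session_client_ip($store, $sid, $t0 + 60));                         // within TTL
var_dump(session_client_ip($store, $sid, $t0 + BEACON_TTL));                 // expired
```

The first hit is accepted, the second is refused because the identifier is already recorded, the garbage identifier is refused, the lookup inside the TTL returns the address the beacon host saw, and the lookup at expiry returns null. Two caveats a practitioner should keep in mind: a client that does not want to be identified can simply not load the image, so a null must be handled as "unknown" rather than as a pass; and the HTTP/HTTPS NodeBalancer modes add X-Forwarded-For themselves, so this machinery is only needed for the TCP pass-through the original poster chose.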
@mnordhoff:
Except for the fact that that would mean leaving HTTPS. That would be more or less safe for a little Ajax call, but doing a redirect would easily enable SSL stripping attacks.
Technically, yes, but that could be done regardless. SSL is broken anyways.
@Azathoth:
Technically, yes, but that could be done regardless. SSL is broken anyways.
So is the Internet, but we still use it and work around its foibles.
if/elseif/else: how could I reimplement that as a mux?
(That, and the conditions aren't mutually exclusive.)