diff --git a/core/includes/bootstrap.inc b/core/includes/bootstrap.inc
index dfb61e1..fa84d2b 100644
--- a/core/includes/bootstrap.inc
+++ b/core/includes/bootstrap.inc
@@ -3063,13 +3063,13 @@ function ip_address() {
 if (!isset($ip_address)) {
 $ip_address = $_SERVER['REMOTE_ADDR'];
-
- if (variable_get('reverse_proxy', 0)) {
- $reverse_proxy_header = variable_get('reverse_proxy_header', 'HTTP_X_FORWARDED_FOR');
+ $proxy_config = config('system.reverse-proxy');
+ if ($proxy_config->get('enabled')) {
+ $reverse_proxy_header = $proxy_config->get('header');
 if (!empty($_SERVER[$reverse_proxy_header])) {
 // If an array of known reverse proxy IPs is provided, then trust
 // the XFF header if request really comes from one of them.
- $reverse_proxy_addresses = variable_get('reverse_proxy_addresses', array());
+ $reverse_proxy_addresses = $proxy_config->get('addresses');
 // Turn XFF header into an array.
 $forwarded = explode(',', $_SERVER[$reverse_proxy_header]);
diff --git a/core/modules/system/config/system.reverse-proxy.yml b/core/modules/system/config/system.reverse-proxy.yml
new file mode 100644
index 0000000..7c98b91
--- /dev/null
+++ b/core/modules/system/config/system.reverse-proxy.yml
@@ -0,0 +1,3 @@
+enabled: 0
+header: 'HTTP_X_FORWARDED_FOR'
+addresses: []
diff --git a/core/modules/system/lib/Drupal/system/Tests/Bootstrap/IpAddressTest.php b/core/modules/system/lib/Drupal/system/Tests/Bootstrap/IpAddressTest.php
index a6f87ef..e6d6400 100644
--- a/core/modules/system/lib/Drupal/system/Tests/Bootstrap/IpAddressTest.php
+++ b/core/modules/system/lib/Drupal/system/Tests/Bootstrap/IpAddressTest.php
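Review bot: In ip_address() (core/includes/bootstrap.inc), the new `$proxy_config->get('header')` and `$proxy_config->get('addresses')` reads drop the fallbacks that `variable_get()` supplied (`'HTTP_X_FORWARDED_FOR'` and `array()`). The address list decides whether a client-supplied forwarding header is trusted, so a missing or non-array value should still fail closed to REMOTE_ADDR instead of reaching the trust check, which lies outside this hunk, as NULL; this could happen when settings.php overrides only `enabled`, or if the config object is not readable this early in bootstrap. Consider `$reverse_proxy_addresses = (array) $proxy_config->get('addresses');` and `$reverse_proxy_header = $proxy_config->get('header') ?: 'HTTP_X_FORWARDED_FOR';`. The function body starts before and continues past the hunk.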
@@ -57,15 +57,18 @@ function testIPAddressHost() {
 'Got remote IP address.'
 );
+ $reverse_proxy_config = config('system.reverse-proxy');
 // Proxy forwarding on but no proxy addresses defined.
- variable_set('reverse_proxy', 1);
+ $reverse_proxy_config->set('enabled', TRUE)->save();
 $this->assertTrue(
 ip_address() == $this->remote_ip,
 'Proxy forwarding without trusted proxies got remote IP address.'
 );
 // Proxy forwarding on and proxy address not trusted.
- variable_set('reverse_proxy_addresses', array($this->proxy_ip, $this->proxy2_ip));
+ $reverse_proxy_config
+ ->set('addresses', array($this->proxy_ip, $this->proxy2_ip))
+ ->save();
 drupal_static_reset('ip_address');
 $_SERVER['REMOTE_ADDR'] = $this->untrusted_ip;
 $this->assertTrue(
@@ -92,7 +95,9 @@ function testIPAddressHost() {
 );
 // Custom client-IP header.
- variable_set('reverse_proxy_header', 'HTTP_X_CLUSTER_CLIENT_IP');
+ $reverse_proxy_config
+ ->set('header', 'HTTP_X_CLUSTER_CLIENT_IP')
+ ->save();
 $_SERVER['HTTP_X_CLUSTER_CLIENT_IP'] = $this->cluster_ip;
 drupal_static_reset('ip_address');
 $this->assertTrue(
diff --git a/core/modules/system/system.install b/core/modules/system/system.install
index d0deae1..fa9d285 100644
--- a/core/modules/system/system.install
+++ b/core/modules/system/system.install
@@ -2061,6 +2061,7 @@ function system_update_8022() {
 $schema->dropTable('router');
 $schema->createTable('router', $tables['router']);
+
 }
 /**
@@ -2188,6 +2189,19 @@ function system_update_8030() {
 }
 /**
+ * Moves reverse proxy settings from variable to config.
+ *
+ * @ingroup config_upgrade
+ */
+function system_update_8031() {
+ update_variables_to_config('system.reverse-proxy', array(
+ 'reverse_proxy' => 'enabled',
+ 'reverse_proxy_addresses' => 'addresses',
+ 'reverse_proxy_header' => 'header',
+ ));
+}
+
+/**
 * @} End of "defgroup updates-7.x-to-8.x".
 * The next series of updates should start at 9000.
 */
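Review bot: In testIPAddressHost() (IpAddressTest.php, first hunk), the assertion that follows `$reverse_proxy_config->set('enabled', TRUE)->save();` calls ip_address() with no `drupal_static_reset('ip_address');` in between, unlike the later cases in the same hunk. ip_address() only recomputes when its static is unset (`if (!isset($ip_address))` in bootstrap.inc), so this assertion probably returns the value cached by the preceding check. It would then never exercise the enabled-but-no-trusted-proxies path, which is the fail-safe case most worth pinning. Adding `drupal_static_reset('ip_address');` right after that save() would make it test the new config read. The test method starts and ends outside both hunks.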
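Review bot: The docblock of system_update_8031() (system.install, second hunk) describes only the variable-to-config move and is silent on sites that set these values in settings.php, which is where default.settings.php tells administrators to put them. Those `$conf['reverse_proxy*']` overrides are presumably not in the storage that update_variables_to_config() reads, so such a site would fall back to `enabled: 0` after the update and see every request as coming from the proxy's address. That affects anything keyed on client IP, such as blocking, rate limiting and logs. I would extend the docblock with a line such as `* Overrides in settings.php are not migrated and must be renamed to $conf['system.reverse-proxy'][...] by hand.`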
diff --git a/sites/default/default.settings.php b/sites/default/default.settings.php
index 9b1c7ce..4a13597 100755
--- a/sites/default/default.settings.php
+++ b/sites/default/default.settings.php
@@ -398,35 +398,36 @@
 * malicious client could bypass restrictions by setting the
 * X-Forwarded-For header directly. Therefore, Drupal's proxy
 * configuration requires the IP addresses of all remote proxies to be
- * specified in $conf['reverse_proxy_addresses'] to work correctly.
+ * specified in $conf['system.reverse-proxy']['addresses'] to work correctly.
 *
 * Enable this setting to get Drupal to determine the client IP from
- * the X-Forwarded-For header (or $conf['reverse_proxy_header'] if set).
- * If you are unsure about this setting, do not have a reverse proxy,
+ * the X-Forwarded-For header (or $conf['system.reverse-proxy']['header'] if
+ * set). If you are unsure about this setting, do not have a reverse proxy,
 * or Drupal operates in a shared hosting environment, this setting
 * should remain commented out.
 *
 * In order for this setting to be used you must specify every possible
- * reverse proxy IP address in $conf['reverse_proxy_addresses'].
+ * reverse proxy IP address in $conf['system.reverse-proxy']['addresses'].
 * If a complete list of reverse proxies is not available in your
 * environment (for example, if you use a CDN) you may set the
 * $_SERVER['REMOTE_ADDR'] variable directly in settings.php.
 * Be aware, however, that it is likely that this would allow IP
 * address spoofing unless more advanced precautions are taken.
 */
-# $conf['reverse_proxy'] = TRUE;
+# $conf['system.reverse-proxy']['enabled'] = TRUE;
 /**
 * Specify every reverse proxy IP address in your environment.
- * This setting is required if $conf['reverse_proxy'] is TRUE.
+ * This setting is required if $conf['system.reverse-proxy']['enabled'] is
+ * TRUE.
 */
-# $conf['reverse_proxy_addresses'] = array('a.b.c.d', ...);
+# $conf['system.reverse-proxy']['addresses'] = array('a.b.c.d', ...);
 /**
 * Set this value if your proxy server sends the client IP in a header
 * other than X-Forwarded-For.
 */
-# $conf['reverse_proxy_header'] = 'HTTP_X_CLUSTER_CLIENT_IP';
+# $conf['system.reverse-proxy']['header'] = 'HTTP_X_CLUSTER_CLIENT_IP';
 /**
 * Page caching: