diff --git a/sites/default/default.settings.php b/sites/default/default.settings.php index a8fe52b..af61ad2 100644 --- a/sites/default/default.settings.php +++ b/sites/default/default.settings.php @@ -322,41 +322,58 @@ ini_set('session.cookie_lifetime', 2000000); # $conf['maintenance_theme'] = 'bartik'; /** - * Enable this setting to determine the correct IP address of the remote - * client by examining information stored in the X-Forwarded-For headers. - * X-Forwarded-For headers are a standard mechanism for identifying client - * systems connecting through a reverse proxy server, such as Squid or - * Pound. Reverse proxy servers are often used to enhance the performance + * Reverse Proxy Configuration: + * + * Reverse proxy servers are often used to enhance the performance * of heavily visited sites and may also provide other site caching, - * security or encryption benefits. If this Drupal installation operates - * behind a reverse proxy, this setting should be enabled so that correct - * IP address information is captured in Drupal's session management, - * logging, statistics and access management systems; if you are unsure - * about this setting, do not have a reverse proxy, or Drupal operates in - * a shared hosting environment, this setting should remain commented out. + * security, or encryption benefits. In an environment where Drupal + * is behind a reverse proxy, the real IP address of the client should + * be determined such that the correct client IP address is available + * to Drupal's logging, statistics, and access management systems. In + * the most simple scenario, the proxy server will add an + * X-Forwarded-For header to the request that contains the client IP + * address. However, HTTP headers are vulnerable to spoofing, where a + * malicious client could bypass restrictions by settings the + * X-Forwarded-For header directly. Therefore, Drupal's proxy + * configuration is more controlled than simply specifying which + * header contains the trusted client IP address. + * + * Enable this setting to use the default logic for determining the + * true client IP address. If you are unsure about this setting, do not + * have a reverse proxy, or Drupal operates in a shared hosting + * environment, this setting should remain commented out. + * + * If this setting is TRUE, you must know every possible reverse proxy IP + * address. The following logic is used to determine the true remote IP + * address: + * + * 1) The header in $conf['reverse_proxy_header'] (or X-Forwarded-For, + * if this is not set). + * 2) The IP in $_SERVER['REMOTE_ADDR'] is pushed onto the end + * 3) All IP's in $conf['reverse_proxy_adresses'] are removed + * 4) The rightmost IP address remaining + * + * The above logic only works if you know every possible proxy server + * IP address. If this logic does not work in your environment, for + * example, if you use a CDN, you may set the $_SERVER['REMOTE_ADDR'] + * variable directly in settings.php. Beware, however, that it is + * likely that this would allow IP address spoofing unless more + * advanced precautions are taken. */ # $conf['reverse_proxy'] = TRUE; /** - * Set this value if your proxy server sends the client IP in a header other - * than X-Forwarded-For. + * Specify every reverse proxy IP address in your environment * - * The "X-Forwarded-For" header is a comma+space separated list of IP addresses, - * only the last one (the left-most) will be used. + * This setting is required if $conf['reverse_proxy'] is TRUE. */ -# $conf['reverse_proxy_header'] = 'HTTP_X_CLUSTER_CLIENT_IP'; +# $conf['reverse_proxy_addresses'] = array('a.b.c.d', ...); /** - * reverse_proxy accepts an array of IP addresses. - * - * Each element of this array is the IP address of any of your reverse - * proxies. Filling this array Drupal will trust the information stored - * in the X-Forwarded-For headers only if Remote IP address is one of - * these, that is the request reaches the web server from one of your - * reverse proxies. Otherwise, the client could directly connect to - * your web server spoofing the X-Forwarded-For headers. + * Set this value if your proxy server sends the client IP in a header + * other than X-Forwarded-For. */ -# $conf['reverse_proxy_addresses'] = array('a.b.c.d', ...); +# $conf['reverse_proxy_header'] = 'HTTP_X_CLUSTER_CLIENT_IP'; /** * Page caching: