diff --git a/config.dist.php b/config.dist.php index dd5993df69a07df655ae00ccc774177a649354d7..f7fea75f7fd5934ffe6edac2c0d10029faac6fe2 100755 --- a/config.dist.php +++ b/config.dist.php @@ -30,7 +30,6 @@ $db['webhost'] = ''; Please update these settings before setting 'ssl' to true. All settings can be commented out or set to NULL if not needed - php 5.3.7 required ******************************/ $db['ssl'] = false; // true/false, enable or disable SSL as a whole // $db['ssl_key'] = '/path/to/cert.key'; // path to an SSL key file. Only makes sense combined with ssl_cert @@ -43,6 +42,21 @@ $db['ssl'] = false; // true/false, enable or $db['tmptable_engine_type'] = "MEMORY"; // Temporary table type to construct complex queries (MEMORY, InnoDB) $db['use_cte'] = 1; // Use recursive CTE queries [>=MariaDB 10.2.2, >=MySQL 8.0] (0=disabled, 1=autodetect, 2=force enable) +/** + * Reverse proxy settings + * + * If operating behind a reverse proxy set $trust_x_forwarded_headers=true; to accept the following headers + * + * WARNING! These headers shoud be filtered and/or overwritten by the reverse-proxy to avoid potential abuse by end-clients. + * + * X_FORDWARDED_FOR + * X_FORDWARDED_HOST + * X_FORDWARDED_PORT + * X_FORDWARDED_PROTO + * X_FORDWARDED_SSL + * X_FORWARDED_URI + */ +$trust_x_forwarded_headers = false; /** * Mail sending and other parameters for pingCheck and DiscoveryCheck scripts diff --git a/config.docker.php b/config.docker.php index f76b837764ac941d69295c922008c2a4ec611851..245b0027adf15777fa635b467dbe3f030567393c 100644 --- a/config.docker.php +++ b/config.docker.php 
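Review bot: The header names in the new comment block (`X_FORDWARDED_FOR` … `X_FORDWARDED_SSL`) are misspelled and do not match what the code actually reads (`HTTP_X_FORWARDED_*` in class.Common.php), and "shoud" should be "should"; the list should read `X-Forwarded-For`, `X-Forwarded-Host`, `X-Forwarded-Port`, `X-Forwarded-Proto`, `X-Forwarded-Ssl`, `X-Forwarded-Uri`. The warning also leaves the real precondition implicit: the flag is all-or-nothing, with no list of trusted proxy addresses, so once it is `true` every header is trusted regardless of who sent it. I would add a line above `$trust_x_forwarded_headers = false;` such as `// Enable ONLY when this host is reachable exclusively through the proxy; a client that can connect directly can otherwise spoof its IP, host, port and scheme.` The "php 5.3.7 required" removal in the first hunk is fine as a stale-comment cleanup.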
@@ -48,6 +48,22 @@ $db['name'] = file_env('IPAM_DATABASE_NAME', $db['name']); $db['port'] = file_env('IPAM_DATABASE_PORT', $db['port']); $db['webhost'] = file_env('IPAM_DATABASE_WEBHOST', $db['webhost']); +/** + * Reverse proxy settings + * + * If operating behind a reverse proxy set IPAM_TRUST_X_FORWARDED=true to accept the following headers + * + * WARNING! These headers shoud be filtered and/or overwritten by the reverse-proxy to avoid potential abuse by end-clients. + * + * X_FORDWARDED_FOR + * X_FORDWARDED_HOST + * X_FORDWARDED_PORT + * X_FORDWARDED_PROTO + * X_FORDWARDED_SSL + * X_FORWARDED_URI + */ +$trust_x_forwarded_headers = filter_var(file_env('IPAM_TRUST_X_FORWARDED', $trust_x_forwarded_headers), FILTER_VALIDATE_BOOLEAN); + /** * proxy connection details ******************************/ @@ -82,3 +98,9 @@ $cookie_samesite = file_env('COOKIE_SAMESITE', $cookie_samesite); * @var string */ $session_storage = "database"; + + +/** + * General tweaks + ******************************/ +$config['footer_message'] = file_env('IPAM_FOOTER_MESSAGE', $config['footer_message']); diff --git a/functions/classes/class.Common.php b/functions/classes/class.Common.php index 643b7e68106b37c9668d333c791407da998f58a9..83684007febc524ebab6469988b7d0fed85eb171 100644 --- a/functions/classes/class.Common.php +++ b/functions/classes/class.Common.php 
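Review bot: `filter_var(file_env('IPAM_TRUST_X_FORWARDED', …), FILTER_VALIDATE_BOOLEAN)` silently maps any unrecognised value (e.g. `enabled`, `y`) to `false`, so a misconfigured container fails closed without any signal, which will surface later as "wrong client IP / wrong scheme in generated URLs" rather than as a config error. Consider `$v = filter_var(file_env('IPAM_TRUST_X_FORWARDED', $trust_x_forwarded_headers), FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);` followed by `$trust_x_forwarded_headers = $v ?? false;`, and emit a warning when `$v === null`. The comment should also state the accepted values (`true/1/on/yes`) and carries the same `X_FORDWARDED_*` / "shoud" typos as config.dist.php. Whether `$config['footer_message']` in the last hunk is HTML-escaped on output is not visible here; if it is not, note in the comment that the env value is rendered verbatim.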
@@ -997,19 +997,20 @@ class Common_functions { * @return int */ private function httpPort() { - // If only HTTP_X_FORWARDED_PROTO='https' is set assume port=443. Override if required by setting HTTP_X_FORWARDED_PORT - if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && !isset($_SERVER['HTTP_X_FORWARDED_PORT'])) { - return ($_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') ? 443 : 80; - } - elseif (isset($_SERVER['HTTP_X_FORWARDED_PORT'])) { - return $_SERVER['HTTP_X_FORWARDED_PORT']; + if (Config::ValueOf('trust_x_forwarded_headers') === true) { + // If only HTTP_X_FORWARDED_PROTO='https' is set assume port=443. Override if required by setting HTTP_X_FORWARDED_PORT + if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && !isset($_SERVER['HTTP_X_FORWARDED_PORT'])) { + return ($_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') ? 443 : 80; + } + if (isset($_SERVER['HTTP_X_FORWARDED_PORT'])) { + return $_SERVER['HTTP_X_FORWARDED_PORT']; + } } - elseif (isset($_SERVER['SERVER_PORT'])) { + if (isset($_SERVER['SERVER_PORT'])) { return $_SERVER['SERVER_PORT']; } - else { - return 80; - } + + return 80; } /** @@ -1019,21 +1020,22 @@ class Common_functions { * @return bool */ public function isHttps () { - if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) { - return ($_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https'); - } - elseif (isset($_SERVER['HTTP_X_FORWARDED_SSL']) && $_SERVER['HTTP_X_FORWARDED_SSL'] == 'on') { - return true; + if (Config::ValueOf('trust_x_forwarded_headers') === true) { + if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) { + return ($_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https'); + } + if (isset($_SERVER['HTTP_X_FORWARDED_SSL']) && $_SERVER['HTTP_X_FORWARDED_SSL'] == 'on') { + return true; + } } - elseif(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') { + if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') { return true; } - elseif($this->httpPort() == 443) { + if ($this->httpPort() == 443) { return true; } - else { - return false; - } + + return false; } /** 
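Review bot: In httpPort() the new `return $_SERVER['HTTP_X_FORWARDED_PORT'];` still hands back the raw header string although the method is documented `@return int`, and unlike the X-Forwarded-For path there is no validation, so a proxy that forwards rather than overwrites this header lets a client place arbitrary text into the port that createURL() later embeds in generated URLs. Validating it as a TCP port and falling through to `SERVER_PORT` otherwise keeps the trust gate meaningful even with a permissive proxy. The isHttps() hunk is consistent with this, but note that `$_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https'` will not match a multi-hop value such as `https,http`; if chained proxies are expected, compare the first element only.

```php
if (isset($_SERVER['HTTP_X_FORWARDED_PORT'])) {
	// Reject anything that is not a valid TCP port; fall through to SERVER_PORT otherwise.
	$port = filter_var($_SERVER['HTTP_X_FORWARDED_PORT'], FILTER_VALIDATE_INT,
		['options' => ['min_range' => 1, 'max_range' => 65535]]);
	if ($port !== false) {
		return $port;
	}
}
// … unchanged: SERVER_PORT fallback and `return 80;` …
```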
@@ -1045,8 +1047,11 @@ class Common_functions { if (php_sapi_name() === "cli") return null; - if (isset($_SERVER['HTTP_X_FORWARDED_FOR']) && filter_var($_SERVER['HTTP_X_FORWARDED_FOR'], FILTER_VALIDATE_IP)) - return $_SERVER['HTTP_X_FORWARDED_FOR']; + if (Config::ValueOf('trust_x_forwarded_headers') === true) { + if (isset($_SERVER['HTTP_X_FORWARDED_FOR']) && filter_var($_SERVER['HTTP_X_FORWARDED_FOR'], FILTER_VALIDATE_IP)) { + return $_SERVER['HTTP_X_FORWARDED_FOR']; + } + } if (isset($_SERVER['REMOTE_ADDR']) && filter_var($_SERVER['REMOTE_ADDR'], FILTER_VALIDATE_IP)) return $_SERVER['REMOTE_ADDR']; @@ -1063,16 +1068,13 @@ class Common_functions { public function createURL () { $proto = $this->isHttps() ? 'https' : 'http'; - if (isset($_SERVER['HTTP_X_FORWARDED_HOST'])) { + if (Config::ValueOf('trust_x_forwarded_headers') === true && isset($_SERVER['HTTP_X_FORWARDED_HOST'])) { $url = $_SERVER['HTTP_X_FORWARDED_HOST']; - } - elseif (isset($_SERVER['HTTP_HOST'])) { + } elseif (isset($_SERVER['HTTP_HOST'])) { $url = $_SERVER['HTTP_HOST']; - } - elseif (isset($_SERVER['SERVER_NAME'])) { + } elseif (isset($_SERVER['SERVER_NAME'])) { $url = $_SERVER['SERVER_NAME']; - } - else { + } else { $url = "localhost"; } $host = parse_url("$proto://$url", PHP_URL_HOST) ?: "localhost"; diff --git a/functions/classes/class.User.php b/functions/classes/class.User.php index 263af2bde30c40232c8f65b8830b059da7082201..8343b94d6221f7a403f8d60a0a5ffa1f452e2a73 100644 --- a/functions/classes/class.User.php +++ b/functions/classes/class.User.php @@ -511,8 +511,7 @@ class User extends Common_functions { return; } } - - if (isset($_SERVER['HTTP_X_FORWARDED_URI'])) { + if (Config::ValueOf('trust_x_forwarded_headers') === true && isset($_SERVER['HTTP_X_FORWARDED_URI'])) { $uri = $_SERVER['HTTP_X_FORWARDED_URI']; } elseif (isset($_SERVER['REQUEST_URI'])) { diff --git a/misc/CHANGELOG b/misc/CHANGELOG index 3b1eb54d779a661b5f38bc6f8c73b9ad48931537..27b575cfe3ee400601bbba372891598fb02cc0cf 100755 
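Review bot: `filter_var($_SERVER['HTTP_X_FORWARDED_FOR'], FILTER_VALIDATE_IP)` validates the whole header as a single address, but X-Forwarded-For is conventionally a comma-separated chain (`client, proxy1, proxy2`) to which each hop appends; with more than one hop the check fails and the code silently falls back to `REMOTE_ADDR`, i.e. the proxy's own address, defeating the purpose of the setting. If the trusted proxy appends rather than overwrites, the right-most entry is the one it wrote and the left-hand entries remain client-controlled, so only the last element should be trusted (hedged: the config comment asks operators to overwrite the header, in which case the list has one element and this is a no-op). The enclosing method's signature is outside the hunk.

```php
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
	// Proxies append to X-Forwarded-For; the right-most entry is the one written by our own proxy.
	$hops = array_map('trim', explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']));
	$candidate = end($hops);
	if (filter_var($candidate, FILTER_VALIDATE_IP)) {
		return $candidate;
	}
}
// … unchanged: REMOTE_ADDR fallback …
```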
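Review bot: Gating `HTTP_X_FORWARDED_HOST` in createURL() closes one spoofing path but the next branch, `$url = $_SERVER['HTTP_HOST'];`, is still the client-supplied Host header, so the URL this method builds is only as trustworthy as the web server's virtual-host matching. If createURL() feeds links into e-mails or redirects (not visible in this hunk), that is the classic host-header poisoning setup. I would record the dependency at that line: `// HTTP_HOST is client-supplied; the web server must reject unknown Host values (canonical ServerName / default vhost) for this URL to be safe to mail out.`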
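Review bot: The condition `Config::ValueOf('trust_x_forwarded_headers') === true && isset($_SERVER['HTTP_X_FORWARDED_URI'])` in class.User.php is the fifth copy of the same gate across two classes; a small helper on Common_functions, e.g. `protected function trustForwardedHeaders() { return Config::ValueOf('trust_x_forwarded_headers') === true; }`, would keep the trust decision in one place when it inevitably grows a proxy allow-list. What `$uri` is later used for is outside the hunk; if it ends up as a post-login redirect target, a trusted proxy can still forward a client-chosen value, so a check that it is a path starting with `/` (and not `//`) belongs here regardless of the trust flag.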
--- a/misc/CHANGELOG +++ b/misc/CHANGELOG @@ -2,8 +2,9 @@ Enhancements, changes: ---------------------------- - + php8.4 compatibility; + + php8.3 compatibility; + MySQL 5.5.3+ is now required (support for utf8mb4); + + Reverse-proxy users should review the new config.php $trust_x_forwarded_headers setting; Security Fixes: ----------------------------