summaryrefslogtreecommitdiffstats
path: root/sites
diff options
context:
space:
mode:
authorwebchick2011-10-20 06:38:29 (GMT)
committerwebchick2011-10-20 06:38:29 (GMT)
commit629a4dea2fad9f4a5fcb7c68866b25b4077f7ce5 (patch)
tree7984671bec110588f82da4bab87086848e2290e6 /sites
parent362be767ba042b496a47b7e2efb49391553a9b3b (diff)
Issue #1310250 by joelcollinsdc: Fixed Improve reverse proxy ip address handing commenting and documentation.
Diffstat (limited to 'sites')
-rw-r--r--sites/default/default.settings.php60
1 files changed, 34 insertions, 26 deletions
diff --git a/sites/default/default.settings.php b/sites/default/default.settings.php
index 8479cf5..f8894aa 100644
--- a/sites/default/default.settings.php
+++ b/sites/default/default.settings.php
@@ -322,41 +322,49 @@ ini_set('session.cookie_lifetime', 2000000);
# $conf['maintenance_theme'] = 'bartik';
/**
- * Enable this setting to determine the correct IP address of the remote
- * client by examining information stored in the X-Forwarded-For headers.
- * X-Forwarded-For headers are a standard mechanism for identifying client
- * systems connecting through a reverse proxy server, such as Squid or
- * Pound. Reverse proxy servers are often used to enhance the performance
+ * Reverse Proxy Configuration:
+ *
+ * Reverse proxy servers are often used to enhance the performance
* of heavily visited sites and may also provide other site caching,
- * security or encryption benefits. If this Drupal installation operates
- * behind a reverse proxy, this setting should be enabled so that correct
- * IP address information is captured in Drupal's session management,
- * logging, statistics and access management systems; if you are unsure
- * about this setting, do not have a reverse proxy, or Drupal operates in
- * a shared hosting environment, this setting should remain commented out.
+ * security, or encryption benefits. In an environment where Drupal
+ * is behind a reverse proxy, the real IP address of the client should
+ * be determined such that the correct client IP address is available
+ * to Drupal's logging, statistics, and access management systems. In
+ * the most simple scenario, the proxy server will add an
+ * X-Forwarded-For header to the request that contains the client IP
+ * address. However, HTTP headers are vulnerable to spoofing, where a
+ * malicious client could bypass restrictions by setting the
+ * X-Forwarded-For header directly. Therefore, Drupal's proxy
+ * configuration requires the IP addresses of all remote proxies to be
+ * specified in $conf['reverse_proxy_addresses'] to work correctly.
+ *
+ * Enable this setting to get Drupal to determine the client IP from
+ * the X-Forwarded-For header (or $conf['reverse_proxy_header'] if set).
+ * If you are unsure about this setting, do not have a reverse proxy,
+ * or Drupal operates in a shared hosting environment, this setting
+ * should remain commented out.
+ *
+ * In order for this setting to be used you must specify every possible
+ * reverse proxy IP address in $conf['reverse_proxy_addresses'].
+ * If a complete list of reverse proxies is not available in your
+ * environment (for example, if you use a CDN) you may set the
+ * $_SERVER['REMOTE_ADDR'] variable directly in settings.php.
+ * Be aware, however, that it is likely that this would allow IP
+ * address spoofing unless more advanced precautions are taken.
*/
# $conf['reverse_proxy'] = TRUE;
/**
- * Set this value if your proxy server sends the client IP in a header other
- * than X-Forwarded-For.
- *
- * The "X-Forwarded-For" header is a comma+space separated list of IP addresses,
- * only the last one (the left-most) will be used.
+ * Specify every reverse proxy IP address in your environment.
+ * This setting is required if $conf['reverse_proxy'] is TRUE.
*/
-# $conf['reverse_proxy_header'] = 'HTTP_X_CLUSTER_CLIENT_IP';
+# $conf['reverse_proxy_addresses'] = array('a.b.c.d', ...);
/**
- * reverse_proxy accepts an array of IP addresses.
- *
- * Each element of this array is the IP address of any of your reverse
- * proxies. Filling this array Drupal will trust the information stored
- * in the X-Forwarded-For headers only if Remote IP address is one of
- * these, that is the request reaches the web server from one of your
- * reverse proxies. Otherwise, the client could directly connect to
- * your web server spoofing the X-Forwarded-For headers.
+ * Set this value if your proxy server sends the client IP in a header
+ * other than X-Forwarded-For.
*/
-# $conf['reverse_proxy_addresses'] = array('a.b.c.d', ...);
+# $conf['reverse_proxy_header'] = 'HTTP_X_CLUSTER_CLIENT_IP';
/**
* Page caching: