Setting CONST_GET_IP_METHOD does not fit every topology #1286

Description

@andrewhotlab

We are trying to run ITFlow on a web server in our local network, but we also need to publish it to the Web through our web reverse proxy (NGINX).
We've noticed that setting CONST_GET_IP_METHOD to HTTP_X_FORWARDED_FOR allows Internet users to access our setup remotely, but it also prevents the staff working in our office network from logging in anymore (they receive the "Potential Security Violation" error).

We tried to fix this by changing these lines of the GetIP() function:

itflow/functions.php

Lines 91 to 99 in 60563e3

// Default way to get IP
$ip = $_SERVER['REMOTE_ADDR'];
// Allow overrides via config.php in-case we use a proxy - https://docs.itflow.org/config_php
if (defined("CONST_GET_IP_METHOD") && CONST_GET_IP_METHOD == "HTTP_X_FORWARDED_FOR") {
    $ip = explode(',', getenv('HTTP_X_FORWARDED_FOR'))[0] ?? $_SERVER['REMOTE_ADDR'];
} elseif (defined("CONST_GET_IP_METHOD") && CONST_GET_IP_METHOD == "HTTP_CF_CONNECTING_IP") {
    $ip = $_SERVER["HTTP_CF_CONNECTING_IP"] ?? $_SERVER['REMOTE_ADDR'];
}

This patch should let the function dynamically understand if the request has been proxied or not, and get the client IP address accordingly:

--- functions.php.orig  Sun Jun  7 12:19:06 2026
+++ functions.php       Sun Jun  7 12:19:44 2026
@@ -88,14 +88,15 @@
 
 function getIP() {
 
-    // Default way to get IP
-    $ip = $_SERVER['REMOTE_ADDR'];
-
-    // Allow overrides via config.php in-case we use a proxy - https://docs.itflow.org/config_php
-    if (defined("CONST_GET_IP_METHOD") && CONST_GET_IP_METHOD == "HTTP_X_FORWARDED_FOR") {
-        $ip = explode(',', getenv('HTTP_X_FORWARDED_FOR'))[0] ?? $_SERVER['REMOTE_ADDR'];
-    } elseif (defined("CONST_GET_IP_METHOD") && CONST_GET_IP_METHOD == "HTTP_CF_CONNECTING_IP") {
-        $ip = $_SERVER["HTTP_CF_CONNECTING_IP"] ?? $_SERVER['REMOTE_ADDR'];
+    // Dynamic way to get IP
+    if (array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER)) {
+      $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
+      } else if (array_key_exists('HTTP_CF_CONNECTING_IP', $_SERVER)) {
+        $ip = $_SERVER['HTTP_CF_CONNECTING_IP'];
+      } else if (array_key_exists('REMOTE_ADDR', $_SERVER)) {
+        $ip = $_SERVER['REMOTE_ADDR'];
+      } else if (array_key_exists('HTTP_CLIENT_IP', $_SERVER)) {
+        $ip = $_SERVER['HTTP_CLIENT_IP'];
     }
 
     // Abort if something isn't right
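
Review bot: The new `if (array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER))` branch trusts the header whenever it is present, and a client that connects to the web server directly (the office-network case this patch is meant to fix) can set that header itself, so the value stored in `$ip` becomes client-controlled. Accept `HTTP_X_FORWARDED_FOR` and `HTTP_CF_CONNECTING_IP` only when `$_SERVER['REMOTE_ADDR']` is the address of a known proxy, and use `REMOTE_ADDR` otherwise. The same branch assigns the raw header where the removed line used `explode(',', ...)[0]`, so a multi-hop value reaches the later checks as a comma-separated list instead of one address. The `HTTP_CLIENT_IP` branch is only reached when `REMOTE_ADDR` is absent, and `CONST_GET_IP_METHOD` from config.php is no longer consulted at all, which changes behaviour for installs that rely on it; the `} else if` lines are also indented inconsistently with the opening `if`.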

It looks like it is working in our environment, thus we'd like to issue a pull request if it complies with your code standards.

And many thanks for providing such a good solution to the community!
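
One way to handle the mixed topology described in this issue (office clients connecting directly, Internet clients arriving through the reverse proxy), as an added example that is not ITFlow code and not the patch above: forwarded headers are honoured only when the TCP peer is a known proxy. `TRUSTED_PROXIES`, `resolveClientIp()` and every address below are hypothetical, constructed for illustration.

```php
<?php
// Added example. TRUSTED_PROXIES and resolveClientIp() are hypothetical names.
const TRUSTED_PROXIES = ['192.168.1.2']; // constructed address of the NGINX reverse proxy

function resolveClientIp(array $server, array $trustedProxies = TRUSTED_PROXIES): ?string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return null; // no usable peer address: the caller should abort
    }
    // Direct connection (office LAN): ignore any forwarded header the client sent.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }
    $xff = trim($server['HTTP_X_FORWARDED_FOR'] ?? '');
    if ($xff === '') {
        return $remote; // proxy sent no header: fall back to the peer address
    }
    // Walk the list right to left: the rightmost entries were appended by our own
    // proxies, anything further left was supplied by the client and is not trusted.
    foreach (array_reverse(array_map('trim', explode(',', $xff))) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return null; // malformed entry: refuse rather than guess
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop; // first hop that is not one of our proxies
        }
    }
    return $remote; // header listed only our own proxies
}

// Constructed sample requests covering both access paths.
$cases = [
    'office LAN, direct'                  => ['REMOTE_ADDR' => '192.168.1.50'],
    'office LAN, direct, header supplied' => ['REMOTE_ADDR' => '192.168.1.50',
                                              'HTTP_X_FORWARDED_FOR' => '203.0.113.9'],
    'Internet via proxy'                  => ['REMOTE_ADDR' => '192.168.1.2',
                                              'HTTP_X_FORWARDED_FOR' => '198.51.100.7'],
    'via proxy, client prepended a value' => ['REMOTE_ADDR' => '192.168.1.2',
                                              'HTTP_X_FORWARDED_FOR' => '10.0.0.1, 198.51.100.7'],
];
foreach ($cases as $label => $server) {
    printf("%-38s %s\n", $label, resolveClientIp($server) ?? 'abort');
}
```

The proxy list is compared as plain strings, so each proxy must be listed in the exact textual form the web server reports in `REMOTE_ADDR`.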
