Include X-Forwarded-For info in login history

jackc

Some of us set up DA login through port 80 instead of 2222 via mod_proxy. If a user logs in through port 80, the login history will show the server IP instead of the user's real IP. It would be nice to include the X-Forwarded-For info in the login history as well, so we can see the user's real IP even if he's behind a transparent proxy.
 
Just a reminder to DA to filter it if they do use it. It's a big mistake made by many people in the PHP community to trust the header when someone could easily fake the header with something else to disrupt/exploit the script.
 
Hello,

Both points do have some valid points... it would be good to know the IP, but we cannot trust headers ever. The correct way would be to use the data from the Apache logs to cross-reference logins (probably beyond DA), assuming proxy data is logged... (if not, change the logging to have it log proxy relays). The Apache info is the only data that knows the true location for where a request is coming from.

John
 
I'm currently doing exactly as you said, but it's too much trouble to compare logs. It would be nice just to see which IPs were logged into DA earlier.
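
The filtering asked for earlier in the thread, as an added example that is not part of any post and is not DirectAdmin code: the header is honoured only when the connection itself comes from the trusted proxy, and the list is read right to left because mod_proxy appends to whatever value the client already sent. The trusted range (loopback), the function names and the sample requests are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: the only proxy allowed to vouch for a client is mod_proxy on this host.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.0/8"),
                   ipaddress.ip_network("::1/128")]

def is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)

def client_ip(peer, xff):
    """Return (ip, source) for one request; source is 'peer' or 'xff'."""
    peer_ip = ipaddress.ip_address(peer)
    # A header sent over a direct (non-proxy) connection is ignored entirely.
    if not is_trusted(peer_ip) or not xff:
        return str(peer_ip), "peer"
    # Rightmost entries were appended by our own proxy; anything further
    # left was supplied by the client and cannot be verified.
    for hop in reversed(xff.split(",")):
        try:
            hop_ip = ipaddress.ip_address(hop.strip())
        except ValueError:
            break  # malformed entry: stop and fall back to the socket address
        if not is_trusted(hop_ip):
            return str(hop_ip), "xff"
    return str(peer_ip), "peer"

# Constructed sample requests: (socket peer address, X-Forwarded-For header)
SAMPLE = [
    ("127.0.0.1", "203.0.113.7"),              # normal login through the proxy
    ("127.0.0.1", "10.9.9.9, 203.0.113.7"),    # client prepended a fake entry
    ("198.51.100.9", "192.0.2.1"),             # direct connection with a forged header
    ("127.0.0.1", "203.0.113.7, not-an-ip"),   # malformed rightmost entry
    ("127.0.0.1", None),                       # proxy connection without the header
]

def login_history(requests):
    """Resolve the address to record for each (peer, xff) pair."""
    return [client_ip(peer, xff) for peer, xff in requests]

if __name__ == "__main__":
    for (peer, xff), (ip, src) in zip(SAMPLE, login_history(SAMPLE)):
        print(f"peer={peer} xff={xff!r} -> record {ip} (from {src})")
```

Recording the source alongside the address lets an administrator see which entries rest on the header and which on the socket address.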
 