- Patch #258397 by John Morahan, Dries, R.Muilwijk, Bart Jansens, grendzy, Berdir: IP address identification not broad enough.

includes/bootstrap.inc

@@ -2198,8 +2198,8 @@ function request_path() {
 /**
  * If Drupal is behind a reverse proxy, we use the X-Forwarded-For header
  * instead of $_SERVER['REMOTE_ADDR'], which would be the IP address of
- * the proxy server, and not the client's. If Drupal is run in a cluster
+ * the proxy server, and not the client's. The actual header name can be
- * we use the X-Cluster-Client-Ip header instead.
+ * configured by the reverse_proxy_header variable.
  *
  * @return
  *   IP address of client machine, adjusted for reverse proxy and/or cluster
@@ -2212,7 +2212,8 @@ function ip_address() {
     $ip_address = $_SERVER['REMOTE_ADDR'];
 
     if (variable_get('reverse_proxy', 0)) {
-      if (array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER)) {
+      $reverse_proxy_header = variable_get('reverse_proxy_header', 'HTTP_X_FORWARDED_FOR');
+      if (!empty($_SERVER[$reverse_proxy_header])) {
         // If an array of known reverse proxy IPs is provided, then trust
         // the XFF header if request really comes from one of them.
         $reverse_proxy_addresses = variable_get('reverse_proxy_addresses', array());
@@ -2220,17 +2221,10 @@ function ip_address() {
           // The "X-Forwarded-For" header is a comma+space separated list of IP addresses,
           // the left-most being the farthest downstream client. If there is more than
           // one proxy, we are interested in the most recent one (i.e. last one in the list).
-          $ip_address_parts = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
+          $ip_address_parts = explode(',', $_SERVER[$reverse_proxy_header]);
           $ip_address = trim(array_pop($ip_address_parts));
         }
       }
-
-      // When Drupal is run in a cluster environment, REMOTE_ADDR contains the IP
-      // address of a server in the cluster, while the IP address of the client is
-      // stored in HTTP_X_CLUSTER_CLIENT_IP.
-      if (array_key_exists('HTTP_X_CLUSTER_CLIENT_IP', $_SERVER)) {
-        $ip_address = $_SERVER['HTTP_X_CLUSTER_CLIENT_IP'];
-      }
     }
   }
 

modules/simpletest/tests/bootstrap.test

@@ -70,7 +70,8 @@ class BootstrapIPAddressTestCase extends DrupalWebTestCase {
       t('Proxy forwarding with trusted proxy got forwarded IP address')
     );
 
-    // Cluster environment.
+    // Custom client-IP header.
+    variable_set('reverse_proxy_header', 'HTTP_X_CLUSTER_CLIENT_IP');
     $_SERVER['HTTP_X_CLUSTER_CLIENT_IP'] = $this->cluster_ip;
     drupal_static_reset('ip_address');
     $this->assertTrue(

sites/default/default.settings.php

@@ -284,8 +284,6 @@ ini_set('session.cookie_lifetime', 2000000);
 # $conf['maintenance_theme'] = 'garland';
 
 /**
- * reverse_proxy accepts a boolean value.
- *
  * Enable this setting to determine the correct IP address of the remote
  * client by examining information stored in the X-Forwarded-For headers.
  * X-Forwarded-For headers are a standard mechanism for identifying client
@@ -301,6 +299,15 @@ ini_set('session.cookie_lifetime', 2000000);
  */
 # $conf['reverse_proxy'] = TRUE;
 
+/**
+ * Set this value if your proxy server sends the client IP in a header other
+ * than X-Forwarded-For.
+ *
+ * The "X-Forwarded-For" header is a comma+space separated list of IP addresses,
+ * only the last one (the left-most) will be used.
+ */
+# $conf['reverse_proxy_header'] = 'HTTP_X_CLUSTER_CLIENT_IP';
+
 /**
  * reverse_proxy accepts an array of IP addresses.
  *