How to get real IP from behind Sucuri firewall


I have a Magento store on Nginx behind the Sucuri firewall, and we hide prices if the IP is outside of the UK.
A brute-force attack was bypassing the firewall, so the hosting added the following rules to prevent bypass:

    location / {
        allow 192.88.134.0/23;
        allow 185.93.228.0/22;
        allow 2a02:fe80::/29;
        allow 66.248.200.0/22;
        deny all;
        # Existing NGINX rules
    }

This works fine except that all IPs are translated as the firewall one based in the UK. To get the real IP, Sucuri suggested adding the following:

    # Define header with original client IP
    real_ip_header X-Forwarded-For;
    # Define trusted Firewall IPs
    set_real_ip_from 192.88.134.0/23;
    set_real_ip_from 185.93.228.0/22;
    set_real_ip_from 66.248.200.0/22;
    set_real_ip_from 2a02:fe80::/29; # this line can be removed if IPv6 is disabled

This second rule causes a problem. Once the IP is translated, and if it is different from the allowed Sucuri IP addresses, the request is restricted with a 403 Forbidden error.

Is it impossible to have the store behind a firewall and still get the real IP? I am sure that this is not the only store in the world behind a firewall which needs to serve different content depending on the IP.
The code in Magento that gets the IP of the client is something like this:

    $geoIP = Mage::getSingleton('geoip/country');

    if ($geoIP->isCountryAllowed()) {....

Any alternative? Solution? My hosting provider is useless.

asked Mar 11 '18 at 14:14
Shakamal

  • Does that mean the users' real IP is now received in the $_SERVER variable under the header $_SERVER['HTTP_X_FORWARDED_FOR'], whereas $_SERVER["REMOTE_ADDR"] is the WAF IP (Web Application Firewall IP)? If yes, Magento can be configured to work correctly.

    – Dilhan Maduranga
    Mar 11 '18 at 15:15

  • Can you elaborate and explain how please?

    – Shakamal
    Mar 11 '18 at 19:30

2 Answers

We hit the same issue when trying to apply the suggested "Block Sucuri Bypass":

    location / {
        # Block everything that isn't sucuri
        allow 192.88.134.0/23;
        allow 185.93.228.0/22;
        allow 2a02:fe80::/29;
        allow 66.248.200.0/22;
        deny all;

        # other nginx config
    }

As this was below the already configured:

    # Define header with original client IP
    real_ip_header X-Forwarded-For;
    # Define trusted IPs
    set_real_ip_from 192.88.134.0/23;
    set_real_ip_from 185.93.228.0/22;
    set_real_ip_from 66.248.200.0/22;
    set_real_ip_from 2a02:fe80::/29;

Magento 1

So long as the code uses the core method:

    Mage::helper('core/http')->getRemoteAddr()

You can add a list of headers to app/etc/local.xml, inside of the config->global node, that are used to determine the "real" IP. Something like:

    <remote_addr_headers>
        <header1>HTTP_X_SUCURI_CLIENTIP</header1>
        <header2>HTTP_X_REAL_IP</header2>
        <header3>HTTP_X_FORWARDED_FOR</header3>
    </remote_addr_headers>

Then you can remove the real_ip_header and set_real_ip_from from the nginx config, allowing all traffic not from Sucuri to be blocked while still being able to obtain the true IP within Magento. You can test this with something like:

    <?php
    // Bootstrap Magento 1 from the store root and print the resolved client address.
    define('MAGENTO_ROOT', getcwd());
    $mageFilename = MAGENTO_ROOT . '/app/Mage.php';
    require MAGENTO_ROOT . '/app/bootstrap.php';
    require_once $mageFilename;

    Mage::app('admin');
    print_r($_SERVER); // request variables exactly as PHP received them
    echo 'address: ' . Mage::helper('core/http')->getRemoteAddr();

Magento 2

This appears to be a little harder. I haven't dug as deep, but on an initial look:

- vendor/magento/framework/Session/Validator.php is sensitive to configuration on whether it should use http_x_forwarded_for or remote_addr
- vendor/magento/framework/HTTP/PhpEnvironment/Request.php:725 has the method getClientIp, which appears to use the first it finds from HTTP_CLIENT_IP, HTTP_X_FORWARDED_FOR, REMOTE_ADDR
- vendor/magento/magento2-base/pub/errors/processor.php:312 had the method _getClientIp, which uses REMOTE_ADDR and, if that isn't found, returns undefined

I may be wrong, but I haven't spotted anywhere a single value can be configured, or a list to try. So at this point I would suggest adding something like the following to app/etc/bootstrap.php:

    $trustedIpHeaders = [
        'HTTP_X_SUCURI_CLIENTIP',
        'HTTP_X_REAL_IP',
        'HTTP_X_FORWARDED_FOR',
    ];
    $headersToPopulate = [
        'HTTP_CLIENT_IP',
        'HTTP_X_FORWARDED_FOR',
        'REMOTE_ADDR',
    ];
    // Copy the first trusted header that is present into every field Magento reads.
    foreach ($trustedIpHeaders as $trustedIpHeader) {
        if (isset($_SERVER[$trustedIpHeader])) {
            foreach ($headersToPopulate as $headerToPopulate) {
                $_SERVER[$headerToPopulate] = $_SERVER[$trustedIpHeader];
            }
            break;
        }
    }

answered Apr 24 at 12:22
Adam

For all those who come across the same issue and try to get an answer from Sucuri or hopeless hosting providers like SiteGround, this is what worked for me. I put the following code at the very beginning of Magento's index.php:

    if (isset($_SERVER['HTTP_X_SUCURI_CLIENTIP'])) {
        $_SERVER["REMOTE_ADDR"] = $_SERVER['HTTP_X_SUCURI_CLIENTIP'];
    }

answered Mar 11 '18 at 21:58
Shakamal
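
Both answers above copy a request header into the address Magento reads, which is only sound while every request really arrives through the firewall. The following added example (not code from either answer, from Sucuri or from Magento) honours those headers only when the TCP peer is inside the Sucuri ranges quoted on this page. The function names are hypothetical, and it assumes the WAF sends a single address in X-Sucuri-ClientIP, as both answers rely on.

```php
<?php
// Added example: hypothetical helper names, not part of Magento or Sucuri.

// Firewall ranges exactly as listed in the nginx rules on this page.
const TRUSTED_PROXY_CIDRS = [
    '192.88.134.0/23',
    '185.93.228.0/22',
    '66.248.200.0/22',
    '2a02:fe80::/29',
];

/** True when $ip (IPv4 or IPv6) lies inside $cidr. */
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparsable input, or IPv4 compared against IPv6
    }
    $bits  = (int) $bits;
    $bytes = intdiv($bits, 8);
    // Compare the whole bytes of the prefix first.
    if (substr($ipBin, 0, $bytes) !== substr($netBin, 0, $bytes)) {
        return false;
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    // Then the remaining high bits of the next byte.
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipBin[$bytes]) & $mask) === (ord($netBin[$bytes]) & $mask);
}

/** True when $ip belongs to one of the firewall ranges. */
function isTrustedProxy(string $ip): bool
{
    foreach (TRUSTED_PROXY_CIDRS as $cidr) {
        if (ipInCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

/**
 * Resolve the visitor address from a $_SERVER-style array.
 * Forwarding headers are honoured only when the TCP peer is the firewall.
 */
function resolveClientIp(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!isTrustedProxy($peer)) {
        return $peer; // direct connection: any forwarding header is client-supplied
    }
    // Assumption: the WAF puts exactly one address in this header.
    $candidate = trim($server['HTTP_X_SUCURI_CLIENTIP'] ?? '');
    if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
        return $candidate;
    }
    // X-Forwarded-For is a list; read it right to left and skip our own proxies,
    // because entries further left were supplied by the client.
    $hops = array_reverse(array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? '')));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: stop trusting the chain
        }
        if (!isTrustedProxy($hop)) {
            return $hop;
        }
    }
    return $peer;
}

// Constructed sample requests (not captured traffic).
$samples = [
    'via WAF'        => ['REMOTE_ADDR' => '192.88.134.10', 'HTTP_X_SUCURI_CLIENTIP' => '203.0.113.7'],
    'direct, forged' => ['REMOTE_ADDR' => '198.51.100.23', 'HTTP_X_SUCURI_CLIENTIP' => '203.0.113.7'],
    'XFF chain'      => ['REMOTE_ADDR' => '185.93.228.4',
                         'HTTP_X_FORWARDED_FOR' => '10.1.1.1, 203.0.113.9, 192.88.134.10'],
];
foreach ($samples as $label => $server) {
    printf("%-15s => %s\n", $label, resolveClientIp($server));
}
```

In app/etc/bootstrap.php or index.php, the value returned by resolveClientIp($_SERVER) would be assigned to $_SERVER['REMOTE_ADDR'] before Magento starts.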
