Maybe I am missing the point. But my goal is to capture any IP from any request made to my rest api so I can keep track of them in a database.

I am using Slim 3 and when I use composer to load the middleware I use it like this and it always returns null from my localhost.

require '../vendor/autoload.php';

$app->get('/api/v1/customer', function (Request $request, Response $response) {
    $requestIP = $request->getAttribute('ip_address');
     var_dump($requestIP);
     echo $requestIP;

    return $response;
});

From my understanding this is options if you only want to accept request from certain IP,

$checkProxyHeaders = true; // Note: Never trust the IP address for security processes!
$trustedProxies = ['10.0.0.1', '10.0.0.2']; // Note: Never trust the IP address for security processes!
$app->add(new RKA\Middleware\IpAddress($checkProxyHeaders, $trustedProxies));

When I add that into my app the output is this,

string(3) "::1" ::1

If I am trying to capture the IP from the request is that $trustedProxies optional? If it is not optional how can I accept request from all IP?

To achieve my goal what am I missing here? Or am I getting the expected result and I just do not realize it?

I'm trying to setup a set middleware to mangle requests and response on my app and I've noticed that I don't have the ip_address set on middleware following rka-ip-address-middleware.

More specifically I'm setting up a throttling middleware to limit requests per IP address per hour like bellow

class ThrottlingMiddleware {

    const CACHE_PREFIX = 'throttling_';
    const THROTTLING_LIMIT = 1000000;
    private $enabled = false;
    protected $memcache;

    public function __construct() {
        $this->memcache = new Memcache();
        $this->enabled = true;
    }

    private function _isRateExceeded($host) {
        if (!$this->memcache->get(self::CACHE_PREFIX . $host))
            return false;

        return $this->memcache->get(self::CACHE_PREFIX . $host) > self::THROTTLING_LIMIT;
    }

    private function _register($host) {
        if (!$this->memcache->get(self::CACHE_PREFIX . $host)) {
            $this->memcache->set(self::CACHE_PREFIX . $host, 0, time() + (60 * 60));
        }

        $this->memcache->increment(self::CACHE_PREFIX . $host, 1);
    }

    function __invoke(Request $request, Response $response, callable $next) {
        if (!$this->enabled)
            return $next($request, $response);

        $ip_address = $request->getAttribute('ip_address'); // **IP WAS SUPPOSED TO BE SET HERE**

        if (is_null($ip_address))
            return $next($request, $response);

        if ($this->_isRateExceeded($ip_address)) {
            return $response->withStatus(429, "Too Many Requests");
        }

        $response = $next($request, $response);

        $this->_register($ip_address);
        return $response;
    }
}

Then middleware is added to the app like

$checkProxyHeaders = true;
$trustedProxies = ['10.0.0.1', '10.0.0.2'];
$app->add(new RKA\Middleware\IpAddress($checkProxyHeaders, $trustedProxies));
$app->add(new ThrottlingMiddleware());

Given the above I think IpAddress is supposed to run first and thus set the ip address on the request which is received by the next middleware in the queue.

Please clarify if the assumption above is correct or not, or provide advise on how I can handle this case.

Hi Guys,

AWS doesn't specify the private IP address for my application load balancer. I think from what I've read online the number of addresses can change as the load balancer scales. So essentially I need to be able to check the proxy headers without the trusted proxies list and/or use a netmask? I can do the work to add this feature if you think this change is acceptable?

This middleware seems to fail in an environment behind an Azure application gateway.

I can confirm that the client ip is available in the request headers under X_FORWARDED_FOR, however, this middleware always returns the REMOTE_ADDR, which is some internal IP in Azure.

I've set $checkProxyHeaders to true -- i've left the $trustedProxies array both empty, and filled with every possible combination of ips/domains that I could find in the request headers -- can't seem to get it to return the client's IP address.

Any idea what could be going on here?

https://support.cloudflare.com/hc/en-us/articles/200170986-How-does-Cloudflare-handle-HTTP-Request-headers-
+
https://stackoverflow.com/questions/17540715/using-curl-i-added-the-header-http-x-real-ip-on-the-server-side-it-becomes-h

And I dont know, but current order in $headersToInspect maybe wrong.

Headers 'X-Forwarded-*' seem to have been standardized in rfc 7239 (June 2014).
Useful infos on wikipedia : https://en.wikipedia.org/wiki/X-Forwarded-For

The standardized header name is 'Forwarded'.

Syntax example :
Forwarded: for=192.0.2.60; proto=http; by=203.0.113.43

Hi ! Is there a roadmap to reach 1.0 release ?

We used to use version 0.4 from the old repo, and upgraded to 0.6 and eventually 1.0 of this repo.

In the 0.6 release, there was a change that now forces the user to provide an IP list of "trustedProxies", otherwise the determined IP address would always be the "REMOTE_ADDR". Before, one could determine the supposed remote address without a list.

This effectively makes it useless to allow "checkProxyHeaders = true" with "trustedProxies = []". It will silently be switched back to "checkProxyHeaders = false" without any notice or warning.

This would force us to have a list of all trusted proxies of our DEV, TEST and PRODUCTION environment, and also reveal all these numbers in every other environment, or juggle with different configurations. Nobody should be able to sneak in from anywhere, which is guaranteed by our infrastructure setup. Effectively, we do not need to configure trusted proxies, we are fine with determining the IP from the headers as-is.

Would you consider reverting that change?

public function __invoke(ServerRequestInterface $request, ResponseInterface $response, $next)`
    {
        if (!$next) {
            return $response;
        }

        $ipAddress = $this->determineClientIpAddress($request);
        $request = $request->withAttribute($this->attributeName, $ipAddress);

        return $response = $next($request, $response);
  }

I got the error exception.

[FATAL] RKA\Middleware\IpAddress::__invoke(): Argument # 2 ($response) must be of type Psr\Http\Message\ResponseInterface, Psr\Http\Server\RequestHandlerInterface@anonymous given, called in /vendor/slim/slim/Slim/MiddlewareDispatcher.php on line 168

Hi,

the usage example you are giving does not seem to work with current Slim 3 versions.

The line:

$app->add(new RKA\Middleware\IpAddress($checkProxyHeaders, $trustedProxies));

produces the following error:
Argument 1 passed to Slim\Slim::add() must be an instance of Slim\Middleware, instance of RKA\Middleware\IpAddress given

What can I do to use your middleware anyway?

Thank you very much
Kind regards,
Tom

Hey!

Would you consider adding PHP 8 support? If so, I'm open for the contribution.

The current code uses the request object to get the headers.
On AWS Elastic Beanstalk for example the request headers are:
Host: subdomain.domain.com
HTTP_ACCEPT: application/json
HTTP_ACCEPT_ENCODING: gzip, deflate
HTTP_CACHE_CONTROL: no-cache
CONTENT_TYPE: application/json
HTTP_POSTMAN_TOKEN: f37b1651-c782-4f29-9f00-e9e1f074a257
HTTP_USER_AGENT: PostmanRuntime/3.0.11-hotfix.2
HTTP_X_FORWARDED_FOR: 72.206.90.181
HTTP_X_FORWARDED_PORT: 80
HTTP_X_FORWARDED_PROTO: http
HTTP_CONNECTION: keep-alive

The change I employed was to use the PHP function getallheaders() which provides these headers:
host: subdomain.domain .com
Accept: application/json
accept-encoding: gzip, deflate
cache-control: no-cache
Content-Type: application/json
Postman-Token: 0facf6eb-9d64-4d2f-a9d7-3eaf287bf729
User-Agent: PostmanRuntime/3.0.11-hotfix.2
X-Forwarded-For: 72.206.90.181
X-Forwarded-Port: 80
X-Forwarded-Proto: http
Connection: keep-alive

Tests and build config is shipped with the package.

Ideally, a .gitattributes file would prevent such files from ending up in the .zip release.