The client IP check function does the following:
function lz_getip(){
    if(isset($_SERVER["REMOTE_ADDR"])){
        return $_SERVER["REMOTE_ADDR"];
    }elseif(isset($_SERVER["HTTP_X_FORWARDED_FOR"])){
        return $_SERVER["HTTP_X_FORWARDED_FOR"];
    }elseif(isset($_SERVER["HTTP_CLIENT_IP"])){
        return $_SERVER["HTTP_CLIENT_IP"];
    }
}
Shouldn’t it check REMOTE_ADDR last? We have Varnish in front, and are setting the real client IP in HTTP_X_FORWARDED_FOR. Other reverse proxies set HTTP_CLIENT_IP, but we typically never overwrite or remove REMOTE_ADDR. Thus, REMOTE_ADDR should be a fallback. Otherwise when you block an IP in a reverse proxy situation, you are blocking everybody.
Also, “Your IP Address” in the plugin settings display should use lz_getip; currently it’s hard-coded to show REMOTE_ADDR.
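An added example, not part of the original post and not the plugin's code: one way to resolve the client IP behind a reverse proxy so that forwarding headers are honoured only when the request actually arrives from a known proxy, since a header-first check lets any direct client choose the address that gets logged or blocked. The function name, the `$trustedProxies` list and the sample addresses are assumptions, as is the proxy appending the connecting address to the end of X-Forwarded-For.

```php
<?php
// Added example. example_client_ip() and $trustedProxies are hypothetical names;
// the plugin has no such setting on this page.
function example_client_ip(array $server, array $trustedProxies): ?string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return null; // no usable socket address at all
    }
    // Request did not come through our proxy: every forwarding header is
    // client-controlled, so only the socket address can be believed.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }
    $chain = [];
    if (isset($server['HTTP_X_FORWARDED_FOR'])) {
        $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    } elseif (isset($server['HTTP_CLIENT_IP'])) {
        $chain = [trim($server['HTTP_CLIENT_IP'])];
    }
    // Walk right to left: the rightmost entries were appended by our own
    // proxies, so the first address that is not a trusted proxy is the client
    // as our edge saw it. Anything further left was supplied by the client.
    foreach (array_reverse($chain) as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
            return $remote; // malformed chain: fall back to the socket address
        }
        if (!in_array($ip, $trustedProxies, true)) {
            return $ip;
        }
    }
    return $remote; // header missing, or it listed only our own proxies
}

// Constructed sample requests (documentation address ranges).
$proxies = ['10.0.0.5']; // assumed address of the Varnish host
$samples = [
    'via proxy'          => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'],
    'client-sent prefix' => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1, 203.0.113.7'],
    'direct with header' => ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1'],
    'proxy, no header'   => ['REMOTE_ADDR' => '10.0.0.5'],
];
foreach ($samples as $label => $server) {
    printf("%-20s %s\n", $label, example_client_ip($server, $proxies));
}
```

Proxy addresses are compared as exact strings here, so an IPv6 proxy must be listed in the same textual form the web server reports in REMOTE_ADDR.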