Enabling the XFF Header
A common issue our Web Application Firewall (WAF) customers encounter is that their Hosting Server logs show the Same IP address for all users.
The WAF is in the middle of the communication between the visitors and the hosting server so it can filter malicious requests. Because of that, the connection is modified and the source IP at the network level is shown as the Website Firewall IP address and not the visitor's.
If your application needs the real visitor IP address, you have options to make it work. With the help of the X-Forwarded-For (XFF) header, your application or web server can be configured to get the visitor IP address correctly.
- WordPress
- Regular PHP Applications
- Magento
- IP Board
- vBulletin 4.2+
- PrestaShop
- Drupal
- WHMCS
- CodeIgniter
- Apache
- NGINX
- IIS using Advanced Logging
- LiteSpeed
WordPress
Install and activate the official Sucuri Plugin.
Regular PHP Applications
Add the following code to your application configuration file:
if(isset($_SERVER['HTTP_X_SUCURI_CLIENTIP'])) { $_SERVER["REMOTE_ADDR"] = $_SERVER['HTTP_X_SUCURI_CLIENTIP']; }
Magento
- 1.x
Place the following code on your /app/etc/local.xml file inside of the <global></global> scope:
<remote_addr_headers><!-- list headers that contain real client IP if webserver is behind a reverse proxy -->
<header1>HTTP_X_SUCURI_CLIENTIP</header1>
</remote_addr_headers>
We recommend translating the visitor IP using the web server level methods listed below for Apache, NGINX, LiteSpeed, and IIS
If you can’t do this, the following article (use it at your own risk) could help:
https://dev98.de/2017/01/02/how-to-add-alternative-http-headers-to-magento-2/IP Board
Settings: Security and Privacy -> "Enable X_FORWARDED_FOR IP matching" set to ‘yes’.
vBulletin 4.2+
If you are using vBulletin 4.2 or newer they have added in a feature to allow for use behind a proxy like Firewall. Look inside of your /includes/config.php file for the following code:
/* #### Reverse Proxy IP #### If your use a system where the main IP address passed to vBulletin is the address of a proxy server and the actual 'real' ip address is passed in another http header then you enter the details here */ /* Enter your known [trusted] proxy servers here. You can list multiple trusted IPs separated by a comma.*/ //$config['Misc']['proxyiplist'] = '127.0.0.1, 192.168.1.6'; /* If the real IP is passed in a http header variable other than HTTP_X_FORWARDED_FOR, then you can set the name here; */ //$config['Misc']['proxyipheader'] = 'HTTP_X_FORWARDED_FOR';
And modify it to the following to work with our firewall:
/* #### Reverse Proxy IP #### If your use a system where the main IP address passed to vBulletin is the address of a proxy server and the actual 'real' ip address is passed in another http header then you enter the details here */ /* Enter your known [trusted] proxy servers here. You can list multiple trusted IPs separated by a comma.*/ $config['Misc']['proxyiplist'] = '192.88.134.2, 192.88.134.3, 192.88.134.4, 192.88.134.5, 192.88.134.6, 192.88.134.7, 192.88.134.8, 192.88.134.9, 192.88.134.10, 192.88.134.11, 192.88.134.12, 192.88.134.13, 192.88.134.14, 192.88.134.15, 192.88.134.16, 192.88.134.17, 192.88.134.18, 192.88.134.19, 192.88.134.20, 192.88.134.21, 192.88.135.2, 192.88.135.3, 192.88.135.4, 192.88.135.5, 192.88.135.6, 192.88.135.7, 192.88.135.8, 192.88.135.9, 192.88.135.10, 192.88.135.11, 192.88.135.12, 192.88.135.13, 192.88.135.14, 192.88.135.15, 192.88.135.16, 192.88.135.17, 192.88.135.18, 192.88.135.19, 192.88.135.20, 192.88.135.21, 185.93.228.2, 185.93.228.3, 185.93.228.4, 185.93.228.5, 185.93.228.6, 185.93.228.7, 185.93.228.8, 185.93.228.9, 185.93.228.10, 185.93.228.11, 185.93.228.12, 185.93.228.13, 185.93.228.14, 185.93.228.15, 185.93.228.16,, 185.93.228.17, 185.93.228.18, 185.93.228.19, 185.93.228.20, 185.93.228.21, 185.93.229.2, 185.93.229.3, 185.93.229.4, 185.93.229.5, 185.93.229.6, 185.93.229.7, 185.93.229.8, 185.93.229.9, 185.93.229.10, 185.93.229.11, 185.93.229.12, 185.93.229.13, 185.93.229.14, 185.93.229.15, 185.93.229.16, 185.93.229.17, 185.93.229.18, 185.93.229.19, 185.93.229.20, 185.93.229.21, 185.93.230.2, 185.93.230.3, 185.93.230.4, 185.93.230.5, 185.93.230.6, 185.93.230.7, 185.93.230.8, 185.93.230.9, 185.93.230.10, 185.93.230.11, 185.93.230.12, 185.93.230.13, 185.93.230.14, 185.93.230.15, 185.93.230.16, 185.93.230.17, 185.93.230.18, 185.93.230.19, 185.93.230.20, 185.93.230.21, 185.93.231.2, 185.93.231.3, 185.93.231.4, 185.93.231.5, 185.93.231.6, 185.93.231.7, 185.93.231.8, 185.93.231.9, 185.93.231.10, 185.93.231.11, 185.93.231.12, 185.93.231.13, 185.93.231.14, 185.93.231.15, 185.93.231.16, 185.93.231.17, 185.93.231.18, 185.93.231.19, 185.93.231.20, 185.93.231.21, 66.248.201.2, 66.248.201.3, 66.248.201.4, 66.248.201.5, 66.248.201.6, 66.248.201.7, 66.248.201.8, 66.248.201.9, 66.248.201.10, 66.248.201.11, 66.248.201.12, 66.248.201.13, 66.248.201.14, 66.248.201.15, 66.248.201.16, 66.248.201.17, 66.248.201.18, 66.248.201.19, 66.248.201.20, 66.248.201.21, 66.248.202.2, 66.248.202.3, 66.248.202.4, 66.248.202.5, 66.248.202.6, 66.248.202.7, 66.248.202.8, 66.248.202.9, 66.248.202.10, 66.248.202.11, 66.248.202.12, 66.248.202.13, 66.248.202.14, 66.248.202.15, 66.248.202.16, 66.248.202.17, 66.248.202.18, 66.248.202.19, 66.248.202.20, 66.248.202.21, 66.248.203.2, 66.248.203.3, 66.248.203.4, 66.248.203.5, 66.248.203.6, 66.248.203.7, 66.248.203.8, 66.248.203.9, 66.248.203.10, 66.248.203.11, 66.248.203.12, 66.248.203.13, 66.248.203.14, 66.248.203.15, 66.248.203.16, 66.248.203.17, 66.248.203.18, 66.248.203.19, 66.248.203.20, 66.248.203.21, 66.248.200.2, 66.248.200.3, 66.248.200.4, 66.248.200.5, 66.248.200.6, 66.248.200.7, 66.248.200.8, 66.248.200.9, 66.248.200.10, 66.248.200.11, 66.248.200.12, 66.248.200.13, 66.248.200.14, 66.248.200.15, 66.248.200.16, 66.248.200.17, 66.248.200.18, 66.248.200.19, 66.248.200.20, 66.248.200.21'; /* If the real IP is passed in a http header variable other than HTTP_X_FORWARDED_FOR, then you can set the name here; */ $config['Misc']['proxyipheader'] = 'HTTP_X_SUCURI_CLIENTIP';
If you are not able to find that code inside of your /includes/config.php file, you can just add it to the bottom of the file. Make sure you remove the // at the beginning of the 2 lines containing the IP addresses and the header line.
PrestaShop
Create the file /override/classes/Tools.php with the content:
<?php
class Tools extends ToolsCore
{
/**
* Get the server variable REMOTE_ADDR, or the first ip of HTTP_X_FORWARDED_FOR (when using proxy)
*
* @return string $remote_addr ip of client
*/
public static function getRemoteAddr()
{
// This condition is necessary when using CDN, don't remove it.
if (isset($_SERVER['HTTP_X_SUCURI_CLIENTIP']) AND $_SERVER['HTTP_X_SUCURI_CLIENTIP'])
{
if (strpos($_SERVER['HTTP_X_SUCURI_CLIENTIP'], ','))
{
$ips = explode(',', $_SERVER['HTTP_X_SUCURI_CLIENTIP']);
return $ips[0];
}
else
return $_SERVER['HTTP_X_SUCURI_CLIENTIP'];
}
return $_SERVER['REMOTE_ADDR'];
}
}
and remove the file /cache/class_index.php.
Drupal
Add the PHP code into the settings.php file:
if(isset($_SERVER['HTTP_X_SUCURI_CLIENTIP'])) { $_SERVER["REMOTE_ADDR"] = $_SERVER['HTTP_X_SUCURI_CLIENTIP']; }
WHMCS
-
Add the PHP code into the configuration.php file:
if(isset($_SERVER['HTTP_X_SUCURI_CLIENTIP'])) { $_SERVER["REMOTE_ADDR"] = $_SERVER['HTTP_X_SUCURI_CLIENTIP']; }
-
On WHMCS admin, go to Settings -> Security -> Trusted Proxies and add each of the following IP ranges:
192.88.134.0/23 185.93.228.0/22 66.248.200.0/22 208.109.0.0/22 2a02:fe80::/29 _(in case of IPv6 support)_
- On the "Proxy IP Header" field, insert HTTP_X_SUCURI_CLIENTIP and Save Changes.
CodeIgniter
Add the PHP code into the index.php file:
if(isset($_SERVER['HTTP_X_SUCURI_CLIENTIP'])) { $_SERVER["REMOTE_ADDR"] = $_SERVER['HTTP_X_SUCURI_CLIENTIP']; }
Apache
- 2.2
- 2.4+
Apache 2.4 and above usually comes with mod_remoteip installed, you just need to enable it. If mod_remoteip has not been included in your Apache install you can download it here: mod_remoteip.
If you are using cPanel/WHM, mod_remoteip can be installed with "yum -y install ea-apache24-mod_remoteip".
Once mod_remoteip is installed, you need to add the following lines into its configuration file. Usually the configuration file would be /etc/apache/conf-available/remoteip.conf, but if you’re using cPanel/WHM, it would be /etc/apache2/conf.modules.d/370_mod_remoteip.conf.
RemoteIPHeader X-FORWARDED-FOR RemoteIPTrustedProxy 192.88.134.0/23 RemoteIPTrustedProxy 185.93.228.0/22 RemoteIPTrustedProxy 66.248.200.0/22 RemoteIPTrustedProxy 208.109.0.0/22 RemoteIPTrustedProxy 2a02:fe80::/29 # this line can be removed if IPv6 is disabled
If it does work, try changing RemoteIPHeader X-FORWARDED-FOR to RemoteIPHeader X_FORWARDED_FOR.
You can also add the following line in your /usr/local/apache/conf/includes/post_virtualhost_global.conf file and restart Apache, if you want to see the visitor IP address in the Apache logs:
LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
NGINX
After enabling ngx_http_realip_module, add the following to your nginx configuration:
# Define header with original client IP real_ip_header X-Forwarded-For; # Define trusted Firewall IPs set_real_ip_from 192.88.134.0/23; set_real_ip_from 185.93.228.0/22; set_real_ip_from 66.248.200.0/22; set_real_ip_from 208.109.0.0/22; set_real_ip_from 2a02:fe80::/29; # this line can be removed if IPv6 is disabled
IIS using Advanced Logging
Details here.
LiteSpeed
In the LiteSpeed Web Admin Panel, go to Configuration -> Server -> General Settings and set Use Client IP in Header to ‘Yes’.
To avoid conflicts with LiteSpeed rate limiting, please also add Sucuri Firewall IP ranges on the Allowed List. Go to Configuration -> Server -> Security -> Allowed List and add the following IP addresses:
192.88.134.0/23T, 185.93.228.0/22T, 66.248.200.0/22T, 208.109.0.0/22T, 2a02:fe80::/29T
Note: If you run into issues with the IPv6 addresses (2a02:fe80::/29), and you do not have any IPv6 addresses assigned to your hosting, you should remove those lines from any directive.