The WAF will be in the middle of the communication between the visitors and the hosting server to be able to filter the malicious requests. Because of that, the connection is modified and the source IP at the network level will be shown as the Website Firewall IP address and not the visitor’s.
In case your application needs the real visitor IP address, there are some options to make it work. With the help of the XFF header, your application or web server can be configured to get the visitor IP address correctly.
- WordPress
- PHP
- Magento
- IP Board
- vBulletin
- PrestaShop
- Drupal
- WHMCS
- CodeIgniter
- Apache
- NGINX
- IIS
- LiteSpeed
Simply install and activate the official Sucuri Plugin.
Add the following code to your application configuration file:
if(isset($_SERVER['HTTP_X_SUCURI_CLIENTIP']))
{
$_SERVER["REMOTE_ADDR"] = $_SERVER['HTTP_X_SUCURI_CLIENTIP'];
}
- 1.x
Place the following code on your /app/etc/local.xml
file inside of the <global></global>
scope:
<remote_addr_headers><!-- list headers that contain real client IP if webserver is behind a reverse proxy -->
<header1>HTTP_X_SUCURI_CLIENTIP</header1>
</remote_addr_headers>
- 2.x
We recommend translate the visitor IP using the web server level method: Apache, NGINX, LiteSpeed, IIS.
If you can’t do this, the following article (use it at your own risk) could help:
https://dev98.de/2017/01/02/how-to-add-alternative-http-headers-to-magento-2/
Settings: Security and Privacy -> "Enable X_FORWARDED_FOR IP matching" set to ‘yes’.
If you are using vBulletin 4.2 or newer they have added in a feature to allow for use behind a proxy like Firewall. Look inside of your /includes/config.php
file for the following code:
/* #### Reverse Proxy IP ####
If your use a system where the main IP address passed to vBulletin is the address of a proxy server
and the actual 'real' ip address is passed in another http header then you enter the details here */
/* Enter your known [trusted] proxy servers here. You can list multiple trusted IPs separated by a comma.*/
//$config['Misc']['proxyiplist'] = '127.0.0.1, 192.168.1.6';
/* If the real IP is passed in a http header variable other than HTTP_X_FORWARDED_FOR, then you can set the name here; */
//$config['Misc']['proxyipheader'] = 'HTTP_X_FORWARDED_FOR';
And modify it to the following to work with our firewall:
/* #### Reverse Proxy IP ####
If your use a system where the main IP address passed to vBulletin is the address of a proxy server
and the actual 'real' ip address is passed in another http header then you enter the details here */
/* Enter your known [trusted] proxy servers here. You can list multiple trusted IPs separated by a comma.*/
$config['Misc']['proxyiplist'] = '192.88.134.2, 192.88.134.3, 192.88.134.4, 192.88.134.5, 192.88.134.6, 192.88.134.7, 192.88.134.8, 192.88.134.9, 192.88.134.10, 192.88.134.11, 192.88.134.12, 192.88.134.13, 192.88.134.14, 192.88.134.15, 192.88.134.16, 192.88.134.17, 192.88.134.18, 192.88.134.19, 192.88.134.20, 192.88.134.21, 192.88.135.2, 192.88.135.3, 192.88.135.4, 192.88.135.5, 192.88.135.6, 192.88.135.7, 192.88.135.8, 192.88.135.9, 192.88.135.10, 192.88.135.11, 192.88.135.12, 192.88.135.13, 192.88.135.14, 192.88.135.15, 192.88.135.16, 192.88.135.17, 192.88.135.18, 192.88.135.19, 192.88.135.20, 192.88.135.21, 185.93.228.2, 185.93.228.3, 185.93.228.4, 185.93.228.5, 185.93.228.6, 185.93.228.7, 185.93.228.8, 185.93.228.9, 185.93.228.10, 185.93.228.11, 185.93.228.12, 185.93.228.13, 185.93.228.14, 185.93.228.15, 185.93.228.16,, 185.93.228.17, 185.93.228.18, 185.93.228.19, 185.93.228.20, 185.93.228.21, 185.93.229.2, 185.93.229.3, 185.93.229.4, 185.93.229.5, 185.93.229.6, 185.93.229.7, 185.93.229.8, 185.93.229.9, 185.93.229.10, 185.93.229.11, 185.93.229.12, 185.93.229.13, 185.93.229.14, 185.93.229.15, 185.93.229.16, 185.93.229.17, 185.93.229.18, 185.93.229.19, 185.93.229.20, 185.93.229.21, 185.93.230.2, 185.93.230.3, 185.93.230.4, 185.93.230.5, 185.93.230.6, 185.93.230.7, 185.93.230.8, 185.93.230.9, 185.93.230.10, 185.93.230.11, 185.93.230.12, 185.93.230.13, 185.93.230.14, 185.93.230.15, 185.93.230.16, 185.93.230.17, 185.93.230.18, 185.93.230.19, 185.93.230.20, 185.93.230.21, 185.93.231.2, 185.93.231.3, 185.93.231.4, 185.93.231.5, 185.93.231.6, 185.93.231.7, 185.93.231.8, 185.93.231.9, 185.93.231.10, 185.93.231.11, 185.93.231.12, 185.93.231.13, 185.93.231.14, 185.93.231.15, 185.93.231.16, 185.93.231.17, 185.93.231.18, 185.93.231.19, 185.93.231.20, 185.93.231.21, 66.248.201.2, 66.248.201.3, 66.248.201.4, 66.248.201.5, 66.248.201.6, 66.248.201.7, 66.248.201.8, 66.248.201.9, 66.248.201.10, 66.248.201.11, 66.248.201.12, 66.248.201.13, 66.248.201.14, 66.248.201.15, 66.248.201.16, 66.248.201.17, 66.248.201.18, 66.248.201.19, 66.248.201.20, 66.248.201.21, 66.248.202.2, 66.248.202.3, 66.248.202.4, 66.248.202.5, 66.248.202.6, 66.248.202.7, 66.248.202.8, 66.248.202.9, 66.248.202.10, 66.248.202.11, 66.248.202.12, 66.248.202.13, 66.248.202.14, 66.248.202.15, 66.248.202.16, 66.248.202.17, 66.248.202.18, 66.248.202.19, 66.248.202.20, 66.248.202.21, 66.248.203.2, 66.248.203.3, 66.248.203.4, 66.248.203.5, 66.248.203.6, 66.248.203.7, 66.248.203.8, 66.248.203.9, 66.248.203.10, 66.248.203.11, 66.248.203.12, 66.248.203.13, 66.248.203.14, 66.248.203.15, 66.248.203.16, 66.248.203.17, 66.248.203.18, 66.248.203.19, 66.248.203.20, 66.248.203.21, 66.248.200.2, 66.248.200.3, 66.248.200.4, 66.248.200.5, 66.248.200.6, 66.248.200.7, 66.248.200.8, 66.248.200.9, 66.248.200.10, 66.248.200.11, 66.248.200.12, 66.248.200.13, 66.248.200.14, 66.248.200.15, 66.248.200.16, 66.248.200.17, 66.248.200.18, 66.248.200.19, 66.248.200.20, 66.248.200.21';
/* If the real IP is passed in a http header variable other than HTTP_X_FORWARDED_FOR, then you can set the name here; */
$config['Misc']['proxyipheader'] = 'HTTP_X_SUCURI_CLIENTIP';
If you are not able to find that code inside of your /includes/config.php
file, you can just add it to the bottom of the file. Make sure you remove the // at the beginning of the 2 lines containing the IP addresses and the header line.
Create the file /override/classes/Tools.php
with the content:
<?php
class Tools extends ToolsCore
{
/**
* Get the server variable REMOTE_ADDR, or the first ip of HTTP_X_FORWARDED_FOR (when using proxy)
*
* @return string $remote_addr ip of client
*/
public static function getRemoteAddr()
{
// This condition is necessary when using CDN, don't remove it.
if (isset($_SERVER['HTTP_X_SUCURI_CLIENTIP']) AND $_SERVER['HTTP_X_SUCURI_CLIENTIP'])
{
if (strpos($_SERVER['HTTP_X_SUCURI_CLIENTIP'], ','))
{
$ips = explode(',', $_SERVER['HTTP_X_SUCURI_CLIENTIP']);
return $ips[0];
}
else
return $_SERVER['HTTP_X_SUCURI_CLIENTIP'];
}
return $_SERVER['REMOTE_ADDR'];
}
}
and remove the file /cache/class_index.php
.
Add the PHP code into the settings.php
file:
if(isset($_SERVER['HTTP_X_SUCURI_CLIENTIP']))
{
$_SERVER["REMOTE_ADDR"] = $_SERVER['HTTP_X_SUCURI_CLIENTIP'];
}
1) Add the PHP code into the configuration.php
file:
if(isset($_SERVER['HTTP_X_SUCURI_CLIENTIP']))
{
$_SERVER["REMOTE_ADDR"] = $_SERVER['HTTP_X_SUCURI_CLIENTIP'];
}
2) On WHMCS admin, go to Settings -> Security -> Trusted Proxies and add each of the following IP ranges:
192.88.134.0/23
185.93.228.0/22
66.248.200.0/22
208.109.0.0/22
2a02:fe80::/29 _(in case of IPv6 support)_
3) On the "Proxy IP Header" field, insert HTTP_X_SUCURI_CLIENTIP
and Save Changes.
Add the PHP code into the index.php
file:
if(isset($_SERVER['HTTP_X_SUCURI_CLIENTIP']))
{
$_SERVER["REMOTE_ADDR"] = $_SERVER['HTTP_X_SUCURI_CLIENTIP'];
}
- 2.2
mod_rpaf
mod_rpaf (For Debian Wheezy)
- 2.4+
Apache 2.4 and above usually comes with mod_remoteip installed, you just need to enable it. If mod_remoteip has not been included in your Apache install you can download it here: mod_remoteip.
If you are using cPanel/WHM, mod_remoteip can be installed with "yum -y install ea-apache24-mod_remoteip
".
Once mod_remoteip is installed, you need to add the following lines into its configuration file. Usually the configuration file would be /etc/apache/conf-available/remoteip.conf
, but if you’re using cPanel/WHM, it would be /etc/apache2/conf.modules.d/370_mod_remoteip.conf
.
RemoteIPHeader X-FORWARDED-FOR
RemoteIPTrustedProxy 192.88.134.0/23
RemoteIPTrustedProxy 185.93.228.0/22
RemoteIPTrustedProxy 66.248.200.0/22
RemoteIPTrustedProxy 208.109.0.0/22
RemoteIPTrustedProxy 2a02:fe80::/29 # this line can be removed if IPv6 is disabled
If it does work, try changing RemoteIPHeader X-FORWARDED-FOR
to RemoteIPHeader X_FORWARDED_FOR
.
You can also add the following line in your /usr/local/apache/conf/includes/post_virtualhost_global.conf
file and restart Apache, if you want to see the visitor IP address in the Apache logs:
LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
After enabling ngx_http_realip_module, add the following to your nginx configuration:
# Define header with original client IP
real_ip_header X-Forwarded-For;
# Define trusted Firewall IPs
set_real_ip_from 192.88.134.0/23;
set_real_ip_from 185.93.228.0/22;
set_real_ip_from 66.248.200.0/22;
set_real_ip_from 208.109.0.0/22;
set_real_ip_from 2a02:fe80::/29; # this line can be removed if IPv6 is disabled
Details here.
In the LiteSpeed Web Admin Panel, go to Configuration -> Server -> General Settings and set Use Client IP in Header to ‘Yes’.
To avoid conflicts with LiteSpeed rate limiting, please also add Sucuri Firewall IP ranges on the Allowed List. Go to Configuration -> Server -> Security -> Allowed List and add the following IP addresses:
192.88.134.0/23T, 185.93.228.0/22T, 66.248.200.0/22T, 208.109.0.0/22T, 2a02:fe80::/29T
Note: If you run into issues with the IPv6 addresses (2a02:fe80::/29), and you do not have any IPv6 addresses assigned to your hosting, you should remove those lines from any directive.