Website Security and Backups Help

Enabling the XFF Header

A common issue our Web Application Firewall (WAF) customers encounter is that their hosting server logs show the same IP address for all users.

The WAF is in the middle of the communication between the visitors and the hosting server so it can filter malicious requests. Because of that, the connection is modified and the source IP at the network level is shown as the Website Firewall IP address and not the visitor's.

If your application needs the real visitor IP address, you have options to make it work. With the help of the X-Forwarded-For (XFF) header, your application or web server can be configured to get the visitor IP address correctly.

WordPress

Install and activate the official Sucuri Plugin.

Back to top


Regular PHP Applications

Add the following code to your application configuration file:


if(isset($_SERVER['HTTP_X_SUCURI_CLIENTIP']))
{
    $_SERVER["REMOTE_ADDR"] = $_SERVER['HTTP_X_SUCURI_CLIENTIP'];
}
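
The snippet above accepts the header on every request, including requests that reach the hosting server without passing through the firewall. A stricter variant, added here as an example and not Sucuri's own code, accepts HTTP_X_SUCURI_CLIENTIP only when the connecting address falls inside the firewall ranges this page lists for trusted proxies. The function names ip_in_cidr and real_client_ip are hypothetical.

```php
<?php
// Added example: trust X-Sucuri-ClientIP only when the TCP peer is a firewall node.
// Ranges copied from the trusted-proxy lists on this page; keep them in sync with it.
const WAF_RANGES = [
    '192.88.134.0/23',
    '185.93.228.0/22',
    '66.248.200.0/22',
    '208.109.0.0/22',
    '2a02:fe80::/29',
];

// True when $ip lies inside $cidr; handles IPv4 and IPv6 by comparing packed bytes.
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparsable, or address families differ
    }
    $bits = (int) $bits;
    $fullBytes = intdiv($bits, 8);
    if (strncmp($ipBin, $netBin, $fullBytes) !== 0) {
        return false; // the whole-byte part of the prefix differs
    }
    $rest = $bits % 8;
    if ($rest === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rest)) & 0xFF; // high $rest bits of the next byte
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

// Returns the visitor address, falling back to the peer address for direct connections.
function real_client_ip(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $hdr  = trim($server['HTTP_X_SUCURI_CLIENTIP'] ?? '');
    foreach (WAF_RANGES as $cidr) {
        if (ip_in_cidr($peer, $cidr)) {
            // Peer is the firewall: accept the header only if it is a well-formed IP.
            return filter_var($hdr, FILTER_VALIDATE_IP) !== false ? $hdr : $peer;
        }
    }
    return $peer; // direct connection: ignore any client-supplied header
}

$_SERVER['REMOTE_ADDR'] = real_client_ip($_SERVER);
```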



Magento

  • 1.x
  • Place the following code in your /app/etc/local.xml file, inside the <global></global> scope:

    <remote_addr_headers><!-- list headers that contain real client IP if webserver is behind a reverse proxy -->
        <header1>HTTP_X_SUCURI_CLIENTIP</header1>
    </remote_addr_headers>
    
  • 2.x
  • We recommend translating the visitor IP using the web server level methods listed below for Apache, NGINX, LiteSpeed, and IIS.

    If you can’t do this, the following article (use it at your own risk) could help:

    https://dev98.de/2017/01/02/how-to-add-alternative-http-headers-to-magento-2/



IP Board

Settings: Security and Privacy -> "Enable X_FORWARDED_FOR IP matching" set to ‘yes’.



vBulletin 4.2+

vBulletin 4.2 and newer include a feature for running behind a proxy such as the Firewall. Look inside your /includes/config.php file for the following code:


/* #### Reverse Proxy IP #### 
If your use a system where the main IP address passed to vBulletin is the address of a proxy server 
and the actual 'real' ip address is passed in another http header then you enter the details here */

/* Enter your known [trusted] proxy servers here. You can list multiple trusted IPs separated by a comma.*/
//$config['Misc']['proxyiplist'] = '127.0.0.1, 192.168.1.6';

/* If the real IP is passed in a http header variable other than HTTP_X_FORWARDED_FOR, then you can set the name here; */
//$config['Misc']['proxyipheader'] = 'HTTP_X_FORWARDED_FOR';

And modify it to the following to work with our firewall:


/* #### Reverse Proxy IP #### 
If your use a system where the main IP address passed to vBulletin is the address of a proxy server 
and the actual 'real' ip address is passed in another http header then you enter the details here */

/* Enter your known [trusted] proxy servers here. You can list multiple trusted IPs separated by a comma.*/
$config['Misc']['proxyiplist'] = '192.88.134.2, 192.88.134.3, 192.88.134.4, 192.88.134.5, 192.88.134.6, 192.88.134.7, 192.88.134.8, 192.88.134.9, 192.88.134.10, 192.88.134.11, 192.88.134.12, 192.88.134.13, 192.88.134.14, 192.88.134.15, 192.88.134.16, 192.88.134.17, 192.88.134.18, 192.88.134.19, 192.88.134.20, 192.88.134.21, 192.88.135.2, 192.88.135.3, 192.88.135.4, 192.88.135.5, 192.88.135.6, 192.88.135.7, 192.88.135.8, 192.88.135.9, 192.88.135.10, 192.88.135.11, 192.88.135.12, 192.88.135.13, 192.88.135.14, 192.88.135.15, 192.88.135.16, 192.88.135.17, 192.88.135.18, 192.88.135.19, 192.88.135.20, 192.88.135.21, 185.93.228.2, 185.93.228.3, 185.93.228.4, 185.93.228.5, 185.93.228.6, 185.93.228.7, 185.93.228.8, 185.93.228.9, 185.93.228.10, 185.93.228.11, 185.93.228.12, 185.93.228.13, 185.93.228.14, 185.93.228.15, 185.93.228.16, 185.93.228.17, 185.93.228.18, 185.93.228.19, 185.93.228.20, 185.93.228.21, 185.93.229.2, 185.93.229.3, 185.93.229.4, 185.93.229.5, 185.93.229.6, 185.93.229.7, 185.93.229.8, 185.93.229.9, 185.93.229.10, 185.93.229.11, 185.93.229.12, 185.93.229.13, 185.93.229.14, 185.93.229.15, 185.93.229.16, 185.93.229.17, 185.93.229.18, 185.93.229.19, 185.93.229.20, 185.93.229.21, 185.93.230.2, 185.93.230.3, 185.93.230.4, 185.93.230.5, 185.93.230.6, 185.93.230.7, 185.93.230.8, 185.93.230.9, 185.93.230.10, 185.93.230.11, 185.93.230.12, 185.93.230.13, 185.93.230.14, 185.93.230.15, 185.93.230.16, 185.93.230.17, 185.93.230.18, 185.93.230.19, 185.93.230.20, 185.93.230.21, 185.93.231.2, 185.93.231.3, 185.93.231.4, 185.93.231.5, 185.93.231.6, 185.93.231.7, 185.93.231.8, 185.93.231.9, 185.93.231.10, 185.93.231.11, 185.93.231.12, 185.93.231.13, 185.93.231.14, 185.93.231.15, 185.93.231.16, 185.93.231.17, 185.93.231.18, 185.93.231.19, 185.93.231.20, 185.93.231.21, 66.248.201.2, 66.248.201.3, 66.248.201.4, 66.248.201.5, 66.248.201.6, 66.248.201.7, 66.248.201.8, 66.248.201.9, 66.248.201.10, 66.248.201.11, 66.248.201.12, 66.248.201.13, 66.248.201.14, 66.248.201.15, 66.248.201.16, 66.248.201.17, 66.248.201.18, 66.248.201.19, 66.248.201.20, 66.248.201.21, 66.248.202.2, 66.248.202.3, 66.248.202.4, 66.248.202.5, 66.248.202.6, 66.248.202.7, 66.248.202.8, 66.248.202.9, 66.248.202.10, 66.248.202.11, 66.248.202.12, 66.248.202.13, 66.248.202.14, 66.248.202.15, 66.248.202.16, 66.248.202.17, 66.248.202.18, 66.248.202.19, 66.248.202.20, 66.248.202.21, 66.248.203.2, 66.248.203.3, 66.248.203.4, 66.248.203.5, 66.248.203.6, 66.248.203.7, 66.248.203.8, 66.248.203.9, 66.248.203.10, 66.248.203.11, 66.248.203.12, 66.248.203.13, 66.248.203.14, 66.248.203.15, 66.248.203.16, 66.248.203.17, 66.248.203.18, 66.248.203.19, 66.248.203.20, 66.248.203.21, 66.248.200.2, 66.248.200.3, 66.248.200.4, 66.248.200.5, 66.248.200.6, 66.248.200.7, 66.248.200.8, 66.248.200.9, 66.248.200.10, 66.248.200.11, 66.248.200.12, 66.248.200.13, 66.248.200.14, 66.248.200.15, 66.248.200.16, 66.248.200.17, 66.248.200.18, 66.248.200.19, 66.248.200.20, 66.248.200.21';

/* If the real IP is passed in a http header variable other than HTTP_X_FORWARDED_FOR, then you can set the name here; */
$config['Misc']['proxyipheader'] = 'HTTP_X_SUCURI_CLIENTIP';

If you are not able to find that code inside of your /includes/config.php file, you can just add it to the bottom of the file. Make sure you remove the // at the beginning of the 2 lines containing the IP addresses and the header line.



PrestaShop

Create the file /override/classes/Tools.php with the content:

<?php

class Tools extends ToolsCore
{
    /**
    * Get the visitor IP from HTTP_X_SUCURI_CLIENTIP (first entry if it holds a list), or the server variable REMOTE_ADDR when the header is absent
    *
    * @return string $remote_addr ip of client
    */
    public static function getRemoteAddr()
    {
        // This condition is necessary when using CDN, don't remove it.
        if (isset($_SERVER['HTTP_X_SUCURI_CLIENTIP']) AND $_SERVER['HTTP_X_SUCURI_CLIENTIP'])
        {
            if (strpos($_SERVER['HTTP_X_SUCURI_CLIENTIP'], ','))
            {
                $ips = explode(',', $_SERVER['HTTP_X_SUCURI_CLIENTIP']);
                return $ips[0];
            }
            else
                return $_SERVER['HTTP_X_SUCURI_CLIENTIP'];
        }
        return $_SERVER['REMOTE_ADDR'];
    }
}

and remove the file /cache/class_index.php.



Drupal

Add the PHP code into the settings.php file:


if(isset($_SERVER['HTTP_X_SUCURI_CLIENTIP']))
{
    $_SERVER["REMOTE_ADDR"] = $_SERVER['HTTP_X_SUCURI_CLIENTIP'];
}



WHMCS

  1. Add the PHP code into the configuration.php file:
    
    if(isset($_SERVER['HTTP_X_SUCURI_CLIENTIP']))
    {
        $_SERVER["REMOTE_ADDR"] = $_SERVER['HTTP_X_SUCURI_CLIENTIP'];
    }
    		
  2. On WHMCS admin, go to Settings -> Security -> Trusted Proxies and add each of the following IP ranges:
    
    192.88.134.0/23
    185.93.228.0/22
    66.248.200.0/22
    208.109.0.0/22
    2a02:fe80::/29 (in case of IPv6 support)
    		
  3. On the "Proxy IP Header" field, insert HTTP_X_SUCURI_CLIENTIP and Save Changes.



CodeIgniter

Add the PHP code into the index.php file:


if(isset($_SERVER['HTTP_X_SUCURI_CLIENTIP']))
{
    $_SERVER["REMOTE_ADDR"] = $_SERVER['HTTP_X_SUCURI_CLIENTIP'];
}



Apache

  • 2.2
  • mod_rpaf

  • 2.4+
  • Apache 2.4 and above usually comes with mod_remoteip installed; you just need to enable it. If mod_remoteip has not been included in your Apache install, you can download it here: mod_remoteip.

    If you are using cPanel/WHM, mod_remoteip can be installed with "yum -y install ea-apache24-mod_remoteip".

    Once mod_remoteip is installed, you need to add the following lines into its configuration file. Usually the configuration file would be /etc/apache/conf-available/remoteip.conf, but if you’re using cPanel/WHM, it would be /etc/apache2/conf.modules.d/370_mod_remoteip.conf.

    
    RemoteIPHeader X-FORWARDED-FOR
    RemoteIPTrustedProxy 192.88.134.0/23
    RemoteIPTrustedProxy 185.93.228.0/22
    RemoteIPTrustedProxy 66.248.200.0/22
    RemoteIPTrustedProxy 208.109.0.0/22
    # The following line can be removed if IPv6 is disabled
    RemoteIPTrustedProxy 2a02:fe80::/29
    	

    If it does not work, try changing RemoteIPHeader X-FORWARDED-FOR to RemoteIPHeader X_FORWARDED_FOR.

    You can also add the following line in your /usr/local/apache/conf/includes/post_virtualhost_global.conf file and restart Apache, if you want to see the visitor IP address in the Apache logs:

    
    LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    	



NGINX

ngx_http_realip_module

After enabling ngx_http_realip_module, add the following to your nginx configuration:


# Define header with original client IP
real_ip_header X-Forwarded-For;
# Define trusted Firewall IPs
set_real_ip_from 192.88.134.0/23;
set_real_ip_from 185.93.228.0/22;
set_real_ip_from 66.248.200.0/22;
set_real_ip_from 208.109.0.0/22;
set_real_ip_from 2a02:fe80::/29; # this line can be removed if IPv6 is disabled



IIS using Advanced Logging

Details here.



LiteSpeed

In the LiteSpeed Web Admin Panel, go to Configuration -> Server -> General Settings and set Use Client IP in Header to ‘Yes’.

To avoid conflicts with LiteSpeed rate limiting, please also add the Sucuri Firewall IP ranges to the Allowed List. Go to Configuration -> Server -> Security -> Allowed List and add the following IP addresses:


192.88.134.0/23T, 185.93.228.0/22T, 66.248.200.0/22T, 208.109.0.0/22T, 2a02:fe80::/29T

Note: If you run into issues with the IPv6 addresses (2a02:fe80::/29), and you do not have any IPv6 addresses assigned to your hosting, you should remove those lines from any directive.
