Updated the use of REMOTE_ADDR to a function then replaced its use

html/bandwidth-graph.php

@@ -37,7 +37,7 @@ include("../includes/functions.php");
 include("includes/functions.inc.php");
 include("includes/authenticate.inc.php");
 
-if ($_SERVER['REMOTE_ADDR'] != $_SERVER['SERVER_ADDR']) { if (!$_SESSION['authenticated']) { echo("unauthenticated"); exit; } }
+if (get_client_ip() != $_SERVER['SERVER_ADDR']) { if (!$_SESSION['authenticated']) { echo("unauthenticated"); exit; } }
 require_once("includes/jpgraph/src/jpgraph.php");
 require_once("includes/jpgraph/src/jpgraph_line.php");
 require_once("includes/jpgraph/src/jpgraph_bar.php");
@@ -46,7 +46,7 @@ require_once("includes/jpgraph/src/jpgraph_date.php");
 
 if (is_numeric($_GET['bill_id']))
 {
-  if ($_SERVER['REMOTE_ADDR'] != $_SERVER['SERVER_ADDR'])
+  if (get_client_ip() != $_SERVER['SERVER_ADDR'])
   {
     if (bill_permitted($_GET['bill_id']))
     {

html/billing-graph.php

@@ -37,7 +37,7 @@ include("../includes/functions.php");
 include("includes/functions.inc.php");
 include("includes/authenticate.inc.php");
 
-if ($_SERVER['REMOTE_ADDR'] != $_SERVER['SERVER_ADDR']) { if (!$_SESSION['authenticated']) { echo("unauthenticated"); exit; } }
+if (get_client_ip() != $_SERVER['SERVER_ADDR']) { if (!$_SESSION['authenticated']) { echo("unauthenticated"); exit; } }
 require("includes/jpgraph/src/jpgraph.php");
 include("includes/jpgraph/src/jpgraph_line.php");
 include("includes/jpgraph/src/jpgraph_utils.inc.php");
@@ -45,7 +45,7 @@ include("includes/jpgraph/src/jpgraph_date.php");
 
 if (is_numeric($_GET['bill_id']))
 {
-  if ($_SERVER['REMOTE_ADDR'] != $_SERVER['SERVER_ADDR'])
+  if (get_client_ip() != $_SERVER['SERVER_ADDR'])
   {
     if (bill_permitted($_GET['bill_id']))
     {

html/includes/authenticate.inc.php

@@ -28,7 +28,7 @@ dbDelete('session', "`session_expiry` <  ?", array(time()));
 
 if ($vars['page'] == "logout" && $_SESSION['authenticated'])
 {
-  dbInsert(array('user' => $_SESSION['username'], 'address' => $_SERVER["REMOTE_ADDR"], 'result' => 'Logged Out'), 'authlog');
+  dbInsert(array('user' => $_SESSION['username'], 'address' => get_client_ip(), 'result' => 'Logged Out'), 'authlog');
   dbDelete('session', "`session_username` =  ? AND session_value = ?", array($_SESSION['username'],$_COOKIE['sess_id']));
   unset($_SESSION);
   unset($_COOKIE);
@@ -81,7 +81,7 @@ if ((isset($_SESSION['username'])) || (isset($_COOKIE['sess_id'],$_COOKIE['token
       }
       if( !$config['twofactor'] || $_SESSION['twofactor'] ) {
         $_SESSION['authenticated'] = true;
-        dbInsert(array('user' => $_SESSION['username'], 'address' => $_SERVER["REMOTE_ADDR"], 'result' => 'Logged In'), 'authlog');
+        dbInsert(array('user' => $_SESSION['username'], 'address' => get_client_ip(), 'result' => 'Logged In'), 'authlog');
       }
     }
     if (isset($_POST['remember']))
@@ -113,7 +113,7 @@ if ((isset($_SESSION['username'])) || (isset($_COOKIE['sess_id'],$_COOKIE['token
   {
     $auth_message = "Authentication Failed";
     unset ($_SESSION['authenticated']);
-    dbInsert(array('user' => $_SESSION['username'], 'address' => $_SERVER["REMOTE_ADDR"], 'result' => 'Authentication Failure'), 'authlog');
+    dbInsert(array('user' => $_SESSION['username'], 'address' => get_client_ip(), 'result' => 'Authentication Failure'), 'authlog');
   }
 }
 ?>

html/includes/functions.inc.php

@@ -728,4 +728,13 @@ function demo_account() {
     print_error("You are logged in as a demo account, this page isn't accessible to you");
 }
 
+function get_client_ip() {
+    if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
+        $client_ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
+    } else {
+        $client_ip = $_SERVER['REMOTE_ADDR'];
+    }
+    return $client_ip;
+}
+
 ?>