Fix issue #907 and add header_ips configuration setting
narfbg committed Jan 10, 2012
1 parent e9a5a86 commit 5e052f5
Showing 3 changed files with 92 additions and 88 deletions.
123 changes: 60 additions & 63 deletions application/config/config.php
@@ -1,13 +1,13 @@
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
/**
* CodeIgniter
*
* An open source application development framework for PHP 5.1.6 or newer
*
* NOTICE OF LICENSE
*
*
* Licensed under the Academic Free License version 3.0
*
*
* This source file is subject to the Academic Free License (AFL 3.0) that is
* bundled with this package in the files license_afl.txt / license_afl.rst.
* It is also available through the world wide web at this URL:
Expand Down Expand Up @@ -37,7 +37,6 @@
|
| If this is not set then CodeIgniter will guess the protocol, domain and
| path to your installation.
|
*/
$config['base_url'] = '';

Expand All @@ -49,7 +48,6 @@
| Typically this will be your index.php file, unless you've renamed it to
| something else. If you are using mod_rewrite to remove the page set this
| variable so that it is blank.
|
*/
$config['index_page'] = 'index.php';

Expand All @@ -59,15 +57,14 @@
|--------------------------------------------------------------------------
|
| This item determines which server global should be used to retrieve the
| URI string. The default setting of 'AUTO' works for most servers.
| URI string. The default setting of 'AUTO' works for most servers.
| If your links do not seem to work, try one of the other delicious flavors:
|
| 'AUTO' Default - auto detects
| 'PATH_INFO' Uses the PATH_INFO
| 'QUERY_STRING' Uses the QUERY_STRING
| 'REQUEST_URI' Uses the REQUEST_URI
| 'ORIG_PATH_INFO' Uses the ORIG_PATH_INFO
|
*/
$config['uri_protocol'] = 'AUTO';

Expand All @@ -81,7 +78,6 @@
|
| http://codeigniter.com/user_guide/general/urls.html
*/

$config['url_suffix'] = '';

/*
Expand All @@ -92,7 +88,6 @@
| This determines which set of language files should be used. Make sure
| there is an available translation if you intend to use something other
| than english.
|
*/
$config['language'] = 'english';

Expand All @@ -105,7 +100,6 @@
| that require a character set to be provided.
|
| See http://php.net/htmlspecialchars for a list of supported charsets.
|
*/
$config['charset'] = 'UTF-8';

Expand All @@ -115,47 +109,41 @@
|--------------------------------------------------------------------------
|
| If you would like to use the 'hooks' feature you must enable it by
| setting this variable to TRUE (boolean). See the user guide for details.
|
| setting this variable to TRUE (boolean). See the user guide for details.
*/
$config['enable_hooks'] = FALSE;


/*
|--------------------------------------------------------------------------
| Class Extension Prefix
|--------------------------------------------------------------------------
|
| This item allows you to set the filename/classname prefix when extending
| native libraries. For more information please see the user guide:
| native libraries. For more information please see the user guide:
|
| http://codeigniter.com/user_guide/general/core_classes.html
| http://codeigniter.com/user_guide/general/creating_libraries.html
|
*/
$config['subclass_prefix'] = 'MY_';


/*
|--------------------------------------------------------------------------
| Allowed URL Characters
|--------------------------------------------------------------------------
|
| This lets you specify with a regular expression which characters are permitted
| within your URLs. When someone tries to submit a URL with disallowed
| within your URLs. When someone tries to submit a URL with disallowed
| characters they will get a warning message.
|
| As a security measure you are STRONGLY encouraged to restrict URLs to
| as few characters as possible. By default only these are allowed: a-z 0-9~%.:_-
| as few characters as possible. By default only these are allowed: a-z 0-9~%.:_-
|
| Leave blank to allow all characters -- but only if you are insane.
|
| DO NOT CHANGE THIS UNLESS YOU FULLY UNDERSTAND THE REPERCUSSIONS!!
|
*/
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';


/*
|--------------------------------------------------------------------------
| Enable Query Strings
Expand All @@ -164,7 +152,7 @@
| By default CodeIgniter uses search-engine friendly segment based URLs:
| example.com/who/what/where/
|
| By default CodeIgniter enables access to the $_GET array. If for some
| By default CodeIgniter enables access to the $_GET array. If for some
| reason you would like to disable it, set 'allow_get_array' to FALSE.
|
| You can optionally enable standard query string based URLs:
Expand All @@ -179,12 +167,11 @@
| Please note that some of the helpers won't work as expected when
| this feature is enabled, since CodeIgniter is designed primarily to
| use segment based URLs.
|
*/
$config['allow_get_array'] = TRUE;
$config['allow_get_array'] = TRUE;
$config['enable_query_strings'] = FALSE;
$config['controller_trigger'] = 'c';
$config['function_trigger'] = 'm';
$config['function_trigger'] = 'm';
$config['directory_trigger'] = 'd'; // experimental not currently in use

/*
Expand All @@ -193,7 +180,7 @@
|--------------------------------------------------------------------------
|
| If you have enabled error logging, you can set an error threshold to
| determine what gets logged. Threshold options are:
| determine what gets logged.
| You can enable error logging by setting a threshold over zero. The
| threshold determines what gets logged. Threshold options are:
|
Expand All @@ -204,12 +191,11 @@
| 4 = All Messages
|
| You can also pass in a array with threshold levels to show individual error types
|
|
| array(2) = Debug Messages, without Error Messages
|
| For a live site you'll usually only enable Errors (1) to be logged otherwise
| your log files will fill up very fast.
|
*/
$config['log_threshold'] = 0;

Expand All @@ -220,7 +206,6 @@
|
| Leave this BLANK unless you would like to set something other than the default
| application/logs/ folder. Use a full server path with trailing slash.
|
*/
$config['log_path'] = '';

Expand All @@ -231,7 +216,6 @@
|
| Each item that is logged has an associated date. You can use PHP date
| codes to set your own date formatting
|
*/
$config['log_date_format'] = 'Y-m-d H:i:s';

Expand All @@ -242,7 +226,6 @@
|
| Leave this BLANK unless you would like to set something other than the default
| system/cache/ folder. Use a full server path with trailing slash.
|
*/
$config['cache_path'] = '';

Expand All @@ -253,10 +236,9 @@
|
| If you use the Encryption class or the Session class you
| MUST set an encryption key. See the user guide for info.
|
|
| http://codeigniter.com/user_guide/libraries/encryption.html
| http://codeigniter.com/user_guide/libraries/sessions.html
|
*/
$config['encryption_key'] = '';

Expand All @@ -266,17 +248,17 @@
|--------------------------------------------------------------------------
|
| 'sess_cookie_name' = the name you want for the cookie
| 'sess_expiration' = the number of SECONDS you want the session to last.
| by default sessions last 7200 seconds (two hours). Set to zero for no expiration.
| 'sess_expiration' = the number of SECONDS you want the session to last.
| by default sessions last 7200 seconds (two hours).
| Set to zero for no expiration.
| 'sess_expire_on_close' = Whether to cause the session to expire automatically
| when the browser window is closed
| when the browser window is closed
| 'sess_encrypt_cookie' = Whether to encrypt the cookie
| 'sess_use_database' = Whether to save the session data to a database
| 'sess_table_name' = The name of the session database table
| 'sess_match_ip' = Whether to match the user's IP address when reading the session data
| 'sess_table_name' = The name of the session database table
| 'sess_match_ip' = Whether to match the user's IP address when reading the session data
| 'sess_match_useragent' = Whether to match the User Agent when reading the session data
| 'sess_time_to_update' = how many seconds between CI refreshing Session Information
|
*/
$config['sess_cookie_name'] = 'ci_session';
$config['sess_expiration'] = 7200;
Expand All @@ -295,13 +277,12 @@
|
| 'cookie_prefix' = Set a prefix if you need to avoid collisions
| 'cookie_domain' = Set to .your-domain.com for site-wide cookies
| 'cookie_path' = Typically will be a forward slash
| 'cookie_secure' = Cookies will only be set if a secure HTTPS connection exists.
|
| 'cookie_path' = Typically will be a forward slash
| 'cookie_secure' = Cookies will only be set if a secure HTTPS connection exists.
*/
$config['cookie_prefix'] = "";
$config['cookie_domain'] = "";
$config['cookie_path'] = "/";
$config['cookie_prefix'] = '';
$config['cookie_domain'] = '';
$config['cookie_path'] = '/';
$config['cookie_secure'] = FALSE;

/*
Expand All @@ -310,8 +291,7 @@
|--------------------------------------------------------------------------
|
| Determines whether the XSS filter is always active when GET, POST or
| COOKIE data is encountered
|
| COOKIE data is encountered.
*/
$config['global_xss_filtering'] = FALSE;

Expand Down Expand Up @@ -341,17 +321,16 @@
| Output Compression
|--------------------------------------------------------------------------
|
| Enables Gzip output compression for faster page loads. When enabled,
| Enables Gzip output compression for faster page loads. When enabled,
| the output class will test whether your server supports Gzip.
| Even if it does, however, not all browsers support compression
| so enable only if you are reasonably sure your visitors can handle it.
|
| VERY IMPORTANT: If you are getting a blank page when compression is enabled it
| VERY IMPORTANT: If you are getting a blank page when compression is enabled it
| means you are prematurely outputting something to your browser. It could
| even be a line of whitespace at the end of one of your scripts. For
| even be a line of whitespace at the end of one of your scripts. For
| compression to work, nothing can be sent before the output buffer is called
| by the output class. Do not 'echo' any values with compression enabled.
|
| by the output class. Do not 'echo' any values with compression enabled.
*/
$config['compress_output'] = FALSE;

Expand All @@ -364,37 +343,55 @@
| your server's local time as the master 'now' reference, or convert it to
| GMT. See the 'date helper' page of the user guide for information
| regarding date handling.
|
*/
$config['time_reference'] = 'local';


/*
|--------------------------------------------------------------------------
| Rewrite PHP Short Tags
|--------------------------------------------------------------------------
|
| If your PHP installation does not have short tag support enabled CI
| can rewrite the tags on-the-fly, enabling you to utilize that syntax
| in your view files. Options are TRUE or FALSE (boolean)
|
| in your view files. Options are TRUE or FALSE (boolean)
*/
$config['rewrite_short_tags'] = FALSE;


/*
|--------------------------------------------------------------------------
| Reverse Proxy IPs
| Override REMOTE_ADDR
|--------------------------------------------------------------------------
|
| If your server is behind a reverse proxy, you must whitelist the proxy IP
| addresses from which CodeIgniter should trust the HTTP_X_FORWARDED_FOR
| header in order to properly identify the visitor's IP address.
| Comma-delimited, e.g. '10.0.1.200,10.0.1.201'
| Those are useful if you have clients accessing your application through a
| proxy or if the server itself is behind a firewall/proxy. In those cases
| REMOTE_ADDR can appear to always be the same for either a specific group
| of clients or all of them.
|
| Headers used to get the client IP are (if available; first to last order):
| - HTTP_X_FORWARDED_FOR
| - HTTP_CLIENT_IP
| - HTTP_X_CLUSTER_CLIENT_IP
|
| 'proxy_ips' = Specifies a whilelist of trusted proxy IP addresses for
| which to enable overriding. Mostly useful if you have a
| group of clients using a trusted proxy. This setting
| doesn't depend on 'header_ips' and will work even if it's
| disabled. Can be set to:
| (array) each element must be a valid IP address
| e.g. array('10.0.1.200', '10.0.1.201');
| (string) a comma-separated list of IP addresses
| e.g. '10.0.1.200,10.0.1.201'
|
| 'header_ips' = Whether to always enable overriding of REMOTE_ADDR.
| TRUE to enable
| FALSE to disable (default)
|
| WARNING: Enabling 'header_ips' causes a potential
| security risk! Do NOT set to TRUE unless you
| are certain that you need to!
*/
$config['proxy_ips'] = '';

$config['proxy_ips'] = array();
$config['header_ips'] = FALSE;

/* End of file config.php */
/* Location: ./application/config/config.php */
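Review bot: The WARNING under 'header_ips' in the new "Override REMOTE_ADDR" comment block does not say what the risk is, so an operator cannot judge when TRUE is acceptable. The three headers listed above it are ordinary request headers that a client can set, so with overriding always on, anything keyed on the reported address (for example 'sess_match_ip' in this same file, or IP-based logging and access checks) would presumably rest on a value the client chose. I would extend the warning with `| Any client can then supply its own IP address; prefer 'proxy_ips' and do not rely on sess_match_ip or IP-based checks.` The 'proxy_ips' description in the same block misspells whitelist as "whilelist". The code that reads both settings is in another file of this commit and is not shown on this page, so how a multi-address X-Forwarded-For value is handled should be confirmed there.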