
How to keep my users safe.

edited May 2016 in Vanilla 2.0 - 2.8

Hello, my name is Mohammad. I don't want to give too much info about what I'm doing due to the fear of the death penalty, but I and a group of people want to open a website to fight against the Saudi Arabian government. We would like to use VanillaForums for the website itself, but we don't have any idea how to stop Vanilla Forums from logging IPs or any other info that could give away the locations of the users or admins if the server itself was raided by the government or hacked.

Comments

  • R_J Ex-Fanboy Munich Admin

    If you create a file /conf/bootstrap.before.php and write the following contents in it, you should be able to mask all IP addresses and Vanilla will always use that false one:

    <?php
    $_SERVER['REMOTE_ADDR'] = '127.0.0.1';
    

    Given that the background of this question is very severe, I would ask more people. Maybe you can also ask on Reddit's phphelp group.

    But please don't forget that your http server also logs IP addresses. Only preventing Vanilla from collecting this information can't be enough.

    I wish you all the best with your project!


  • @R_J said:
    If you create a file /conf/bootstrap.before.php and write the following contents in it, you should be able to mask all IP addresses and Vanilla will always use that false one:

    <?php
    $_SERVER['REMOTE_ADDR'] = '127.0.0.1';
    

    Given that the background of this question is very severe, I would ask more people. Maybe you can also ask on Reddit's phphelp group.

    But please don't forget that your http server also logs IP addresses. Only preventing Vanilla from collecting this information can't be enough.

    I wish you all the best with your project!

    Thanks for the advice.

  • R_J Ex-Fanboy Munich Admin

    There are more server variables that you might want to change:

    HTTP_X_ORIGINALLY_FORWARDED_FOR
    HTTP_X_CLUSTER_CLIENT_IP
    HTTP_X_FORWARDED_FOR
    HTTP_CLIENT_IP
    REMOTE_ADD

    But as I've said before: you might get better help in a forum/discussion group that is not focused on one special php script.


  • @R_J said:
    There are more server variables that you might want to change:

    HTTP_X_ORIGINALLY_FORWARDED_FOR
    HTTP_X_CLUSTER_CLIENT_IP
    HTTP_X_FORWARDED_FOR
    HTTP_CLIENT_IP
    REMOTE_ADD

    But as I've said before: you might get better help in a forum/discussion group that is not focused on one special php script.

    Would I do it like this:
    <?php
    $_SERVER['REMOTE_ADDR'] = '127.0.0.1';
    $_SERVER['HTTP_X_ORIGINALLY_FORWARDED_FOR'] = '127.0.0.1';
    $_SERVER['HTTP_X_CLUSTER_CLIENT_IP'] = '127.0.0.1';
    $_SERVER['HTTP_X_FORWARDED_FOR'] = '127.0.0.1';
    $_SERVER['HTTP_CLIENT_IP'] = '127.0.0.1';
    $_SERVER['REMOTE_ADD'] = '127.0.0.1';

    Any other variables I should add?
    Thanks again for the help!

  • R_J Ex-Fanboy Munich Admin

    As far as I have seen, these server variables seem to be the only ones that are used for determining the visitor's IP in Vanilla.

    Concerning logs of the server, you could start with this article: https://yawnbox.com/index.php/2012/07/27/sop-for-disabiling-ip-address-logging/


  • @R_J said:
    As far as I have seen, these server variables seem to be the only ones that are used for determining the visitor's IP in Vanilla.

    Concerning logs of the server, you could start with this article: https://yawnbox.com/index.php/2012/07/27/sop-for-disabiling-ip-address-logging/

    K, thanks.

  • x00 MVP
    edited May 2016

    If you are waiting until you get to the web application level, it is already too late. IPs are already supplied and logged at various stages.

    The safest thing for your users is for them to access your site through a proxy, which might be pertinent if the site is hosted outside SA and could be easily blocked.

    If you want to be really sophisticated, use dark web techniques and do not have your site located anywhere in particular, but communicate in federation, with a more suitable protocol.

    However, this is not great for non-technical users, and I'm guessing you want a certain overtness to put external pressure on SA.

    grep is your friend.

  • I would provide information on how to use proxies, like Tor.

    grep is your friend.

  • @x00 said:
    I would provide information on how to use proxies, like Tor.

    K, thanks.
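
The masking approach discussed in the thread, written out as one file. This is an added example, not code from the thread's participants or from Vanilla; it masks REMOTE_ADDR and the four forwarded-address variables named above and, as an assumption that goes beyond the thread, also masks any other request header whose value is only IP addresses (the helper names and the sample request are hypothetical, and PHP 7 or later is assumed).

```php
<?php
// Added example for /conf/bootstrap.before.php; not Vanilla's own code.
const MASK_IP = '127.0.0.1'; // placeholder address used in the thread

// Header-derived variables the thread names as read by Vanilla for the visitor IP.
const CLIENT_IP_KEYS = [
    'HTTP_X_ORIGINALLY_FORWARDED_FOR',
    'HTTP_X_CLUSTER_CLIENT_IP',
    'HTTP_X_FORWARDED_FOR',
    'HTTP_CLIENT_IP',
];

// True if $value is one IP address or a comma-separated list of them.
function looks_like_ip_list($value): bool
{
    if (!is_string($value) || $value === '') {
        return false;
    }
    foreach (explode(',', $value) as $part) {
        if (filter_var(trim($part), FILTER_VALIDATE_IP) === false) {
            return false;
        }
    }
    return true;
}

// Return a copy of $server with REMOTE_ADDR, the named headers, and any other
// HTTP_* header that holds only IP addresses replaced by MASK_IP.
function scrub_client_ip(array $server): array
{
    $server['REMOTE_ADDR'] = MASK_IP;
    foreach ($server as $key => $value) {
        $named = in_array($key, CLIENT_IP_KEYS, true);
        // Assumption: other headers holding a bare IP are client-derived.
        // HTTP_HOST is skipped because it names the server, not the visitor.
        $other = strpos($key, 'HTTP_') === 0 && $key !== 'HTTP_HOST'
            && looks_like_ip_list($value);
        if ($named || $other) {
            $server[$key] = MASK_IP;
        }
    }
    return $server;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample request using documentation-range addresses.
    $sample = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_HOST' => 'forum.example',
               'HTTP_X_FORWARDED_FOR' => '198.51.100.4, 203.0.113.7',
               'HTTP_X_REAL_IP' => '198.51.100.4'];
    print_r(scrub_client_ip($sample));
} else {
    $_SERVER = scrub_client_ip($_SERVER);
}
```

This only changes what PHP code sees; the web server's own access and error logs are written outside PHP and have to be handled separately, as the replies above point out.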
