Add Support for CloudFlare's CF-Connecting-IP Header for Checking IP Bans?

[mkoch227]

When submitting a ticket through a system that uses CloudFlare, the IP address ($_SERVER['REMOTE_ADDR']) returns the cloudflare IP that the user connected to and not the actual user's IP, unless their server has the mod_cloudflare Apache module installed. In order to adequately check to see if the user's IP is banned, HESK should check for the IP address returned from the CF-Connecting-IP HTTP header (if it exists), and then $_SERVER['REMOTE_ADDR'].

An alternative would be to instruct users to install the mod_cloudflare Apache module, however some shared hosts may not allow users to do this on their own.

[Klemen]

Shouldn't be hard to add.

However, the problem with extra headers is they are extremely easy to fake. If there is a CF-Connecting-IP header present there is no guarantee at all that the request is really from CloudFlare. An attacker on a server not using CloudFlare could easily add an CF-Connecting-IP header (set to a random IP) to the HTTP requests and hide the real IP address.

If it's added it should be added as a optional setting, so it can be enabled manually only on servers that use CF.