8. Author IP


The Mollom XML-RPC API interface has been deprecated, and is included here for archival purposes.

To develop clients and services that connect to Mollom, use the Mollom REST API.

The content author's IP address (not the hostname) needs to be included with many API calls. The 'author_ip' parameter is optional, but it can drastically improve Mollom's results.

When moderating or editing a content, the client should send the IP address of the original poster, not the moderator's. If the original IP address is no longer known, 'author_ip' should not be specified.

Sending the correct IP address is key, and non-trivial. Care needs to be taken to do it right. It is important to send the visitor's actual IP address and not that of a reverse proxy.

The REMOTE_ADDR HTTP variable holds the visitor's IP in most situations.

The HTTP_X_FORWARDED_FOR HTTP header will hold the visitor's IP when running behind a reverse proxy (such as Squid), since the REMOTE_ADDR HTTP variable will contain the reverse proxy's IP address.

The HTTP_X_CLUSTER_CLIENT_IP HTTP header may hold the visitor's IP when running on a cluster setup.

Both HTTP_X_FORWARDED_FOR and HTTP_X_CLUSTER_CLIENT_IP can be spoofed; those header values should not be trusted unless they are guaranteed to come from a reverse proxy.

To see example PHP code, you may consult the ip_address() function in Drupal core. You will recognize that it does not use the unsafe HTTP headers unless a site administrator has explicitly enabled Drupal's reverse proxy configuration setting.