mattrude/rc-plugin-fail2ban

Wrong IP is logged with Roundcube behind a proxy (X-Real-IP or/and X-Forwarded-For)

remoteclient opened this issue · 2 comments

Thank you for your plugin. As you can see in this commit, logs look different if a Roundcube instance runs behind a load balancer / reverse proxy. As a result, fail2ban will fail to block authentication attempts. (Relevant discussion here)

We can either add the new config options to the README file, or create a new fail2ban/filter.d/roundcube.conf file with these changes. Haven't decided yet, what do you think?

I just wanted to point out that behind load balancers / SSL proxies different IP addresses exist. The first one is the proxy and the second one is the IP from where the request originates. Your plugin only logs the proxy IP when it's behind one, and so attackers can't be banned. I changed your code to something like this on my server:

  function log($args)
  {
    // Use the X-Forwarded-For header when it is set, otherwise the TCP peer address.
    $remote_addr = !empty($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
    // Original line, which logs the proxy address when Roundcube is behind one:
    #$log_entry = '[roundcube] FAILED login for ' .$args['user']. ' from ' .getenv('REMOTE_ADDR');
    $log_entry = '[roundcube] FAILED login for ' .$args['user']. ' from ' .$remote_addr;
    $log_config = rcmail::get_instance()->config->get('log_driver');
    $log_dir = rcmail::get_instance()->config->get('log_dir');

    // Write the entry to syslog or to <log_dir>/userlogins, depending on log_driver.
    if ($log_config == 'syslog'){
       syslog(LOG_WARNING, $log_entry);
    } elseif ($log_config == 'file'){
       error_log('['.date('d-M-Y H:i:s O')."]: ".$log_entry."\n", 3, $log_dir."/userlogins");
    } else {
       echo 'WARNING!! The RoundCube Fail2Ban Plugin was unable to retrieve the log driver from the config, please check your config file for log_driver.';
    }
  }

I did not cover the X-Real-IP as I don't need it. An improvement would be to have a separate confic.inc.inc where someone could set the headers to log.
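
Added example (not part of the issue thread and not the plugin's code): X-Forwarded-For is sent by the client unless a proxy you operate overwrites or appends to it, and it can hold a comma-separated chain, so the value written to the log that fail2ban reads should be taken from the header only when the TCP peer is a known proxy. The function name `resolve_client_ip()`, the `$trusted` list and all addresses below are assumptions made for illustration.

```php
<?php
// Added example, not the plugin's code. resolve_client_ip() and $trusted are
// hypothetical names; every address below is a constructed sample value.

/**
 * Return the address that should be written to the fail2ban log line.
 * X-Forwarded-For is honoured only when the TCP peer is a known proxy;
 * on a direct connection the header is client-supplied and is ignored.
 */
function resolve_client_ip(array $server, array $trusted_proxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trusted_proxies, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer;
    }

    // The header is a chain such as "client, proxy1, proxy2". Each proxy appends
    // the address it received the request from, so walk from the right and stop
    // at the first hop that is not one of our own proxies.
    $hops = array_reverse(array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'])));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            // Malformed entry: keep it out of the log and fall back to the peer.
            return $peer;
        }
        if (!in_array($hop, $trusted_proxies, true)) {
            return $hop;
        }
    }
    return $peer; // every hop was one of our own proxies
}

// Constructed sample requests; 10.0.0.5 stands in for the reverse proxy.
$trusted = ['10.0.0.5'];
$cases = [
    'direct, header supplied by client' => ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'],
    'via proxy'                         => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7'],
    'via proxy, client-supplied prefix' => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 198.51.100.7'],
    'via proxy, malformed value'        => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => "198.51.100.7\nfrom 192.0.2.1"],
];
foreach ($cases as $name => $server) {
    printf("%-36s => %s\n", $name, resolve_client_ip($server, $trusted));
}
```

Because the result is always a single validated address or the peer address, the log line keeps the one-address shape that a fail2ban `<HOST>` pattern expects.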