Most PayPal payments do not check whether the confirmation actually comes from a PayPal server. So "we" added a check to ensure that only PayPal can update the order. The problems appear if you use a reverse proxy. When PayPal connects to your shop, it is your shop that sits behind the proxy (not the client, as with a normal proxy). So vm does not get the client IP; it gets the internal IP of the server, usually 127.0.0.1, and therefore the IP validation fails.
The core is almost the same as vm2.6.14; the only difference now is that I added an extra config setting, so that people using a reverse proxy, CDN, load balancer or similar can enter the variable of their reverse_proxy.
Here is a simple explanation:
http://blog.haproxy.com/2012/06/05/preserve-source-ip-address-despite-reverse-proxies/
or look here:
http://nginx.com/resources/admin-guide/reverse-proxy/
and there you can see the problem:

    location /some/path/ {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://localhost:8000;
    }

In this case the right variable is X-Real-IP, even though X_FORWARDED_FOR is the convention. It is only a "de facto" convention: a lot of people use it, but not everyone. In addition, if you use X-Real-IP, it could be that PHP wants X_REAL_IP. I must admit I know about that only theoretically and have never configured it myself.
There may be a simple method to find the server variable. Just put this somewhere in a layout or similar:
vmdebug('My server variable',$_SERVER);
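
One way to resolve the address for the IP validation described above, as an added example that is not VirtueMart's own code: the configured proxy variable is honoured only when the connection really comes from your own reverse proxy, because a client that reaches the shop directly can set any header it likes. The function name, its parameters and the list of trusted proxy addresses are hypothetical, and a single proxy hop is assumed.

```php
<?php
// Added example, not VirtueMart code. All names here are hypothetical.

/**
 * Return the address to validate against PayPal's servers, or null if unknown.
 *
 * $server         the $_SERVER array
 * $proxyVariable  the configured variable, e.g. "X-Real-IP" or "X_FORWARDED_FOR"
 * $trustedProxies addresses of your own reverse proxy (assumption: you know them)
 */
function resolveClientIp(array $server, string $proxyVariable, array $trustedProxies): ?string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    // Peer is not our proxy: the header could be set by anyone, so ignore it.
    if ($proxyVariable === '' || !in_array($remote, $trustedProxies, true)) {
        return $remote;
    }
    // PHP exposes the request header "X-Real-IP" as $_SERVER['HTTP_X_REAL_IP'].
    $name = strtoupper(str_replace('-', '_', $proxyVariable));
    if (strpos($name, 'HTTP_') !== 0) {
        $name = 'HTTP_' . $name;
    }
    if (empty($server[$name])) {
        return null; // proxy did not pass the header: fail closed
    }
    // X-Forwarded-For can be a list "client, proxy1"; with one proxy hop the
    // last entry is the one our own proxy appended.
    $parts = array_map('trim', explode(',', $server[$name]));
    $candidate = end($parts);
    return filter_var($candidate, FILTER_VALIDATE_IP) !== false ? $candidate : null;
}

// Constructed sample requests (documentation address ranges).
$trusted  = ['127.0.0.1', '::1'];
$viaProxy = ['REMOTE_ADDR' => '127.0.0.1',    'HTTP_X_REAL_IP' => '203.0.113.10'];
$direct   = ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_X_REAL_IP' => '203.0.113.10'];

var_dump(resolveClientIp($viaProxy, 'X-Real-IP', $trusted)); // header is used
var_dump(resolveClientIp($direct, 'X-Real-IP', $trusted));   // header is ignored
```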