Getting the client's real IP address: analysis of the pros and cons (practical skills)

Source: Internet
Author: User
Tags: HttpContext, ServerVariables
Most code looks like this:

string ipaddress = (HttpContext.Current.Request.ServerVariables["HTTP_X_FORWARDED_FOR"] != null
                    && HttpContext.Current.Request.ServerVariables["HTTP_X_FORWARDED_FOR"] != String.Empty)
                   ? HttpContext.Current.Request.ServerVariables["HTTP_X_FORWARDED_FOR"]
                   : HttpContext.Current.Request.ServerVariables["REMOTE_ADDR"];

In fact, the above code only works when the user goes through a single proxy layer. If the user goes through two or three layers, the value of HTTP_X_FORWARDED_FOR is "client's real IP, 1st-layer proxy IP, 2nd-layer proxy IP, ...". If the IP field in your database is small (15 bytes), the database insert will fail.
In practice there are few such users, because relatively few people go through several layers of transparent proxies.
On the other hand, more and more sites now use proxies for acceleration; for example, Sina and Sohu News use squid as a proxy and spread the load across multiple servers. Squid itself behaves like a transparent proxy and sends HTTP_X_FORWARDED_FOR containing the client's IP address. If the client already went through one layer of transparent proxy, the HTTP_X_FORWARDED_FOR the program receives contains two IP addresses. (I have seen 3 IP addresses; I have not seen 4.)
So to get the "real" IP address, you should also check whether HTTP_X_FORWARDED_FOR contains a "," comma, or whether its length is unusually long (more than the 15 bytes of xxx.xxx.xxx.xxx).
So the code should be as follows:


/// <summary>
/// Get the client's real IP. If there is a proxy, take the first non-intranet address.
/// by flower.b
/// </summary>
public static string IPAddress
{
    get
    {
        string result = String.Empty;
        result = HttpContext.Current.Request.ServerVariables["HTTP_X_FORWARDED_FOR"];
        if (result != null && result != String.Empty)
        {
            // There may be a proxy
            if (result.IndexOf(".") == -1)   // No "." : definitely not IPv4 format
                result = null;
            else
            {
                if (result.IndexOf(",") != -1)
                {
                    // There is a ",": probably several proxies. Take the first IP that is not intranet.
                    result = result.Replace(" ", "").Replace("'", "");
                    string[] temparyip = result.Split(",;".ToCharArray());
                    for (int i = 0; i < temparyip.Length; i++)
                    {
                        if (Text.IsIPAddress(temparyip[i])
                            && temparyip[i].Substring(0, 3) != "10."
                            && temparyip[i].Substring(0, 7) != "192.168"
                            && temparyip[i].Substring(0, 7) != "172.16.")   // only 172.16.x, not the whole 172.16.0.0/12 range
                        {
                            return temparyip[i];   // Found an address that is not intranet
                        }
                    }
                    result = null;   // Every hop was intranet: fall back to REMOTE_ADDR instead of returning the whole list
                }
                else if (Text.IsIPAddress(result))   // the proxy value is in IP format
                    return result;
                else
                    result = null;   // Content from the proxy is not an IP: fall back to REMOTE_ADDR
            }
        }

        if (null == result || result == String.Empty)
            result = HttpContext.Current.Request.ServerVariables["REMOTE_ADDR"];
        if (result == null || result == String.Empty)
            result = HttpContext.Current.Request.UserHostAddress;
        return result;
    }
}

Drawbacks of using HTTP_X_FORWARDED_FOR.
HTTP_X_FORWARDED_FOR is just a header in the HTTP protocol and has nothing to do with the TCP connection. In other words, the client can put any content it likes into HTTP_X_FORWARDED_FOR and fake its IP. The simplest case is a web program that records client IPs: it means to record the real IP, but is fooled by this "hacker" trick. When your application logs clients' IPs, or denies or allows access by IP, the log can be wrong, and legitimate users can even be blocked by mistake.
Therefore, a proper security log should record the full HTTP_X_FORWARDED_FOR (the database field should be at least 3*15+2 bytes so it can hold at least 3 IPs) as well as REMOTE_ADDR. Checking that HTTP_X_FORWARDED_FOR is in IP format is also essential.
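The two rules above, as an added example that is not part of the original post: a standalone Python model of the logic rather than ASP.NET code. It implements the article's "first non-intranet hop" selection and, going beyond the article, a trusted-proxy walk from the right that ignores hops a client appended itself; all addresses and the trusted proxy list are constructed for the demonstration.

```python
MAX_IPV4_LEN = 15  # "xxx.xxx.xxx.xxx", the column width the article warns about


def is_ipv4(text):
    """Strict IPv4 format check: four dotted decimal octets, 0..255, no leading zeros."""
    if not text or len(text) < 7 or len(text) > MAX_IPV4_LEN:
        return False
    parts = text.split(".")
    return len(parts) == 4 and all(
        p.isdigit() and str(int(p)) == p and int(p) <= 255 for p in parts)


def is_intranet(ip):
    """RFC 1918 ranges 10/8, 172.16/12, 192.168/16 (the article's check only covers 172.16.x)."""
    a, b = (int(p) for p in ip.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def parse_xff(header):
    """Split HTTP_X_FORWARDED_FOR into hops, left to right: client first, last proxy last."""
    if header is None:
        return []
    return [h.strip().strip("'") for h in header.replace(";", ",").split(",") if h.strip()]


def first_public_hop(xff, remote_addr):
    """The article's rule: first hop that is IPv4 and not intranet, else REMOTE_ADDR.
    Believes whatever the leftmost hop says, so a client-supplied header wins."""
    for hop in parse_xff(xff):
        if is_ipv4(hop) and not is_intranet(hop):
            return hop
    return remote_addr


def client_ip_from_trusted(remote_addr, xff, trusted_proxies):
    """Defensive rule: only hops appended by our own proxies are believed.
    Walk from the right (TCP peer first), skip our proxies; the first address
    we did not add is the client. A malformed hop falls back to the TCP peer."""
    chain = parse_xff(xff) + [remote_addr]
    for hop in reversed(chain):
        if not is_ipv4(hop):
            return remote_addr
        if hop not in trusted_proxies:
            return hop
    return remote_addr


def min_column_width(n_ips):
    """Log column size to keep n comma-separated IPv4 hops (the article's 3*15+2 for 3)."""
    return n_ips * MAX_IPV4_LEN + (n_ips - 1)
```

With the constructed header "203.0.113.99, 203.0.113.5" arriving through the trusted proxy 198.51.100.9, the article's rule reports 203.0.113.99 while the trusted-proxy walk reports the real client 203.0.113.5; logging both REMOTE_ADDR and the full header, as the article advises, is what lets you tell the two apart afterwards.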
Appendix: (Text is my custom class; IsIPAddress is one of its methods, used to check whether a string is in IP address format)

using System.Text.RegularExpressions;

#region bool IsIPAddress(str1) determines whether the string is in IP format
/// <summary>
/// Determine whether the string is in IP address format 0.0.0.0
/// </summary>
/// <param name="str1">IP address to be checked</param>
/// <returns>true or false</returns>
public static bool IsIPAddress(string str1)
{
    if (str1 == null || str1 == String.Empty || str1.Length < 7 || str1.Length > 15) return false;
    // Checks the dotted-decimal shape only; it does not verify that each octet is 0..255
    string regformat = @"^\d{1,3}[\.]\d{1,3}[\.]\d{1,3}[\.]\d{1,3}$";
    Regex regex = new Regex(regformat, RegexOptions.IgnoreCase);
    return regex.IsMatch(str1);
}
#endregion
