E-commerce issues: Client IP address forgery, CDN, reverse proxy, and Acquisition

20120917 @ Zheng yu Summary

The common Java/PHP server obtains the Client IP address as follows: PseudoCode: 1) IP = request. getheader (" X-FORWARDED-FOR") Forge. See Appendix. 2) If the value is null or the array length is 0 or equal"Unknown", Then: IP = request. getheader ("Proxy-client-IP") 3) if this valueNullOr the array length is 0.Or equal"Unknown", Then: IP = request. getheader ("WL-proxy-client-IP") 4) if this value Null Or the array length is 0. Or equal " Unknown " , Then: IP = request. getheader ("Http_client_ip") Forge 5) if this value is null Or the array length is 0. Or equal to "unknown " , Then: IP = request. Getremoteaddr() For anonymous proxy servers, the original IP address can be concealed. See Appendix B.   This problem is caused by many network structures, such as nginx + resin, Apache + WebLogic, and squid + nginx. Let's talk about it one by one. Zheng : △ First, make it clear that the nginx configuration is generally as follows: location/{
proxy_pass http://yourdomain.com;
proxy_set_header host $ host;
proxy_set_header X-real-IP $ remote_addr;
proxy_set_header X-forwarded-for $ proxy_add_x_forwarded_for;
} Pay attention to the red font. These configurations are related to the IP address in the following section.   ------------------------------- -- Level 1 | X-forwarded-for: background -- This is a field developed by squid, not the RFC standard. Abbreviation   XFF Header This option is added only when the HTTP proxy or Server Load balancer is passed. You can find the detailed description of this item in the squid development document. The xFF format is as follows: X-forwarded-for: Client1, proxy1, proxy2 It can be seen that there can be multiple xFF header information, separated by commas in the middle. The first item is the real client IP address, and the rest is the IP address of the proxy or Server Load balancer server. -- Level 1 | X-forwarded-for: Scenario = client -- CDN -- nginx -- When a user request arrives at the nginx Server Load balancer after passing through CDN, The xFF header information should be "Client IP address, cdn ip Address ". Generally, the CDN service provider will block the cdn ip address and only retain the Client IP address for security reasons. When the request header reaches nginx:

• by default, nginx does not process the xFF header
• in this case, the resin/Apache/tomcat following nginx uses request. getheader (" X-FORWARDED-FOR ") the obtained IP address is still the original IP address .
• when nginx sets X-forwarded-for to $ proxy_add_x_forwarded_for, :
• if no xFF header is set for a request from CDN (this usually does not happen), the xFF header is the cdn ip address
• compared with nginx, the client is CDN
• If the xFF header is set for CDN, we set it again here and the value is $ proxy_add_x_forwarded_for:
• the xFF header is "Client IP address, nginx Server Load balancer IP Address" , so that the first value can be obtained.
• This is a common scenario!

To sum up, in the scenario where the xFF header is located, resin passes Request. getheader (" X-FORWARDED-FOR ") The obtained IP string is split. The first element is the original IP address. Can the xFF header be forged? -- Level 1 | X-forwarded-for: forged -- It can be forged. The xFF header is only a part of HTTP headers and can be added, deleted, and modified at will. See Appendix. Many voting systems have this vulnerability. They simply set the IP addresses defined in the xFF header as source addresses, so a third party can forge any IP address to vote. ------------------------------- -- Level 2 and level 3 | proxy-client-IP/wl- Proxy-client-IP : Background -- The proxy-client-IP field and WL-proxy-client-IP field appear only in the combination of Apache (WebLogic plug-in enable) and weblogic. "WL" is the abbreviation of weblogic. That is, the access path is:

Client-> Apache webserver + WebLogic HTTP Plugin-> WebLogic instances

Therefore, these two links are only compatible for us. We are afraid that you will suddenly replace nginx + resin with Apache + weblogic. You can also ignore these two fields. ------------------------------- -- Level 4 | http-client-IP : Background -- Http_client_ip is the HTTP header sent by the proxy server. In many cases, nginx configuration does not include the following:

Proxy_set_header http_client_ip $ remote_addr;

Therefore, this parameter can be ignored. Zheng   : △ ------------------------------- -- Level 5 | request. getremoteaddr (): background -- Slave For the definition of the request. getremoteaddr () function, see: Returns the Internet Protocol (IP) address of the client or last proxy that sent the request.

In fact, remote_addr is the IP address when the client shakes hands with the server. However, if "anonymous proxy" is used, remote_addr displays the IP address of the proxy server or the IP address of the last proxy server. See Appendix B.

To sum up, The IP addresses obtained in Java/PHP may be forged or proxy server IP addresses.   Zheng : △ +++ Appendix A xFF and nginx configuration test cases +++ Test environment: nginx + Resin
Intranet IP Address: 172.16.100.10
Client IP: 123.123.123.123

Test page: Test. jsp
<%
Out. println ("X-forwarded-for:" + request. getheader ("X-forwarded-"));
Out. println ("remote hosts:" + request. getremoteaddr ());
%>

Nginx configure proxy_set_header X-real-IP $ remote_addr; proxy_set_header X-forwarded-for $ proxy_add_x_forwarded_for; wget test wget-O aa -- header = "X-forwarded-: 192.168.0.1 "" http://test.com/test.jsp "Page return results: X-forwarded-for: 192.168.0.1, 123.123.123.123remote hosts: 172.16.100.10 curl test curl-h" X-forwarded-: 192.168.0.1 "" http://test.com/test.jsp "X-forwarded-for: 192.168.0.1, 123.123.123.123remote hosts: 172.16.100.10

Nginx configuration 2
Proxy_set_header X-real-IP $ remote_addr;
Proxy_set_header X-forwarded-for $ remote_addr;
Proxy_set_header X-forwarded-for $ proxy_add_x_forwarded_for;

Wget test:
Wget-O aa -- header = "X-forwarded-for: 192.168.0.1" "http://test.com/test.jsp"
Page return result:
X-forwarded-for: 123.123.123.123
Remote hosts: 172.16.100.10

Curl Test
Curl-h "X-forwarded-for: 192.168.0.1" http://test.com/test.jsp"
X-forwarded-for: 123.123.123.123
Remote hosts: 172.16.100.10

Test results:
1. Configure proxy_set_header X-forwarded-for $ proxy_add_x_forwarded_for;
A real IP address X-forwarded-for is added, and the order is added to the "back ".

2. Configuration

Proxy_set_header X-forwarded-for $ remote_addr;
Cleared the X-forwarded- ,
Ensure that the IP address obtained using request. getheader ("X-forwarded-for") is a real IP address,
Or use commas (,) to separate and intercept the final value of X-forwarded-. +++ Appendix B sogou browser high-speed mode test cases +++ Access path: sogou Browser "high-speed" mode (using proxy) --> LVS --> the value obtained by Apache is: X-forwarded-for: 180.70.92.43 (real IP) proxy-client-IP: nullwl-proxy-client-IP: NULL getremoteaddr: 123.126.50.185 (sogou proxy IP) ××× Reference resource: ××× 1, http://bbs.linuxtone.org/thread-9050-1-1.html2,http://hi.baidu.com/thinkinginlamp/item/e2cf05263eb4d18e6e2cc3e63,http://bbs.chinaunix.net/thread-3659453-1-1.html gift Diagram 2: