PHP: client IP address forgery, CDNs, reverse proxies, and how the client IP is obtained

Source: Internet
Author: User
Tags: php, server

Whether the server side is written in Java or PHP, the client IP is obtained the same way. In pseudo-code:

1) ip = request.getHeader("X-Forwarded-For") -- can be forged, see Appendix A
2) If the value is empty, has length 0, or equals "unknown", then: ip = request.getHeader("Proxy-Client-IP")
3) If the value is empty, has length 0, or equals "unknown", then: ip = request.getHeader("WL-Proxy-Client-IP")
4) If the value is empty, has length 0, or equals "unknown", then: ip = request.getHeader("HTTP_CLIENT_IP") -- can be forged
5) If the value is empty, has length 0, or equals "unknown", then: ip = request.getRemoteAddr() -- an anonymous proxy hides the original IP, see Appendix B

This chain of fallbacks exists because there are many kinds of deployment topology, such as Nginx+Resin, Apache+WebLogic and Squid+Nginx. Each step is discussed below. First, to be clear, the Nginx configuration is generally as follows:

location / {
    proxy_pass http://yourdomain.com;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

The last two proxy_set_header directives are the ones that determine which IP the application ends up seeing.

———————————————————————————————

--First pass | X-Forwarded-For: background--

X-Forwarded-For is a field originally introduced by Squid; it is not an RFC standard. It is usually abbreviated XFF. The header is only added when the request passes through an HTTP proxy or load balancer. A detailed description can be found in the Squid documentation. The XFF format is:

X-Forwarded-For: client1, proxy1, proxy2

As can be seen, the XFF header can carry more than one address, separated by commas: the first is the real client IP, and the remaining ones are the IPs of the proxies or load balancers the request passed through.

--First pass | X-Forwarded-For: scenario = client -> CDN -> Nginx--

When a user's request reaches the Nginx load balancer through a CDN, its XFF header should be "client IP, CDN IP". In general, CDN providers mask the CDN IP for their own security and leave only the client IP. The request header then arrives at Nginx:
    • By default, Nginx does not touch the XFF header at all
      • In that case the Resin/Apache/Tomcat behind Nginx still sees the original IP when it calls request.getHeader("X-Forwarded-For").
    • When Nginx sets X-Forwarded-For to $proxy_add_x_forwarded_for:
      • If the request from the CDN did not carry an XFF header (which usually does not happen), the XFF header becomes the IP of the CDN
        • From Nginx's point of view, the client is the CDN
      • If the CDN did set the XFF header, Nginx sets it again here, and the value of $proxy_add_x_forwarded_for is:
        • XFF header = "client IP, Nginx load balancer server IP", so take the first value
        • This is the scenario most people are in!
In summary, in the XFF scenario Resin obtains the IP string via request.getHeader("X-Forwarded-For"), splits it on commas, and the first element is the original IP. So, can the XFF header be forged?

--First pass | X-Forwarded-For: forgery--

It can be forged. The XFF header is just one of the HTTP headers, so naturally a client can delete or modify it at will, as shown in Appendix A. Many polling (voting) systems have this vulnerability: they simply take the IP address given in the XFF header as the source address, so a third party can cast votes from any forged IP.

———————————————————————————————

--Second and third pass | Proxy-Client-IP / WL-Proxy-Client-IP: background--

The Proxy-Client-IP and WL-Proxy-Client-IP fields appear only in Apache (with the WebLogic plug-in enabled) + WebLogic, where "WL" is the abbreviation for WebLogic. That is, the access path is:

Client --> Apache web server + WebLogic HTTP plug-in --> WebLogic instances

So these two steps exist only for compatibility, in case you one day switch from Nginx+Resin to Apache+WebLogic. You can also ignore these two fields entirely.

———————————————————————————————

--Fourth pass | HTTP_CLIENT_IP: background--

HTTP_CLIENT_IP is a header sent by some proxy servers. In most cases the Nginx configuration does not contain the following:

proxy_set_header HTTP_CLIENT_IP $remote_addr;

So this step can also be ignored.

———————————————————————————————

--Fifth pass | request.getRemoteAddr(): background--

Look at the definition of the request.getRemoteAddr() function: "Returns the Internet Protocol (IP) address of the client or last proxy that sent the request." In fact, REMOTE_ADDR is the IP of the peer that performed the TCP handshake with the server. If an "anonymous proxy" is used, REMOTE_ADDR will show the IP of the proxy server, or of the last proxy server in the chain. Please refer to Appendix B.

In conclusion, the IP address you obtain in Java/PHP may be a forged IP or a proxy server's IP.

+ + + Appendix A: XFF test cases with different Nginx configurations + + +

Test environment: Nginx+Resin
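The two approaches discussed above side by side, as an added example that is not part of the original post: naive_client_ip() implements the article's header chain (first usable header, first comma-separated element), and trusted_client_ip() reads X-Forwarded-For from the right, skipping the addresses of the proxies the backend itself operates, so that only an address appended by one of those proxies can be taken as the client. The trusted network 172.16.100.0/24 and the sample headers are constructed for the example; the addresses reuse Appendix A's values.

```python
"""
Backend-side client IP resolution: the article's naive header chain beside a
trusted-proxy-aware version.  Added example, not the article's own code; the
trusted network 172.16.100.0/24 and the sample headers are constructed.
"""
from ipaddress import ip_address, ip_network

# Lookup order from the article's pseudo-code.  HTTP header names are
# case-insensitive, so headers are normalised to lower case before lookup.
HEADER_CHAIN = ("X-Forwarded-For", "Proxy-Client-IP", "WL-Proxy-Client-IP", "HTTP_CLIENT_IP")


def _usable(value):
    """The article's test at every step: non-empty and not the literal 'unknown'."""
    return bool(value) and value.strip().lower() != "unknown"


def _parse(addr):
    """Return an ip_address object, or None if the text is not a valid address."""
    try:
        return ip_address(addr.strip())
    except ValueError:
        return None


def naive_client_ip(headers, remote_addr):
    """The article's chain: the first usable header wins and its first
    comma-separated element is taken as the client.  Every one of these
    headers is chosen by whoever sent the request, so the result is forgeable."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in HEADER_CHAIN:
        value = lowered.get(name.lower())
        if _usable(value):
            return value.split(",")[0].strip()
    return remote_addr


def trusted_client_ip(headers, remote_addr, trusted_proxies):
    """Use X-Forwarded-For only when the TCP peer is one of our proxies, then
    read it from the right: each trusted proxy appended exactly one address
    ($proxy_add_x_forwarded_for), so the rightmost address that is NOT one of
    our proxies is the client.  Anything to its left came from the client and
    is ignored."""
    nets = [ip_network(n) for n in trusted_proxies]

    def is_trusted(ip):
        return any(ip in net for net in nets)

    peer = _parse(remote_addr)
    if peer is None or not is_trusted(peer):
        return remote_addr  # direct connection: the header is whatever the client typed

    lowered = {k.lower(): v for k, v in headers.items()}
    hops = [h for h in lowered.get("x-forwarded-for", "").split(",") if h.strip()]
    for hop in reversed(hops):
        ip = _parse(hop)
        if ip is None:
            break  # malformed entry: stop trusting the header, fall back to the peer
        if not is_trusted(ip):
            return str(ip)
    return remote_addr  # every hop was one of ours (or the header was empty)


if __name__ == "__main__":
    # Constructed request as the backend sees it in Appendix A, configuration one:
    # the client injected X-Forwarded-For: 192.168.0.1 and Nginx appended the real address.
    headers = {"X-Forwarded-For": "192.168.0.1, 123.123.123.123"}
    print("naive  :", naive_client_ip(headers, "172.16.100.10"))
    print("trusted:", trusted_client_ip(headers, "172.16.100.10", ["172.16.100.0/24"]))
```

With Appendix A's request, naive_client_ip() returns the injected 192.168.0.1 while trusted_client_ip() returns 123.123.123.123; when the connection does not come from a listed proxy at all, the header is ignored and the peer address is used.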
Intranet IP: 172.16.100.10
Client IP: 123.123.123.123

Test page: test.jsp
<%
// Print the raw header and the TCP peer address as the servlet container sees them
out.println("x-forwarded-for: " + request.getHeader("X-Forwarded-For"));
out.println("remote hosts: " + request.getRemoteAddr());
%>

Nginx configuration one:
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

wget test:
wget -O aa --header="X-Forwarded-For: 192.168.0.1" "http://test.com/test.jsp"
Page return results:
x-forwarded-for: 192.168.0.1, 123.123.123.123
remote hosts: 172.16.100.10

curl test:
curl -H "X-Forwarded-For: 192.168.0.1" "http://test.com/test.jsp"
x-forwarded-for: 192.168.0.1, 123.123.123.123
remote hosts: 172.16.100.10

Nginx configuration two:
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

wget test:
wget -O aa --header="X-Forwarded-For: 192.168.0.1" "http://test.com/test.jsp"
Page return results:
x-forwarded-for: 123.123.123.123
remote hosts: 172.16.100.10

curl test:
curl -H "X-Forwarded-For: 192.168.0.1" "http://test.com/test.jsp"
x-forwarded-for: 123.123.123.123
remote hosts: 172.16.100.10

Test results:
1. The configuration proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   appends the real IP to X-Forwarded-For, and it is appended at the "end" of the list.

2. The configuration proxy_set_header X-Forwarded-For $remote_addr;
   discards the X-Forwarded-For value forged by the client,
   ensuring that the IP obtained with request.getHeader("X-Forwarded-For") is the real IP.
   Alternatively, split X-Forwarded-For on "," and take the last value.

+ + + Appendix B: test case for Sogou browser high-speed mode + + +

Access path: Sogou browser "high-speed" mode (that is, through its proxy) --> LVS --> Apache. The values obtained are:
X-Forwarded-For: 180.70.92.43 (that is, the real IP)
Proxy-Client-IP: null
WL-Proxy-Client-IP: null
getRemoteAddr: 123.126.50.185 (that is, the Sogou proxy IP)

Reposted from: http://www.cnblogs.com/zhengyun_ustc/archive/2012/09/19/getremoteaddr.html
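Appendix A's two Nginx configurations, reproduced as an added Python example (not the article's own code) so the effect of $proxy_add_x_forwarded_for versus $remote_addr can be checked without a test box. It goes one step beyond Appendix A by also pushing the same forged request through a CDN placed in front of Nginx, the scenario from the "client -> CDN -> Nginx" section. The CDN address 198.51.100.7 is constructed, and the cdn() function assumes the CDN replaces a client-supplied X-Forwarded-For with the client's address (the article says CDNs leave only the client IP; whether they overwrite a forged value is not stated, so that is an assumption).

```python
"""
Emulates the two Nginx configurations measured in Appendix A and pushes the
same forged request through them, once directly and once via a CDN in front
of Nginx.  Added example, not the article's own code; the addresses are the
ones from Appendix A plus a constructed CDN address (198.51.100.7).
"""

NGINX_IP = "172.16.100.10"     # Appendix A: Nginx's intranet address (what Resin sees as the peer)
CLIENT_IP = "123.123.123.123"  # Appendix A: the real client
CDN_IP = "198.51.100.7"        # constructed: a CDN edge node between the client and Nginx
FORGED = "192.168.0.1"         # the value injected with curl -H / wget --header in Appendix A


def proxy_add_x_forwarded_for(incoming_xff, remote_addr):
    """Nginx's $proxy_add_x_forwarded_for: the incoming header with $remote_addr
    appended after ", ", or just $remote_addr if the request carried no header."""
    return f"{incoming_xff}, {remote_addr}" if incoming_xff else remote_addr


def nginx_config_one(incoming_xff, remote_addr):
    """proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;"""
    return proxy_add_x_forwarded_for(incoming_xff, remote_addr)


def nginx_config_two(incoming_xff, remote_addr):
    """proxy_set_header X-Forwarded-For $remote_addr; -- the client's value is dropped."""
    return remote_addr


def cdn(incoming_xff, remote_addr):
    """The CDN behaviour described in the article: it forwards the client IP in
    X-Forwarded-For and masks its own address.  Assumption: it overwrites any
    client-supplied value; a CDN that appends instead would keep the forged
    value in front of the client address."""
    return remote_addr


def first_hop(xff):
    """What the article's pseudo-code does: take the first comma-separated element."""
    return xff.split(",")[0].strip()


def last_hop(xff):
    """Appendix A's alternative: take the last element."""
    return xff.split(",")[-1].strip()


def run(nginx_config, through_cdn):
    """Send a request that arrives at the edge with X-Forwarded-For: 192.168.0.1
    and return (header Resin receives, first-element pick, last-element pick)."""
    xff, peer = FORGED, CLIENT_IP
    if through_cdn:
        xff, peer = cdn(xff, peer), CDN_IP   # Nginx now sees the CDN as its peer
    upstream_xff = nginx_config(xff, peer)
    return upstream_xff, first_hop(upstream_xff), last_hop(upstream_xff)


if __name__ == "__main__":
    for config in (nginx_config_one, nginx_config_two):
        for through_cdn in (False, True):
            xff, first, last = run(config, through_cdn)
            print(f"{config.__name__:17} cdn={through_cdn!s:5} "
                  f"xff={xff!r:36} first={first:15} last={last}")
```

Without a CDN the output matches Appendix A exactly: configuration one yields "192.168.0.1, 123.123.123.123" (first element forged, last element real) and configuration two yields "123.123.123.123". With the CDN in front, the last element of configuration one is the CDN address, and configuration two discards the client address altogether; which position holds the client therefore depends on how many of your own proxies the request crossed, so the backend has to know its proxies' addresses rather than rely on a fixed position.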
