To get the client IP, a lot of code first takes the value of HTTP_CLIENT_IP, then HTTP_X_FORWARDED_FOR, and finally REMOTE_ADDR.
For a discussion of this, see: http://www.douban.com/group/topic/27482290/
What is a good piece of code for getting and validating the client IP?
Below is my summary after reading the answers:
1. HTTP_CLIENT_IP exists as a header, but it is not a standard, and servers do not necessarily implement it.
2. HTTP_X_FORWARDED_FOR has a standard definition: it identifies the client IP address behind an HTTP proxy, in the format clientip,proxy1,proxy2. See http://zh.wikipedia.org/wiki/X-Forwarded-For for a detailed explanation.
3. REMOTE_ADDR is reliable; it is the IP that last shook hands with your server. It may be the user's proxy server, or it may be your own reverse proxy.
About forgery: the HTTP_* headers are easy to forge. For example, use a Firefox plugin to forge X-Forwarded-For as 8.8.8.8, clear your cookies and then visit http://www.58.com, and it will think you are coming from 8.8.8.8. Reference: another question on SF about fake IPs.
A good piece of get-IP code:
<?php
function get_client_ip()
{
    // Candidate headers, checked in order of preference; REMOTE_ADDR is the fallback.
    $keys = array(
        'HTTP_CLIENT_IP',
        'HTTP_X_FORWARDED_FOR',
        'HTTP_X_FORWARDED',
        'HTTP_X_CLUSTER_CLIENT_IP',
        'HTTP_FORWARDED_FOR',
        'HTTP_FORWARDED',
        'REMOTE_ADDR',
    );
    foreach ($keys as $key) {
        if (array_key_exists($key, $_SERVER)) {
            // A forwarded header may hold a comma-separated chain: clientip,proxy1,proxy2
            foreach (explode(',', $_SERVER[$key]) as $ip) {
                $ip = trim($ip);
                // Filters out reserved and private address ranges, e.g. 127.0.0.1 is dropped.
                // Could also be changed to validate the IP with a regular expression.
                if ((bool) filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
                    return $ip;
                }
            }
        }
    }
    return null;
}
Following @joyqi's idea, in some situations one can consider reading only REMOTE_ADDR
(PS: generally not done)
Reply content:
REMOTE_ADDR
cannot be forged outright. Although the IP address can be hidden behind a proxy, this address still has reference value, because it is the IP address that actually connected to your server.
In contrast, the first two IP addresses can be forged through HTTP headers, but that doesn't mean they are useless. Many servers in production are hidden behind a load balancer node, and REMOTE_ADDR
then only gives you the IP address of the load balancer node; the load balancer node will generally pass the actual front-end IP address in the HTTP_CLIENT_IP
or HTTP_X_FORWARDED_FOR
HTTP headers.
The value the backend then reads is genuine and trustworthy, because it is the load balancer node telling you, not the client. But when your server is directly exposed to clients, do not trust those two ways of reading; just read REMOTE_ADDR
and that is enough.
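The two points made above (forwarded headers are client-controlled unless your own proxy added them, and REMOTE_ADDR is the only value the peer cannot forge) can be combined into one resolver. The following is an added example, not code from the question, from @joyqi's answer, or from any project on this page: it only consults X-Forwarded-For when REMOTE_ADDR is a known proxy, and then walks the chain from the right, skipping our own hops, so that a spoofed leftmost entry such as 8.8.8.8 is never returned. The function names, the trusted CIDR list and the sample $_SERVER arrays are all constructed for illustration.

```php
<?php
// Added example: resolve the client IP, trusting X-Forwarded-For only for hops
// that are our own proxies. Trusted CIDRs and sample inputs below are constructed.

/** Return true if IPv4 $ip falls inside the CIDR block $cidr (e.g. "10.0.0.0/8"). */
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = explode('/', $cidr, 2) + [1 => '32'];
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false) {
        return false;
    }
    $bits = (int) $bits;
    $mask = $bits === 0 ? 0 : ((-1 << (32 - $bits)) & 0xFFFFFFFF);
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

/** True if $ip belongs to one of our load balancers / reverse proxies. */
function is_trusted_proxy(string $ip, array $trustedCidrs): bool
{
    foreach ($trustedCidrs as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

/**
 * Resolve the client IP from a $_SERVER-like array.
 *
 * REMOTE_ADDR is the peer that completed the TCP handshake and cannot be set by
 * the client. X-Forwarded-For is consulted only when that peer is one of our own
 * proxies; it is then read right to left, because each proxy appends the address
 * it saw. The first hop that is not ours is the client; everything further left
 * was supplied by an untrusted party and is ignored.
 */
function resolve_client_ip(array $server, array $trustedCidrs): ?string
{
    $remote = $server['REMOTE_ADDR'] ?? null;
    if ($remote === null || filter_var($remote, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;
    }
    // Directly exposed server (or an unknown peer): never trust forwarded headers.
    if (!is_trusted_proxy($remote, $trustedCidrs)) {
        return $remote;
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (filter_var($hops[$i], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
            // Malformed entry from a hop we trusted: fall back to the peer address.
            return $remote;
        }
        if (!is_trusted_proxy($hops[$i], $trustedCidrs)) {
            return $hops[$i];
        }
    }
    // Every hop was one of our proxies (e.g. an internal check); the peer is the client.
    return $remote;
}

// Constructed sample data: an edge LB at 10.0.0.5 forwards to an internal proxy at 10.0.1.9.
$trusted = ['10.0.0.0/8'];

// Request via both proxies. The client tried to spoof 8.8.8.8 as the leftmost hop.
$viaProxies = [
    'REMOTE_ADDR'          => '10.0.1.9',
    'HTTP_X_FORWARDED_FOR' => '8.8.8.8, 203.0.113.7, 10.0.0.5',
];
// Server directly exposed: the client itself sent X-Forwarded-For, which must be ignored.
$direct = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => '8.8.8.8',
];

foreach ([[$viaProxies, '203.0.113.7'], [$direct, '203.0.113.7']] as [$srv, $want]) {
    $got = resolve_client_ip($srv, $trusted);
    if ($got !== $want) {
        throw new RuntimeException("expected $want, got " . var_export($got, true));
    }
}
echo "spoofed X-Forwarded-For ignored in both cases", PHP_EOL;
```

Drop the script into a PHP 7.1+ CLI to run the two constructed cases. In production, replace the trusted list with the real addresses of your load balancer or reverse proxy; if that list is empty, the resolver degrades to exactly the "only read REMOTE_ADDR" behaviour recommended for a directly exposed server.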