Multi-layer proxy obtains the real IP Address

Source: Internet
Author: User
Tags: servervariables
The so-called "get the real IP address" code circulating on the Internet has a bug: it does not take multi-layer transparent proxies into account. Most of it looks like this:

```csharp
// Common pattern: use HTTP_X_FORWARDED_FOR if present, otherwise REMOTE_ADDR
string IpAddress = (HttpContext.Current.Request.ServerVariables["HTTP_X_FORWARDED_FOR"] != null
                    && HttpContext.Current.Request.ServerVariables["HTTP_X_FORWARDED_FOR"] != String.Empty)
    ? HttpContext.Current.Request.ServerVariables["HTTP_X_FORWARDED_FOR"]
    : HttpContext.Current.Request.ServerVariables["REMOTE_ADDR"];
```

In fact, the code above only handles a user behind a single layer of proxy. If the user sits behind two layers, the value of HTTP_X_FORWARDED_FOR seen at layer 3 is: "local real IP address, layer-1 proxy IP address, layer-2 proxy IP address, ...". If the column you store the IP in is very small (15 bytes), the database reports an error.

In practice, few users go through a multi-layer transparent proxy. On the other hand, more and more websites use proxy acceleration. For example, Sina and Sohu news both use Squid as a proxy, with multiple servers for traffic distribution. Squid itself behaves like a transparent proxy and sends HTTP_X_FORWARDED_FOR, which contains the customer's IP address. If the customer already uses a transparent proxy program, the HTTP_X_FORWARDED_FOR obtained contains two IP addresses. (I have met three IP addresses, but I have never met four.) So we should also check whether HTTP_X_FORWARDED_FOR contains "," or whether it is too long (more than 15 bytes, xxx.xxx.xxx.xxx). Therefore the code should be as follows:

```csharp
using System;
using System.Web;

/// <summary>
/// Obtain the real IP address of the client. If a proxy exists, take the first non-intranet address.
/// </summary>
public static string IPAddress
{
    get
    {
        string result = String.Empty;
        result = HttpContext.Current.Request.ServerVariables["HTTP_X_FORWARDED_FOR"];
        if (result != null && result != String.Empty)
        {
            // There may be a proxy
            if (result.IndexOf(".") == -1)
            {
                // No "." means it is certainly not IPv4 format
                result = null;
            }
            else
            {
                if (result.IndexOf(",") != -1)
                {
                    // There is a ",", so probably multiple proxies. Take the first IP that is not an intranet address.
                    result = result.Replace(" ", "").Replace("'", "");
                    string[] temparyip = result.Split(",;".ToCharArray());
                    for (int i = 0; i < temparyip.Length; i++)
                    {
                        // IsIPAddress guarantees at least 7 characters, so the Substring calls cannot throw.
                        // Note: "172.16." only excludes 172.16.x.x, not the whole 172.16.0.0/12 private range.
                        if (Text.IsIPAddress(temparyip[i])
                            && temparyip[i].Substring(0, 3) != "10."
                            && temparyip[i].Substring(0, 7) != "192.168"
                            && temparyip[i].Substring(0, 7) != "172.16.")
                        {
                            return temparyip[i]; // found a non-intranet address
                        }
                    }
                    // Every entry was an intranet address (or not an IP): do not return the whole list,
                    // fall back to REMOTE_ADDR below instead.
                    result = null;
                }
                else if (Text.IsIPAddress(result))
                {
                    return result; // the proxy header is a single address in IP format
                }
                else
                {
                    result = null; // the header content is not an IP address; fall back to REMOTE_ADDR
                }
            }
        }

        if (result == null || result == String.Empty)
            result = HttpContext.Current.Request.ServerVariables["REMOTE_ADDR"];

        if (result == null || result == String.Empty)
            result = HttpContext.Current.Request.UserHostAddress;

        return result;
    }
}
```

Disadvantages of HTTP_X_FORWARDED_FOR: it is part of the HTTP header and has no effect on TCP communication. In other words, the client can send anything it likes in HTTP_X_FORWARDED_FOR, i.e. a counterfeit IP address. The simplest case is the IP address record of a web program: it was intended to record the real IP address, but instead it records what a hacker chose. When your application records the client's access IP address, or denies or permits access from certain IP addresses, the logs may be wrong and legitimate users may even be blocked by mistake.

Therefore, security logs should record the complete HTTP_X_FORWARDED_FOR (allocate at least 3*15 + 2 bytes to the database field so that at least 3 IP addresses fit) together with REMOTE_ADDR. Checking the IP format of HTTP_X_FORWARDED_FOR is also essential.

Appendix: (Text is a custom class; IsIPAddress is one of its methods, used to determine whether a string is in IP address format.)

```csharp
using System;
using System.Text.RegularExpressions;

#region bool IsIPAddress(str1) determine whether the string is in IP format
/// <summary>
/// Determine whether the string is in IP address format 0.0.0.0
/// </summary>
/// <param name="str1">IP address to be checked</param>
/// <returns>true or false</returns>
public static bool IsIPAddress(string str1)
{
    if (str1 == null || str1 == String.Empty || str1.Length < 7 || str1.Length > 15)
        return false;
    // Four groups of one to three digits separated by dots (no range check on each octet)
    string regformat = @"^\d{1,3}[\.]\d{1,3}[\.]\d{1,3}[\.]\d{1,3}$";
    Regex regex = new Regex(regformat, RegexOptions.IgnoreCase);
    return regex.IsMatch(str1);
}
#endregion
```
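The two points above (multi-hop X-Forwarded-For values and the fact that the client controls the header) combine into one rule for the server side: the only entries you can trust are the ones appended by proxies you operate, and the TCP peer address (REMOTE_ADDR) is the one value the client cannot forge. The following is an added example, not the article's code, written as a stand-alone console program so it needs no HttpContext. The trusted-proxy addresses (10.0.0.5, 10.0.0.6) and the sample header are constructed for the demo; in a real deployment the list would come from configuration. It also uses System.Net.IPAddress.TryParse instead of the article's regex, which accepts IPv6 as well and rejects octets above 255, and it checks the whole 172.16.0.0/12 range that the "172.16." prefix test misses.

```csharp
// Added example (not from the article): resolve the client address from a
// multi-hop X-Forwarded-For header by walking the chain from the right and
// discarding only hops that belong to our own trusted proxies.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Sockets;

public static class ClientIpResolver
{
    // Addresses of the reverse proxies we operate (assumed values for the demo).
    // Only these are allowed to have appended an entry to X-Forwarded-For.
    private static readonly HashSet<IPAddress> TrustedProxies = new HashSet<IPAddress>
    {
        IPAddress.Parse("10.0.0.5"),
        IPAddress.Parse("10.0.0.6"),
    };

    // True for loopback, link-local and RFC 1918 / ULA ranges.
    // The article's prefix test ("10.", "192.168", "172.16.") misses 172.17.0.0 - 172.31.255.255.
    public static bool IsPrivate(IPAddress ip)
    {
        if (IPAddress.IsLoopback(ip)) return true;
        byte[] b = ip.GetAddressBytes();
        if (ip.AddressFamily == AddressFamily.InterNetworkV6)
            return ip.IsIPv6LinkLocal || (b[0] & 0xfe) == 0xfc; // fe80::/10 or fc00::/7
        return b[0] == 10
            || (b[0] == 172 && b[1] >= 16 && b[1] <= 31)
            || (b[0] == 192 && b[1] == 168)
            || (b[0] == 169 && b[1] == 254);
    }

    // Split the header on "," or ";" and keep only entries that parse as an IP address.
    // Quotes and whitespace are stripped the way the article's code does.
    public static List<IPAddress> ParseForwardedFor(string header)
    {
        var hops = new List<IPAddress>();
        if (string.IsNullOrWhiteSpace(header)) return hops;
        foreach (string part in header.Split(new[] { ',', ';' }, StringSplitOptions.RemoveEmptyEntries))
        {
            if (IPAddress.TryParse(part.Trim().Trim('\'', '"'), out IPAddress ip))
                hops.Add(ip);
        }
        return hops;
    }

    // The article's strategy: the first entry that parses and is not an intranet
    // address. It trusts whatever the client put at the front of the header.
    public static IPAddress FirstPublicFromLeft(string forwardedFor)
    {
        return ParseForwardedFor(forwardedFor).FirstOrDefault(ip => !IsPrivate(ip));
    }

    // remoteAddr is the TCP peer (REMOTE_ADDR); the client cannot forge it.
    // Append it to the chain, then strip our trusted proxies from the right. The
    // first remaining address from the right is the real client; anything to its
    // left was supplied by the client and may be a counterfeit.
    public static IPAddress Resolve(string forwardedFor, IPAddress remoteAddr)
    {
        List<IPAddress> chain = ParseForwardedFor(forwardedFor);
        chain.Add(remoteAddr);
        for (int i = chain.Count - 1; i >= 0; i--)
        {
            if (!TrustedProxies.Contains(chain[i]))
                return chain[i];
        }
        // Every hop was one of our own proxies: report the peer address rather than nothing.
        return remoteAddr;
    }

    public static void Main()
    {
        // Constructed sample: client 203.0.113.7 connects through our proxy 10.0.0.5,
        // but sent a forged "198.51.100.99" in X-Forwarded-For itself; the proxy then
        // appended the address it actually saw.
        const string xff = "198.51.100.99, 203.0.113.7";
        IPAddress remote = IPAddress.Parse("10.0.0.5");

        Console.WriteLine("leftmost-public (article's approach): " + FirstPublicFromLeft(xff)); // 198.51.100.99, the forged value
        Console.WriteLine("rightmost-untrusted: " + Resolve(xff, remote));                    // 203.0.113.7

        // Direct connection with no proxy in front: the header must be ignored entirely.
        IPAddress direct = IPAddress.Parse("198.51.100.42");
        Console.WriteLine("direct client: " + Resolve("10.0.0.5, 203.0.113.7", direct));      // 198.51.100.42

        // As the article recommends, log both raw values; the header can be far longer
        // than 15 bytes, so size the column (or truncate explicitly) accordingly.
        Console.WriteLine("audit: remote_addr=" + remote + " x_forwarded_for=\"" + xff + "\"");
    }
}
```

The design choice worth noting is the direction of the walk. Taking the first public address from the left, as the article's code does, hands control of the result to the client, because the client's own header value is always leftmost. Walking from the right and stopping at the first address that is not one of your own proxies yields the address your outermost proxy actually observed, and when REMOTE_ADDR is not a known proxy the header is ignored outright.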
