[Original] Tips for Preventing IP Spoofing on Community Web Pages

Source: Internet
Author: User

Many web pages, such as online voting, online Q&A, online surveys, and online lotteries, use the user's IP address as a limit, restricting how many users with the same IP address can participate in the activity.

There is a lot of code on the Internet that claims to obtain the real client IP address. It does nothing more than check the proxy information to get the so-called "real IP address", but is this IP actually "real"? I don't think so. This kind of practice looks somewhat clever, but it is somewhat false.

We all know that web pages are accessed over HTTP, and almost none of the data exchanged in this protocol can be trusted. All HTTP protocol data can be forged; the only true value is the IP address of the client that directly requests the page. This IP address can be obtained through the HTTP environment variable remote_addr, and it can be said to be the only trusted address data. The other two environment variables, http_client_ip and http_x_forwarded_for, do specify the IP addresses along the proxy path, but unfortunately this data is unreliable unless you are sure that the proxy server is reliable, and that is almost impossible.

So which way of obtaining the client IP address is more reliable? In my opinion, use remote_addr to obtain the source IP address of the direct request, because this is the only reliable data. What if we trust the other two IP values supplied for the proxy path and use the so-called real IP address code found on the Internet? The result is very bad. Hackers can easily forge proxy IPs and then blow up the voting data.

Therefore, when you need to check and restrict IP addresses, do not consider the so-called proxy IP addresses, which are insubstantial and carry no reliable information. The most reliable way to prevent IP spoofing is to rely on the detected direct access address.
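The difference between the two approaches, as an added example that is not part of the original article: a one-vote-per-IP rule is applied to constructed requests, once with the header-trusting "real IP" lookup and once with the direct address (REMOTE_ADDR is the WSGI/CGI spelling of the remote_addr variable above). The trusted-proxy branch goes slightly beyond the article and covers its "unless you are sure that the proxy server is reliable" case; the proxy address 10.0.0.5, the function names and all sample requests are assumptions.

```python
import ipaddress

# Assumption: 10.0.0.5 is a reverse proxy we run ourselves (constructed address).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}

def naive_client_ip(environ):
    """Common 'real IP' pattern: believes headers the client can set freely."""
    for key in ("HTTP_CLIENT_IP", "HTTP_X_FORWARDED_FOR"):
        value = environ.get(key, "").split(",")[0].strip()
        if value:
            return value
    return environ["REMOTE_ADDR"]

def direct_client_ip(environ):
    """Use the direct peer address; read X-Forwarded-For only from our own proxy."""
    peer = ipaddress.ip_address(environ["REMOTE_ADDR"])
    if peer in TRUSTED_PROXIES:
        # Assumption: our proxy appends the peer it saw, so only the last entry counts.
        last = environ.get("HTTP_X_FORWARDED_FOR", "").split(",")[-1].strip()
        try:
            return str(ipaddress.ip_address(last))
        except ValueError:
            pass  # header missing or malformed: fall back to the proxy address
    return str(peer)

def accepted_votes(requests, get_ip):
    """Apply a one-vote-per-IP rule and return how many requests are accepted."""
    seen = set()
    for environ in requests:
        seen.add(get_ip(environ))
    return len(seen)

# Constructed: one client sends five votes, each with a different forged header.
FORGED = [{"REMOTE_ADDR": "203.0.113.7", "HTTP_X_FORWARDED_FOR": f"198.51.100.{i}"}
          for i in range(1, 6)]
# Constructed: two clients behind our proxy; one prepends forged entries.
VIA_PROXY = [
    {"REMOTE_ADDR": "10.0.0.5", "HTTP_X_FORWARDED_FOR": "198.51.100.98, 192.0.2.10"},
    {"REMOTE_ADDR": "10.0.0.5", "HTTP_X_FORWARDED_FOR": "192.0.2.11"},
    {"REMOTE_ADDR": "10.0.0.5", "HTTP_X_FORWARDED_FOR": "198.51.100.99, 192.0.2.10"},
]

if __name__ == "__main__":
    for name, sample in (("forged", FORGED), ("via proxy", VIA_PROXY)):
        print(name, accepted_votes(sample, naive_client_ip),
              accepted_votes(sample, direct_client_ip))
```

With the header-trusting lookup every forged request counts as a new voter; with the direct address the five forged requests collapse to one voter and the proxied requests to the two real clients.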
