REMOTE_ADDR, HTTP_CLIENT_IP, HTTP_X_FORWARDED_FOR

Source: Internet
Author: User
Tags: servervariables

When you look at lib_base.php in ecshop, you can see how it obtains the client's real IP address (real_ip()). In many cases you can also tell whether the client is using a proxy. Pay attention to the order of the checks: it first looks at HTTP_X_FORWARDED_FOR to see whether the client came through a proxy, then at HTTP_CLIENT_IP, and only then at REMOTE_ADDR.

The source code follows.

/**
 * Obtain the real IP address of the user
 *
 * @access  public
 * @return  string
 */
function real_ip()
{
    static $realip = NULL;

    if ($realip !== NULL)
    {
        return $realip;
    }

    if (isset($_SERVER))
    {
        if (isset($_SERVER['HTTP_X_FORWARDED_FOR']))
        {
            $arr = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);

            /* Take the first entry in X-Forwarded-For that is not 'unknown'.
               Note that this header is supplied by the client side of the connection. */
            foreach ($arr AS $ip)
            {
                $ip = trim($ip);

                if ($ip != 'unknown')
                {
                    $realip = $ip;

                    break;
                }
            }
        }
        elseif (isset($_SERVER['HTTP_CLIENT_IP']))
        {
            $realip = $_SERVER['HTTP_CLIENT_IP'];
        }
        else
        {
            if (isset($_SERVER['REMOTE_ADDR']))
            {
                $realip = $_SERVER['REMOTE_ADDR'];
            }
            else
            {
                $realip = '0.0.0.0';
            }
        }
    }
    else
    {
        if (getenv('HTTP_X_FORWARDED_FOR'))
        {
            $realip = getenv('HTTP_X_FORWARDED_FOR');
        }
        elseif (getenv('HTTP_CLIENT_IP'))
        {
            $realip = getenv('HTTP_CLIENT_IP');
        }
        else
        {
            $realip = getenv('REMOTE_ADDR');
        }
    }

    /* Keep only a run of 7 to 15 digits and dots; this does not validate an
       address and discards anything that is not IPv4-looking. */
    preg_match("/[\d\.]{7,15}/", $realip, $onlineip);
    $realip = !empty($onlineip[0]) ? $onlineip[0] : '0.0.0.0';

    return $realip;
}

By the way, the difference between $_SERVER and getenv() is that getenv() does not work when PHP runs under IIS in ISAPI mode.

I. No proxy server is used:

REMOTE_ADDR = your IP address
HTTP_VIA = no value or not displayed
HTTP_X_FORWARDED_FOR = no value or not displayed

II. Transparent proxy server (transparent proxies):

REMOTE_ADDR = IP address of the last proxy server
HTTP_VIA = proxy server IP address
HTTP_X_FORWARDED_FOR = your real IP address. When multiple proxy servers are used, the value looks like: 203.98.182.163, 203.98.182.163, 203.129.72.215

This type of proxy server still forwards your real IP address to the site you access, so it cannot hide your identity.

III. Normal anonymous proxy server (anonymous proxies):

REMOTE_ADDR = IP address of the last proxy server
HTTP_VIA = proxy server IP address
HTTP_X_FORWARDED_FOR = proxy server IP address. When multiple proxy servers are used, the value looks like: 203.98.182.163, 203.98.182.163, 203.129.72.215

Your real IP address is hidden, but the site you access can tell that you reached it through a proxy server.

IV. Distorting proxy server (distorting proxies):

REMOTE_ADDR = proxy server IP address
HTTP_VIA = proxy server IP address
HTTP_X_FORWARDED_FOR = a random IP address. When multiple proxy servers are used, the value looks like: 203.98.182.163, 203.98.182.163, 203.129.72.215

It tells the site you access that you used a proxy server, but supplies a fabricated random IP address instead of your real one to mislead it.

V. High anonymity proxy server (elite proxies):

REMOTE_ADDR = proxy server IP address
HTTP_VIA = no value or not displayed
HTTP_X_FORWARDED_FOR = no value or not displayed. When multiple proxy servers are used, a value like 203.98.182.163, 203.98.182.163, 203.129.72.215 may still appear

The proxy server's information replaces all of yours; to the site you access it looks as if the proxy server itself were the client.

REMOTE_ADDR is the IP address of the peer that completed the TCP handshake with your server. If an anonymous proxy is used, REMOTE_ADDR shows the proxy server's IP address.
HTTP_CLIENT_IP is an HTTP header sent by the proxy server. With a high anonymity ("super anonymous") proxy it is absent; REMOTE_ADDR likewise holds the proxy server's IP address.
$_SERVER['REMOTE_ADDR'];          // IP address of the connecting peer (may be the user or a proxy)
$_SERVER['HTTP_CLIENT_IP'];       // supplied by a proxy (may be absent, and can be forged)
$_SERVER['HTTP_X_FORWARDED_FOR']; // the user's IP address as reported by a proxy (may be absent, and can be forged)

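As an added example (not ecshop's code and not part of the original post), the following Python models the server variables discussed above and compares the precedence real_ip() uses (X-Forwarded-For first, then HTTP_CLIENT_IP, then REMOTE_ADDR, then a digits-and-dots filter) with a resolver that starts from REMOTE_ADDR and only walks X-Forwarded-For, from the right, when the peer is one of a configured set of trusted proxies. The sample environments, the trusted proxy 203.129.72.215, the external proxy 203.98.182.163 and the client 198.51.100.7 are constructed for the example; it also goes beyond the page by covering an IPv6 peer and a forged 'unknown' entry.

```python
import ipaddress
import re
from typing import Dict, Optional, Set

# Constructed sample environments (RFC 5737 / RFC 3849 documentation addresses).
# 198.51.100.7 is the real client, 203.98.182.163 an external proxy chosen by
# the client, and 203.129.72.215 our own reverse proxy in front of the app.
TRUSTED_PROXIES: Set[str] = {"203.129.72.215"}

SAMPLES: Dict[str, Dict[str, str]] = {
    # no proxy at all; the client itself forged the header
    "direct_forged": {"REMOTE_ADDR": "198.51.100.7",
                      "HTTP_X_FORWARDED_FOR": "0.0.0.0"},
    # no proxy; the client sent the literal 'unknown' that real_ip() skips
    "direct_unknown": {"REMOTE_ADDR": "198.51.100.7",
                       "HTTP_X_FORWARDED_FOR": "unknown"},
    # behind our proxy, which appended the true peer after the forged value
    "edge_forged": {"REMOTE_ADDR": "203.129.72.215",
                    "HTTP_X_FORWARDED_FOR": "0.0.0.0, 198.51.100.7"},
    # client -> external transparent proxy -> our proxy -> app
    "chain": {"REMOTE_ADDR": "203.129.72.215",
              "HTTP_X_FORWARDED_FOR": "198.51.100.7, 203.98.182.163"},
    # IPv6 peer connecting directly, no headers at all
    "ipv6_direct": {"REMOTE_ADDR": "2001:db8::1"},
}


def real_ip_like_ecshop(server: Dict[str, str]) -> str:
    """Same precedence as real_ip(): first X-Forwarded-For entry that is not
    'unknown', else HTTP_CLIENT_IP, else REMOTE_ADDR, then keep only a run of
    7-15 digits and dots. Included to make explicit what it trusts."""
    realip: Optional[str] = None
    if "HTTP_X_FORWARDED_FOR" in server:
        for ip in server["HTTP_X_FORWARDED_FOR"].split(","):
            ip = ip.strip()
            if ip != "unknown":
                realip = ip
                break
    elif "HTTP_CLIENT_IP" in server:
        realip = server["HTTP_CLIENT_IP"]
    else:
        realip = server.get("REMOTE_ADDR", "0.0.0.0")
    m = re.search(r"[\d.]{7,15}", realip or "")
    return m.group(0) if m else "0.0.0.0"


def _parse(candidate: str) -> Optional[str]:
    """Canonical text of an IPv4/IPv6 address, or None if it is not one."""
    try:
        return str(ipaddress.ip_address(candidate.strip()))
    except ValueError:
        return None


def client_ip(server: Dict[str, str], trusted_proxies: Set[str]) -> str:
    """Start from REMOTE_ADDR, the TCP peer, which the client cannot forge.
    Only if that peer is one of our proxies do we read X-Forwarded-For, and
    then from the right: each proxy appends the address that connected to
    it, so the rightmost entries were written by our own infrastructure.
    Skip our proxies; the first other address is the client (or the nearest
    proxy we do not control). Entries a stranger may have written further
    left are never reached, so forged values have no effect."""
    peer = _parse(server.get("REMOTE_ADDR", ""))
    if peer is None:
        return "0.0.0.0"          # no usable peer address at all
    if peer not in trusted_proxies:
        return peer               # direct connection: ignore all headers

    hops = [h for h in server.get("HTTP_X_FORWARDED_FOR", "").split(",") if h.strip()]
    for hop in reversed(hops):
        addr = _parse(hop)
        if addr is None:
            break                 # 'unknown' or junk: stop, do not guess past it
        if addr in trusted_proxies:
            continue              # one of ours, keep walking left
        return addr
    return peer                   # header empty or only our proxies: the peer itself


if __name__ == "__main__":
    for name, env in SAMPLES.items():
        print(f"{name:15s} ecshop={real_ip_like_ecshop(env):16s} "
              f"trusted-proxy={client_ip(env, TRUSTED_PROXIES)}")
```

Run as a script it prints both answers side by side: for the forged and 'unknown' cases the ecshop-style precedence yields 0.0.0.0 while the trusted-proxy walk yields the real peer, and for the IPv6 peer the digits-and-dots filter also collapses to 0.0.0.0. In the external-proxy chain the hardened resolver deliberately reports 203.98.182.163, the nearest proxy we do not control, because whatever that proxy wrote to the left of itself is only its claim.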
 

----------------------------------------------------------------------------------------------------

In web development, we are probably all used to obtaining the client IP address with code like the following.
C# code:

// Take the proxy-supplied IP address first
string ip = Request.ServerVariables["HTTP_X_FORWARDED_FOR"];
if (string.IsNullOrEmpty(ip)) {
    // No proxy: the directly connected client IP address
    ip = Request.ServerVariables["REMOTE_ADDR"];
}


The code above looks fine, but unfortunately it hides a danger! The value of HTTP_X_FORWARDED_FOR is taken straight from the X-Forwarded-For header of the request, so it hands an attacker a way to forge the IP address!
The following is the test code:

using System.IO;
using System.Net;

HttpWebRequest request = (HttpWebRequest)WebRequest.Create("http://localhost/ip.aspx");
// Forge the header that a proxy would normally add
request.Headers.Add("X-Forwarded-For", "0.0.0.0");
HttpWebResponse response = (HttpWebResponse)request.GetResponse();
StreamReader stream = new StreamReader(response.GetResponseStream());
string ip = stream.ReadToEnd();
stream.Close();
response.Close();
request = null;

The code of ip.aspx:

Response.Clear();
// Take the proxy-supplied IP address first
string ip = Request.ServerVariables["HTTP_X_FORWARDED_FOR"];
if (string.IsNullOrEmpty(ip))
{
    // No proxy: the directly connected client IP address
    ip = Request.ServerVariables["REMOTE_ADDR"];
}
Response.Write(ip);
Response.End();


When the test code requests ip.aspx, the value read by "string ip = stream.ReadToEnd();" is "0.0.0.0"! In practice that is certainly not the IP address we want. In a voting system that limits each IP address to one vote, if code like this is used to obtain the other party's IP address and then check it, the restriction is defeated.

Worse, if the IP address obtained with the code above is used without any further validation, the attacker may be able to go further and damage data. For example, if the IP address is written to the database with an SQL statement built like this (the table name is illustrative):

string sql = "insert into votes (ip) values ('" + ip + "')";

the attacker can use the forged header for SQL injection.

In that case, obtaining the client IP address through HTTP_X_FORWARDED_FOR no longer seems advisable. -_-# But if we stop using it, we can no longer see the real IP address of visitors who do come through a proxy server (because some proxy servers append the real IP address to the X-Forwarded-For header). Such is reality: something is lost either way...
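To show the damage path concretely, here is an added example (Python with sqlite3, not the C# code from the post) in which a forged X-Forwarded-For value flows into a concatenated INSERT like the one above, beside a version that first validates the value as an IP address and then binds it as a query parameter. The votes table, the payload string and the addresses are constructed for the example.

```python
import ipaddress
import sqlite3
from typing import Dict, Optional, Tuple

# Constructed payload: a forged X-Forwarded-For value that closes the quoted
# literal the concatenated INSERT opens and smuggles in a second row.
FORGED_XFF = "x'),('2.2.2.2"
HONEST_IP = "198.51.100.7"        # RFC 5737 documentation address, illustrative


def fresh_db() -> sqlite3.Connection:
    """In-memory database with the one table the example needs."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table votes (ip text not null)")
    return conn


def row_count(conn: sqlite3.Connection) -> int:
    return conn.execute("select count(*) from votes").fetchone()[0]


def record_vote_vulnerable(conn: sqlite3.Connection, ip: str) -> int:
    """The pattern from the post: the header value is glued into the SQL text.
    Returns the row count afterwards; one call with FORGED_XFF adds two rows."""
    sql = "insert into votes (ip) values ('" + ip + "')"
    conn.execute(sql)
    return row_count(conn)


def parameterised_only(ip: str) -> Tuple[int, str]:
    """Parameterisation alone: no validation, but the value travels as a bound
    parameter, so the payload is stored as an opaque string and adds one row."""
    conn = fresh_db()
    conn.execute("insert into votes (ip) values (?)", (ip,))
    stored = conn.execute("select ip from votes").fetchone()[0]
    return row_count(conn), stored


def record_vote_hardened(conn: sqlite3.Connection, ip: str) -> Optional[int]:
    """Both layers: the value must parse as an IP address before it is used for
    anything, and the query is parameterised. Returns None when rejected."""
    try:
        canonical = str(ipaddress.ip_address(ip.strip()))
    except ValueError:
        return None                # not an address: nothing is recorded
    conn.execute("insert into votes (ip) values (?)", (canonical,))
    return row_count(conn)


def run_demo() -> Dict[str, object]:
    vuln, hard = fresh_db(), fresh_db()
    return {
        "vulnerable_rows_after_one_insert": record_vote_vulnerable(vuln, FORGED_XFF),
        "vulnerable_stored": [r[0] for r in vuln.execute("select ip from votes order by ip")],
        "hardened_rejects_payload": record_vote_hardened(hard, FORGED_XFF) is None,
        "hardened_rows_after_honest_insert": record_vote_hardened(hard, HONEST_IP),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
    print("parameterised only:", parameterised_only(FORGED_XFF))
```

The two defences are independent: validation keeps garbage out of the application altogether (and out of any later "one vote per IP" comparison), while parameterisation guarantees that even a value that somehow reached the query could only ever be data, never SQL. Neither fixes the trust problem of reading the header in the first place; that is the job of the proxy-aware resolution discussed earlier.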

----------------------------------------------------------------------------------------------------

After reading these two posts, I finally understood why the IP address has to be checked with a regular expression after it is obtained. I used to take the client IP address directly from REMOTE_ADDR, and the idea of not validating it is silly and naive and must be severely criticised!
