The problem of IP address forgery in HTTP and the solution

Source: Internet
Author: User
Tags: nginx, server

In practice, PHP obtains the client IP address in one of the following ways:

(1) from $_SERVER["HTTP_CLIENT_IP"]

(2) from $_SERVER["HTTP_X_FORWARDED_FOR"]

(3) from $_SERVER["REMOTE_ADDR"]

It is important to note that every entry in PHP's $_SERVER array whose name starts with HTTP_ is a request header sent by the client to the server, which means this part can be forged. $_SERVER["REMOTE_ADDR"], by contrast, is filled in by the server from the TCP connection and cannot be forged (if it could, the server would have no way to deliver its response to the correct client).

HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR can be forged from PHP with cURL simply by adding the headers to the outgoing request:

    // both headers are plain request headers, so the sender chooses their value
    curl_setopt($ch, CURLOPT_HTTPHEADER, array('X-Forwarded-For: ' . $ip, 'Client-IP: ' . $ip));

At first I did not know what $_SERVER["HTTP_X_FORWARDED_FOR"] was, so I looked it up and summarized it: X-Forwarded-For is an HTTP extension header. HTTP/1.1 (RFC 2616) does not define it; it was first introduced by the Squid caching proxy to carry the real IP address of the requesting side. Its basic format is X-Forwarded-For: client, proxy1, proxy2 (it is used when a reverse proxy or load balancer is present, and it too can be forged).

Without a reverse proxy or load balancer, the server obtains the real client IP address from $_SERVER["REMOTE_ADDR"].

Behind a reverse proxy or load balancer, $_SERVER["REMOTE_ADDR"] holds not the client's IP address but the IP address of the reverse proxy or load balancer (details below).

REMOTE_ADDR is set from the address of whichever host opened the connection that delivered the request to the PHP parser, i.e. the TCP peer of that server. When Nginx is the reverse proxy, the web server behind it that hands the request to PHP therefore sees Nginx's own IP address as REMOTE_ADDR.

How can the real client IP address be obtained when a reverse proxy or load balancer is present? The solution is as follows:

On the Nginx server (the proxy), set the HTTP_X_FORWARDED_FOR parameter in the PHP location block:

    location ~ \.php$ {
        fastcgi_pass localhost:9000;
        fastcgi_param HTTP_X_FORWARDED_FOR $remote_addr;
    }

The HTTP_X_FORWARDED_FOR parameter Nginx passes to PHP-FPM is now the client address Nginx itself saw on the connection ($remote_addr), so the PHP script can read $_SERVER["HTTP_X_FORWARDED_FOR"] directly to obtain the real client IP address. Because Nginx sets this FastCGI parameter explicitly, it replaces any X-Forwarded-For value the client sent in its own request, which would otherwise have been passed through as the same HTTP_ parameter.
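As an added example (not code from the original article), the PHP function below applies the two points made above, that HTTP_* entries are client-supplied while REMOTE_ADDR is not, and that X-Forwarded-For is a chain of client, proxy1, proxy2; it generalizes the single-Nginx fix to a list of known proxy addresses, which are assumed values here.

```php
<?php
// Added example, not code from the original article. Resolves the client IP
// from a $_SERVER-style array by trusting X-Forwarded-For only when the TCP
// peer (REMOTE_ADDR) is one of our own reverse proxies; the proxy addresses
// below are assumed for illustration.
function client_ip(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';

    // Not behind a proxy we control: every HTTP_* entry was sent by the client,
    // so REMOTE_ADDR is the only value that cannot have been forged.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }

    // Behind our proxy: X-Forwarded-For reads "client, proxy1, proxy2", each
    // proxy appending the peer it saw. Entries are trustworthy only from the
    // right end inward, so walk the chain backwards past our own proxies.
    $xff  = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    $hops = array_reverse(array_map('trim', explode(',', $xff)));
    foreach ($hops as $hop) {
        if (in_array($hop, $trustedProxies, true)) {
            continue;                       // appended by one of our proxies
        }
        // The first address not added by us is the peer our outermost proxy saw.
        // Anything further left was supplied by the client and is ignored.
        // A malformed entry falls back to the proxy address rather than to
        // client-controlled text.
        return filter_var($hop, FILTER_VALIDATE_IP) !== false ? $hop : $remote;
    }
    return $remote;                         // header empty or only our proxies
}

$trusted = ['10.0.0.2', '10.0.0.3'];        // assumed addresses of our Nginx proxies

// Direct connection from a client that forged the header: the header is ignored
// and the function returns 198.51.100.9.
$direct = ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_X_FORWARDED_FOR' => '1.2.3.4'];
echo "direct:  ", client_ip($direct, $trusted), "\n";

// The same forged value arriving through our two proxies, which appended the real
// client (203.0.113.7) and the first proxy: the forged entry is skipped.
$proxied = ['REMOTE_ADDR' => '10.0.0.3',
            'HTTP_X_FORWARDED_FOR' => '1.2.3.4, 203.0.113.7, 10.0.0.2'];
echo "proxied: ", client_ip($proxied, $trusted), "\n";
```

When Nginx is the only hop in front of PHP-FPM, the fastcgi_param fix above is the simpler equivalent; the function is for setups where a load balancer sits in front of Nginx as well.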

