WHMCS (PHP program): preventing IP spoofing via a forged X-Forwarded-For header

Source: Internet
Author: User
Tags whmcs

I have previously published an article on how to prevent X-Forwarded-For forgery when multiple proxies are in use.

That article only applies where a proxy server is in use. Without a proxy the problem should rarely arise, but some careless PHP programs cannot be ruled out: whenever X-Forwarded-For is non-empty, they use it unconditionally as the visitor's real IP address. Behind a CDN that happens to yield the visitor's correct address, because the CDN sets the header. Without a CDN, X-Forwarded-For is just an ordinary request header, and its content is whatever the client chose to send ......

Isn't that a perfect opportunity for attackers?

The well-known WHMCS is one of them!

In fact, the fix is simply to delete code like the following from the PHP program:

$_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR'];

However, WHMCS is not an open-source PHP program: its files are protected with ionCube encoding. Unless they are decoded, it is impossible to modify the source and remove that code.

Fortunately, WHMCS has one file that is not encoded and is loaded globally: configuration.php

Since WHMCS uses the variable $_SERVER['HTTP_X_FORWARDED_FOR'] as the visitor's real IP address, we only need to assign $_SERVER['REMOTE_ADDR'] (the $remote_addr explained in the previous article, i.e. the address of the TCP peer, which a client cannot forge the way it can forge a header) to $_SERVER['HTTP_X_FORWARDED_FOR'] in configuration.php. Add the following line between the <?php and ?> tags of configuration.php:

<?php
......
$_SERVER['HTTP_X_FORWARDED_FOR'] = $_SERVER['REMOTE_ADDR'];
......
?>

Finally, a reminder: this method only prevents forged IP addresses on sites that are not behind a reverse proxy (a CDN, for example). Behind a reverse proxy, REMOTE_ADDR is the proxy's address, so overwriting the header with it would record the proxy's IP for every visitor; in that situation X-Forwarded-For must be trusted, but only when the request actually arrived from one of your own proxies, and only the hop that proxy appended, not whatever the client put in front of it. If you are on shared hosting with a CDN and cannot modify the server configuration, you have no choice but the "high-risk" method of taking the visitor's real IP address from the header.
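The following is an added example, not code from the original article and not WHMCS's own code. It generalises the one-line configuration.php override above into a trusted-proxy-aware version: when the request does not come from a proxy you have listed, X-Forwarded-For is ignored and overwritten with REMOTE_ADDR exactly as the article does; when it does come from a listed proxy, the header is walked from the right and the first hop that is not one of your proxies is taken as the client. The $TRUSTED_PROXIES addresses, the helper names and the sample values are assumptions for illustration; with the list left empty the code reduces to the article's one-liner.

```php
<?php
// Added example (not from the original article, not WHMCS code).
// Drop-in for configuration.php: it decides the client IP from REMOTE_ADDR plus
// a trusted-proxy list, then writes the vetted value into HTTP_X_FORWARDED_FOR,
// the variable WHMCS reads. The proxy addresses below are hypothetical.

// Hypothetical trusted reverse proxies / CDN edges. Leave EMPTY when the site
// is not behind a proxy: then X-Forwarded-For is never trusted at all.
$TRUSTED_PROXIES = [
    '10.0.0.0/8',    // assumed internal load-balancer range
    '203.0.113.5',   // assumed single reverse-proxy host (documentation address)
];

// True if $ip is equal to, or inside, the address/CIDR given in $cidr.
// Works for IPv4 and IPv6 by comparing the packed binary forms.
function ip_in_cidr(string $ip, string $cidr): bool {
    if (strpos($cidr, '/') === false) {
        return inet_pton($ip) !== false && inet_pton($ip) === inet_pton($cidr);
    }
    [$subnet, $bits] = explode('/', $cidr, 2);
    $ipBin  = inet_pton($ip);
    $netBin = inet_pton($subnet);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // malformed address, or IPv4 compared against IPv6
    }
    $bits  = (int) $bits;
    $bytes = intdiv($bits, 8);
    $rem   = $bits % 8;
    if (substr($ipBin, 0, $bytes) !== substr($netBin, 0, $bytes)) {
        return false;
    }
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF; // leading $rem bits of the next byte
    return (ord($ipBin[$bytes]) & $mask) === (ord($netBin[$bytes]) & $mask);
}

function is_trusted_proxy(string $ip, array $proxies): bool {
    foreach ($proxies as $p) {
        if (ip_in_cidr($ip, $p)) {
            return true;
        }
    }
    return false;
}

// Resolve the client IP. X-Forwarded-For is consulted ONLY when the TCP peer
// (REMOTE_ADDR) is a trusted proxy. The list is then walked from the right:
// each trusted proxy appends the address it saw, so the right-most entry that
// is not one of our proxies is the real client. Anything the client forged
// sits further left and is never reached.
function resolve_client_ip(string $remoteAddr, ?string $xff, array $proxies): string {
    if ($xff === null || trim($xff) === '' || !is_trusted_proxy($remoteAddr, $proxies)) {
        return $remoteAddr; // no proxy in front of us: the header is untrusted input
    }
    $hops = array_map('trim', explode(',', $xff));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remoteAddr; // garbage where a proxy should have written an IP
        }
        if (!is_trusted_proxy($hop, $proxies)) {
            return $hop;
        }
    }
    return $remoteAddr; // every hop was one of our own proxies
}

// Apply the override at request time, in the same spirit as the article's
// one-liner: WHMCS now only ever sees a vetted address in the header.
$client = resolve_client_ip(
    $_SERVER['REMOTE_ADDR'] ?? '',
    $_SERVER['HTTP_X_FORWARDED_FOR'] ?? null,
    $TRUSTED_PROXIES
);
$_SERVER['HTTP_X_FORWARDED_FOR'] = $client;
```

With $TRUSTED_PROXIES empty, a direct request carrying a forged "X-Forwarded-For: 1.2.3.4" is resolved to the TCP peer address, which is the article's fix. With a proxy listed and the request arriving from that proxy, a header of "1.2.3.4, <peer-of-proxy>" resolves to the address the proxy appended, not the 1.2.3.4 the client prepended. For a CDN the list must contain the CDN's published edge ranges, and the same check should be applied to any other client-supplied address header (such as a vendor-specific "real IP" header) before it is trusted.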

