如何正确使用 HTTP_X_FORWARDED_FOR?

问题描述

好的，我有一个小的身份验证问题.我的网络服务允许使用用户名和密码通过 HTTP 连接到我的 API，但此连接也可以限制为特定的 IP 地址.

Alright, I have an small authentication issue. My web service allows to connect to my API over HTTP with a username and password, but this connection can also be restricted to a specific IP address.

这意味着 $_SERVER['REMOTE_ADDR'] 可能不正确.我已经知道，任何 IP 信息都无法真正被依赖——我有这个限制只是为了增加另一层安全性.

This means that the $_SERVER['REMOTE_ADDR'] can be incorrect. I already know that any IP information can never truly be relied upon - I have the restriction only in an attempt to add another layer of security.

如果这是对我的网络服务器的请求的一般概述:

If this is the general overview of a request to my web server:

clientSERVER =>clientPROXY =>myPROXY =>我的服务器

那么这意味着 mySERVER 显示 myPROXY 的 REMOTE_ADDR 而不是客户端的，并将客户端的实际 IP 作为 HTTP_X_FORWARDED_FOR 发送.

Then this means that mySERVER shows REMOTE_ADDR of myPROXY instead of that of the client and sends the actual IP of the client as HTTP_X_FORWARDED_FOR.

为了克服这个问题，我的网络服务有一个受信任的代理"IP 地址列表，如果 REMOTE_ADDR 来自这些受信任的 IP 地址之一，那么它会告诉我的网络服务实际的 IP 地址是 HTTP_X_FORWARDED_FOR 的值.

To overcome this, my web service has a list of 'trusted proxy' IP addresses and if REMOTE_ADDR is from one of those trusted IP addresses, then it tells my web service that the actual IP address is the value of HTTP_X_FORWARDED_FOR.

现在问题出在 clientPROXY 上.这意味着(经常)mySERVER 获得具有多个 IP 地址的 HTTP_X_FORWARDED_FOR 值.根据 HTTP_X_FORWARDED_FOR 文档，该值是一个以逗号分隔的 IP 地址列表，其中第一个 IP 是实际真实客户端的 IP 地址，其他所有 IP 地址都是代理的 IP 地址.

Now the problem is with clientPROXY. This means that (quite often) mySERVER gets HTTP_X_FORWARDED_FOR value that has multiple IP addresses. According to HTTP_X_FORWARDED_FOR documentation, the value is a comma-separated list of IP addresses where the first IP is that of the actual true client and every other IP address is that of a proxy.

因此，如果 HTTP_X_FORWARDED_FOR 有多个值并且我的服务受 IP 限制，我是否必须对照允许的 IP 列表检查 HTTP_X_FORWARDED_FOR 的最后"值忽略实际的客户端 IP?

So, if HTTP_X_FORWARDED_FOR has multiple values and my service is IP restricted, do I have to check the 'last' value of HTTP_X_FORWARDED_FOR against my allowed IP list and just ignore the actual client IP?

我假设在一个系统中，我必须设置允许的 IP 地址列表，列入白名单的 IP 地址应该是代理的 IP 地址而不是代理后面的 IP(因为它可能是一些本地主机 IP 和经常变化).

I assume that in a system, where I have to set the list of allowed IP addresses, the whitelisted IP address should be that of a proxy and not an IP that is behind the proxy (since that could be some localhost IP and change frequently).

HTTP_CLIENT_IP 呢?

推荐答案

您可以使用此功能获取正确的客户端IP:

You can use this function to get proper client IP:

public function getClientIP(){       
     if (array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER)){
            return  $_SERVER["HTTP_X_FORWARDED_FOR"];  
     }else if (array_key_exists('REMOTE_ADDR', $_SERVER)) { 
            return $_SERVER["REMOTE_ADDR"]; 
     }else if (array_key_exists('HTTP_CLIENT_IP', $_SERVER)) {
            return $_SERVER["HTTP_CLIENT_IP"]; 
     } 

     return '';
}

这篇关于如何正确使用 HTTP_X_FORWARDED_FOR?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持跟版网！