如何正确使用 HTTP_X_FORWARDED_FOR?
好的,我有一个小的身份验证问题.我的网络服务允许使用用户名和密码通过 HTTP 连接到我的 API,但此连接也可以限制为特定的 IP 地址.
Alright, I have an small authentication issue. My web service allows to connect to my API over HTTP with a username and password, but this connection can also be restricted to a specific IP address.
这意味着 $_SERVER['REMOTE_ADDR'] 可能不正确.我已经知道,任何 IP 信息都无法真正被依赖——我有这个限制只是为了增加另一层安全性.
This means that the $_SERVER['REMOTE_ADDR'] can be incorrect. I already know that any IP information can never truly be relied upon - I have the restriction only in an attempt to add another layer of security.
如果这是对我的网络服务器的请求的一般概述:
If this is the general overview of a request to my web server:
clientSERVER =>clientPROXY =>myPROXY =>我的服务器
那么这意味着 mySERVER 显示 myPROXY 的 REMOTE_ADDR 而不是客户端的,并将客户端的实际 IP 作为 HTTP_X_FORWARDED_FOR 发送.
Then this means that mySERVER shows REMOTE_ADDR of myPROXY instead of that of the client and sends the actual IP of the client as HTTP_X_FORWARDED_FOR.
为了克服这个问题,我的网络服务有一个受信任的代理"IP 地址列表,如果 REMOTE_ADDR 来自这些受信任的 IP 地址之一,那么它会告诉我的网络服务实际的 IP 地址是 HTTP_X_FORWARDED_FOR 的值.
To overcome this, my web service has a list of 'trusted proxy' IP addresses and if REMOTE_ADDR is from one of those trusted IP addresses, then it tells my web service that the actual IP address is the value of HTTP_X_FORWARDED_FOR.
现在问题出在 clientPROXY 上.这意味着(经常)mySERVER 获得具有多个 IP 地址的 HTTP_X_FORWARDED_FOR 值.根据 HTTP_X_FORWARDED_FOR 文档,该值是一个以逗号分隔的 IP 地址列表,其中第一个 IP 是实际真实客户端的 IP 地址,其他所有 IP 地址都是代理的 IP 地址.
Now the problem is with clientPROXY. This means that (quite often) mySERVER gets HTTP_X_FORWARDED_FOR value that has multiple IP addresses. According to HTTP_X_FORWARDED_FOR documentation, the value is a comma-separated list of IP addresses where the first IP is that of the actual true client and every other IP address is that of a proxy.
因此,如果 HTTP_X_FORWARDED_FOR 有多个值并且我的服务受 IP 限制,我是否必须对照允许的 IP 列表检查 HTTP_X_FORWARDED_FOR 的最后"值忽略实际的客户端 IP?
So, if HTTP_X_FORWARDED_FOR has multiple values and my service is IP restricted, do I have to check the 'last' value of HTTP_X_FORWARDED_FOR against my allowed IP list and just ignore the actual client IP?
我假设在一个系统中,我必须设置允许的 IP 地址列表,列入白名单的 IP 地址应该是代理的 IP 地址而不是代理后面的 IP(因为它可能是一些本地主机 IP 和经常变化).
I assume that in a system, where I have to set the list of allowed IP addresses, the whitelisted IP address should be that of a proxy and not an IP that is behind the proxy (since that could be some localhost IP and change frequently).
HTTP_CLIENT_IP 呢?
推荐答案
您可以使用此功能获取正确的客户端IP:
You can use this function to get proper client IP:
public function getClientIP(){
if (array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER)){
return $_SERVER["HTTP_X_FORWARDED_FOR"];
}else if (array_key_exists('REMOTE_ADDR', $_SERVER)) {
return $_SERVER["REMOTE_ADDR"];
}else if (array_key_exists('HTTP_CLIENT_IP', $_SERVER)) {
return $_SERVER["HTTP_CLIENT_IP"];
}
return '';
}
相关文章