How to use HTTP X FORWARDED FOR properly

Question

Alright  I have an small authentication issue  My web service allows to connect to my API over HTTP with a username and password  but this connection can also be restricted to a specific IP address   This means that the   SERVER  REMOTE ADDR   can be incorrect  I already know that any IP information can never truly be relied upon - I have the restriction only in an attempt to add another layer of security   If this is the general overview of a request to my web server   clientSERVER   gt  clientPROXY   gt  myPROXY   gt  mySERVER  Then this means that mySERVER shows REMOTE ADDR of myPROXY instead of that of the client and sends the actual IP of the client as HTTP X FORWARDED FOR   To overcome this  my web service has a list of  trusted proxy  IP addresses and if REMOTE ADDR is from one of those trusted IP addresses  then it tells my web service that the actual IP address is the value of HTTP X FORWARDED FOR   Now the problem is with clientPROXY  This means that  quite often  mySERVER gets HTTP X FORWARDED FOR value that has multiple IP addresses  According to HTTP X FORWARDED FOR documentation  the value is a comma-separated list of IP addresses where the first IP is that of the actual true client and every other IP address is that of a proxy   So  if HTTP X FORWARDED FOR has multiple values and my service is IP restricted  do I have to check the  last  value of HTTP X FORWARDED FOR against my allowed IP list and just ignore the actual client IP   I assume that in a system  where I have to set the list of allowed IP addresses  the whitelisted IP address should be that of a proxy and not an IP that is behind the proxy  since that could be some localhost IP and change frequently    And what of HTTP CLIENT IP

User · Answer

If you use it in a database  this is a good way   Set the ip field in database to varchar 250   and then use this    theip     SERVER  REMOTE ADDR     if   empty   SERVER  HTTP X FORWARDED FOR            theip          SERVER  HTTP X FORWARDED FOR           if   empty   SERVER  HTTP CLIENT IP            theip          SERVER  HTTP CLIENT IP            realip   substr  theip  0  250     Then you just check  realip against the database ip field

User · Answer

You can also solve this problem via Apache configuration using mod remoteip  by adding the following to a conf d file   RemoteIPHeader X-Forwarded-For RemoteIPInternalProxy 172 16 0 0 12 LogFormat   a  l  u  t    r     gt s  b     Referer i       User-Agent i    combined

User · Answer

HTTP CLIENT IP is the most reliable way of getting the user s IP address  Next is HTTP X FORWARDED FOR  followed by REMOTE ADDR  Check all three  in that order  assuming that the first one that is set  isset   SERVER  HTTP CLIENT IP    returns true if that variable is set  is correct  You can independently check if the user is using a proxy using various methods  Check this out

User · Answer

I like Hrishikesh s answer  to which I only have this to add   because we saw a comma-delimited string coming across when multiple proxies along the way were used  we found it necessary to add an explode and grab the final value  like this    IParray array values array filter explode       SERVER  HTTP X FORWARDED FOR       return end  IParray     the array filter is in there to remove empty entries

User · Answer

You can use this function to get proper client IP   public function getClientIP                if  array key exists  HTTP X FORWARDED FOR     SERVER                return    SERVER  HTTP X FORWARDED FOR            else if  array key exists  REMOTE ADDR     SERVER                  return   SERVER  REMOTE ADDR           else if  array key exists  HTTP CLIENT IP     SERVER                 return   SERVER  HTTP CLIENT IP                   return

User · Answer

In the light of the latest httpoxy vulnerabilities  there is really a need for a full example  how to use HTTP X FORWARDED FOR properly   So here is an example written in PHP  how to detect a client IP address  if you know that client may be behind a proxy and you know this proxy can be trusted  If you don t known any trusted proxies  just use REMOTE ADDR   lt  php  function get client ip             Nothing to do without any reliable information     if   isset    SERVER  REMOTE ADDR               return NULL                Header that is used by the trusted proxy to refer to        the original IP      proxy header    HTTP X FORWARDED FOR           List of all the proxies that are known to handle  proxy header         in known  safe manner      trusted proxies   array   2001 db8  1    192 168 50 1         if  in array    SERVER  REMOTE ADDR     trusted proxies                 Get the IP address of the client behind trusted proxy         if  array key exists   proxy header    SERVER                     Header can contain multiple IP-s of proxies that are passed through                 Only the IP added by the last proxy  last IP in the list  can be trusted               proxy list   explode         SERVER  proxy header                 client ip   trim  end   proxy list                    Validate just in case             if  filter var   client ip  FILTER VALIDATE IP                     return  client ip                else                      Validation failed - beat the guy who configured the proxy or                    the guy who created the trusted proxy list                     TODO  some error handling to notify about the need of punishment                                       In all other cases  REMOTE ADDR is the ONLY IP we can trust      return   SERVER  REMOTE ADDR       print get client ip        gt

[php] How to use HTTP_X_FORWARDED_FOR properly?

Examples related to php

Examples related to proxy

Examples related to ip

Examples related to forwarding