我知道有大量的$_SERVER变量头可用于IP地址检索。我想知道是否有一个普遍的共识,如何最准确地检索用户的真实IP地址(好知道没有方法是完美的)使用上述变量?
我花了一些时间试图找到一个深入的解决方案,并根据一些来源提出了以下代码。如果有人能在答案中找出漏洞,或者提供一些更准确的信息,我会很高兴。
edit包含来自@Alix的优化
/**
* Retrieves the best guess of the client's actual IP address.
* Takes into account numerous HTTP proxy headers due to variations
* in how different ISPs handle IP addresses in headers between hops.
*/
public function get_ip_address() {
// Check for shared internet/ISP IP
if (!empty($_SERVER['HTTP_CLIENT_IP']) && $this->validate_ip($_SERVER['HTTP_CLIENT_IP']))
return $_SERVER['HTTP_CLIENT_IP'];
// Check for IPs passing through proxies
if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
// Check if multiple IP addresses exist in var
$iplist = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
foreach ($iplist as $ip) {
if ($this->validate_ip($ip))
return $ip;
}
}
}
if (!empty($_SERVER['HTTP_X_FORWARDED']) && $this->validate_ip($_SERVER['HTTP_X_FORWARDED']))
return $_SERVER['HTTP_X_FORWARDED'];
if (!empty($_SERVER['HTTP_X_CLUSTER_CLIENT_IP']) && $this->validate_ip($_SERVER['HTTP_X_CLUSTER_CLIENT_IP']))
return $_SERVER['HTTP_X_CLUSTER_CLIENT_IP'];
if (!empty($_SERVER['HTTP_FORWARDED_FOR']) && $this->validate_ip($_SERVER['HTTP_FORWARDED_FOR']))
return $_SERVER['HTTP_FORWARDED_FOR'];
if (!empty($_SERVER['HTTP_FORWARDED']) && $this->validate_ip($_SERVER['HTTP_FORWARDED']))
return $_SERVER['HTTP_FORWARDED'];
// Return unreliable IP address since all else failed
return $_SERVER['REMOTE_ADDR'];
}
/**
* Ensures an IP address is both a valid IP address and does not fall within
* a private network range.
*
* @access public
* @param string $ip
*/
public function validate_ip($ip) {
if (filter_var($ip, FILTER_VALIDATE_IP,
FILTER_FLAG_IPV4 |
FILTER_FLAG_IPV6 |
FILTER_FLAG_NO_PRIV_RANGE |
FILTER_FLAG_NO_RES_RANGE) === false)
return false;
self::$ip = $ip;
return true;
}
警告之词(更新)
REMOTE_ADDR仍然表示最可靠的IP地址来源。这里提到的其他$_SERVER变量很容易被远程客户端欺骗。此解决方案的目的是试图确定位于代理后面的客户机的IP地址。出于一般目的,您可以考虑将其与直接从$_SERVER['REMOTE_ADDR']返回的IP地址结合使用,并存储两者。
对于99.9%的用户,这个解决方案将完美地满足您的需求。它不能保护您免受0.1%的恶意用户通过注入他们自己的请求头来滥用您的系统。如果某些关键任务依赖于IP地址,请使用REMOTE_ADDR,而不必费心满足代理背后的需求。
如果你使用CloudFlare缓存层服务,下面是修改后的版本
function getIP()
{
$fields = array('HTTP_X_FORWARDED_FOR',
'REMOTE_ADDR',
'HTTP_CF_CONNECTING_IP',
'HTTP_X_CLUSTER_CLIENT_IP');
foreach($fields as $f)
{
$tries = $_SERVER[$f];
if (empty($tries))
continue;
$tries = explode(',',$tries);
foreach($tries as $try)
{
$r = filter_var($try,
FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 |
FILTER_FLAG_NO_PRIV_RANGE |
FILTER_FLAG_NO_RES_RANGE);
if ($r !== false)
{
return $try;
}
}
}
return false;
}
下面是一种更简洁的获取IP地址的方法:
function get_ip_address(){
foreach (array('HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_X_CLUSTER_CLIENT_IP', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'REMOTE_ADDR') as $key){
if (array_key_exists($key, $_SERVER) === true){
foreach (explode(',', $_SERVER[$key]) as $ip){
$ip = trim($ip); // just to be safe
if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false){
return $ip;
}
}
}
}
}
你的代码似乎已经很完整了,我看不到任何可能的错误(除了通常的IP警告),我会改变validate_ip()函数依赖于过滤器扩展:
public function validate_ip($ip)
{
if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false)
{
return false;
}
self::$ip = sprintf('%u', ip2long($ip)); // you seem to want this
return true;
}
你的HTTP_X_FORWARDED_FOR代码片段也可以这样简化:
// check for IPs passing through proxies
if (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
{
// check if multiple ips exist in var
if (strpos($_SERVER['HTTP_X_FORWARDED_FOR'], ',') !== false)
{
$iplist = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
foreach ($iplist as $ip)
{
if ($this->validate_ip($ip))
return $ip;
}
}
else
{
if ($this->validate_ip($_SERVER['HTTP_X_FORWARDED_FOR']))
return $_SERVER['HTTP_X_FORWARDED_FOR'];
}
}
:
// check for IPs passing through proxies
if (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
{
$iplist = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
foreach ($iplist as $ip)
{
if ($this->validate_ip($ip))
return $ip;
}
}
您可能还想验证IPv6地址。
/**
* Sanitizes IPv4 address according to Ilia Alshanetsky's book
* "php|architect?s Guide to PHP Security", chapter 2, page 67.
*
* @param string $ip An IPv4 address
*/
public static function sanitizeIpAddress($ip = '')
{
if ($ip == '')
{
$rtnStr = '0.0.0.0';
}
else
{
$rtnStr = long2ip(ip2long($ip));
}
return $rtnStr;
}
//---------------------------------------------------
/**
* Returns the sanitized HTTP_X_FORWARDED_FOR server variable.
*
*/
public static function getXForwardedFor()
{
if (isset($_SERVER['HTTP_X_FORWARDED_FOR']))
{
$rtnStr = $_SERVER['HTTP_X_FORWARDED_FOR'];
}
elseif (isset($HTTP_SERVER_VARS['HTTP_X_FORWARDED_FOR']))
{
$rtnStr = $HTTP_SERVER_VARS['HTTP_X_FORWARDED_FOR'];
}
elseif (getenv('HTTP_X_FORWARDED_FOR'))
{
$rtnStr = getenv('HTTP_X_FORWARDED_FOR');
}
else
{
$rtnStr = '';
}
// Sanitize IPv4 address (Ilia Alshanetsky):
if ($rtnStr != '')
{
$rtnStr = explode(', ', $rtnStr);
$rtnStr = self::sanitizeIpAddress($rtnStr[0]);
}
return $rtnStr;
}
//---------------------------------------------------
/**
* Returns the sanitized REMOTE_ADDR server variable.
*
*/
public static function getRemoteAddr()
{
if (isset($_SERVER['REMOTE_ADDR']))
{
$rtnStr = $_SERVER['REMOTE_ADDR'];
}
elseif (isset($HTTP_SERVER_VARS['REMOTE_ADDR']))
{
$rtnStr = $HTTP_SERVER_VARS['REMOTE_ADDR'];
}
elseif (getenv('REMOTE_ADDR'))
{
$rtnStr = getenv('REMOTE_ADDR');
}
else
{
$rtnStr = '';
}
// Sanitize IPv4 address (Ilia Alshanetsky):
if ($rtnStr != '')
{
$rtnStr = explode(', ', $rtnStr);
$rtnStr = self::sanitizeIpAddress($rtnStr[0]);
}
return $rtnStr;
}
//---------------------------------------------------
/**
* Returns the sanitized remote user and proxy IP addresses.
*
*/
public static function getIpAndProxy()
{
$xForwarded = self::getXForwardedFor();
$remoteAddr = self::getRemoteAddr();
if ($xForwarded != '')
{
$ip = $xForwarded;
$proxy = $remoteAddr;
}
else
{
$ip = $remoteAddr;
$proxy = '';
}
return array($ip, $proxy);
}
就像之前有人说的,这里的关键在于你为什么想要存储用户的ip。
我将从我工作的注册系统中给出一个例子,当然解决方案只是为了在这个经常出现在我搜索中的旧讨论中贡献一些东西。
许多php注册库使用ip来限制/锁定基于用户ip的失败尝试。
看看这张表:
-- mysql
DROP TABLE IF EXISTS `attempts`;
CREATE TABLE `attempts` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`ip` varchar(39) NOT NULL, /*<<=====*/
`expiredate` datetime NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-- sqlite
...
然后,当用户尝试登录或任何与重置密码相关的服务时,在开始时调用一个函数:
public function isBlocked() {
/*
* used one of the above methods to capture user's ip!!!
*/
$ip = $this->ip;
// delete attempts from this ip with 'expiredate' in the past
$this->deleteAttempts($ip, false);
$query = $this->dbh->prepare("SELECT count(*) FROM {$this->token->get('table_attempts')} WHERE ip = ?");
$query->execute(array($ip));
$attempts = $query->fetchColumn();
if ($attempts < intval($this->token->get('attempts_before_verify'))) {
return "allow";
}
if ($attempts < intval($this->token->get('attempts_before_ban'))) {
return "captcha";
}
return "block";
}
例如,$this->令牌->get('attempts_before_ban') === 10和2个用户来相同的ips,就像前面的代码中头部可以被欺骗的情况一样,然后在5次尝试后,两者都被禁止!
更糟糕的是,如果所有用户都来自同一个代理,那么只有前10个用户将被记录,其余的用户将被禁止!
这里的关键是我们需要一个表尝试的唯一索引,我们可以从这样的组合中获得它:
`ip` varchar(39) NOT NULL,
`jwt_load varchar(100) NOT NULL
其中jwt_load来自一个遵循json web令牌技术的HTTP cookie,我们只存储加密的有效负载,应该包含每个用户的任意/唯一值。
当然,请求应该修改为:"SELECT count(*) FROM {$this->token->get('table_attempts')} WHERE ip = ?AND jwt_load = ?"并且该类还应该初始化一个私有的$jwt。
谢谢,非常有用。
如果代码在语法上是正确的,这将会有所帮助。在第20行有一个{too many。这恐怕意味着没人真正尝试过。
我可能疯了,但在尝试了一些有效和无效的地址后,validate_ip()唯一有效的版本是这样的:
public function validate_ip($ip)
{
if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE) === false)
return false;
if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_RES_RANGE) === false)
return false;
if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false && filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) === false)
return false;
return true;
}
虽然这篇文章很老了,但这个话题仍然值得关注。所以我在我的项目中使用了另一个解决方案。我在这里找到了其他的解决方案,要么不完整,要么太复杂,难以理解。
if (! function_exists('get_visitor_IP'))
{
/**
* Get the real IP address from visitors proxy. e.g. Cloudflare
*
* @return string IP
*/
function get_visitor_IP()
{
// Get real visitor IP behind CloudFlare network
if (isset($_SERVER["HTTP_CF_CONNECTING_IP"])) {
$_SERVER['REMOTE_ADDR'] = $_SERVER["HTTP_CF_CONNECTING_IP"];
$_SERVER['HTTP_CLIENT_IP'] = $_SERVER["HTTP_CF_CONNECTING_IP"];
}
// Sometimes the `HTTP_CLIENT_IP` can be used by proxy servers
$ip = @$_SERVER['HTTP_CLIENT_IP'];
if (filter_var($ip, FILTER_VALIDATE_IP)) {
return $ip;
}
// Sometimes the `HTTP_X_FORWARDED_FOR` can contain more than IPs
$forward_ips = @$_SERVER['HTTP_X_FORWARDED_FOR'];
if ($forward_ips) {
$all_ips = explode(',', $forward_ips);
foreach ($all_ips as $ip) {
if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)){
return $ip;
}
}
}
return $_SERVER['REMOTE_ADDR'];
}
}
