我知道有大量的$_SERVER变量头可用于IP地址检索。我想知道是否有一个普遍的共识,如何最准确地检索用户的真实IP地址(好知道没有方法是完美的)使用上述变量?
我花了一些时间试图找到一个深入的解决方案,并根据一些来源提出了以下代码。如果有人能在答案中找出漏洞,或者提供一些更准确的信息,我会很高兴。
edit包含来自@Alix的优化
/**
* Retrieves the best guess of the client's actual IP address.
* Takes into account numerous HTTP proxy headers due to variations
* in how different ISPs handle IP addresses in headers between hops.
*/
public function get_ip_address() {
// Check for shared internet/ISP IP
if (!empty($_SERVER['HTTP_CLIENT_IP']) && $this->validate_ip($_SERVER['HTTP_CLIENT_IP']))
return $_SERVER['HTTP_CLIENT_IP'];
// Check for IPs passing through proxies
if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
// Check if multiple IP addresses exist in var
$iplist = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
foreach ($iplist as $ip) {
if ($this->validate_ip($ip))
return $ip;
}
}
}
if (!empty($_SERVER['HTTP_X_FORWARDED']) && $this->validate_ip($_SERVER['HTTP_X_FORWARDED']))
return $_SERVER['HTTP_X_FORWARDED'];
if (!empty($_SERVER['HTTP_X_CLUSTER_CLIENT_IP']) && $this->validate_ip($_SERVER['HTTP_X_CLUSTER_CLIENT_IP']))
return $_SERVER['HTTP_X_CLUSTER_CLIENT_IP'];
if (!empty($_SERVER['HTTP_FORWARDED_FOR']) && $this->validate_ip($_SERVER['HTTP_FORWARDED_FOR']))
return $_SERVER['HTTP_FORWARDED_FOR'];
if (!empty($_SERVER['HTTP_FORWARDED']) && $this->validate_ip($_SERVER['HTTP_FORWARDED']))
return $_SERVER['HTTP_FORWARDED'];
// Return unreliable IP address since all else failed
return $_SERVER['REMOTE_ADDR'];
}
/**
* Ensures an IP address is both a valid IP address and does not fall within
* a private network range.
*
* @access public
* @param string $ip
*/
public function validate_ip($ip) {
if (filter_var($ip, FILTER_VALIDATE_IP,
FILTER_FLAG_IPV4 |
FILTER_FLAG_IPV6 |
FILTER_FLAG_NO_PRIV_RANGE |
FILTER_FLAG_NO_RES_RANGE) === false)
return false;
self::$ip = $ip;
return true;
}
警告之词(更新)
REMOTE_ADDR仍然表示最可靠的IP地址来源。这里提到的其他$_SERVER变量很容易被远程客户端欺骗。此解决方案的目的是试图确定位于代理后面的客户机的IP地址。出于一般目的,您可以考虑将其与直接从$_SERVER['REMOTE_ADDR']返回的IP地址结合使用,并存储两者。
对于99.9%的用户,这个解决方案将完美地满足您的需求。它不能保护您免受0.1%的恶意用户通过注入他们自己的请求头来滥用您的系统。如果某些关键任务依赖于IP地址,请使用REMOTE_ADDR,而不必费心满足代理背后的需求。
只是个VB。NET版的答案:
Private Function GetRequestIpAddress() As IPAddress
Dim serverVariables = HttpContext.Current.Request.ServerVariables
Dim headersKeysToCheck = {"HTTP_CLIENT_IP", _
"HTTP_X_FORWARDED_FOR", _
"HTTP_X_FORWARDED", _
"HTTP_X_CLUSTER_CLIENT_IP", _
"HTTP_FORWARDED_FOR", _
"HTTP_FORWARDED", _
"REMOTE_ADDR"}
For Each thisHeaderKey In headersKeysToCheck
Dim thisValue = serverVariables.Item(thisHeaderKey)
If thisValue IsNot Nothing Then
Dim validAddress As IPAddress = Nothing
If IPAddress.TryParse(thisValue, validAddress) Then
Return validAddress
End If
End If
Next
Return Nothing
End Function
我的回答基本上是@AlixAxel的回答的一个经过润色、完全验证和完全打包的版本:
<?php
/* Get the 'best known' client IP. */
if (!function_exists('getClientIP'))
{
function getClientIP()
{
if (isset($_SERVER["HTTP_CF_CONNECTING_IP"]))
{
$_SERVER['REMOTE_ADDR'] = $_SERVER["HTTP_CF_CONNECTING_IP"];
};
foreach (array('HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_X_CLUSTER_CLIENT_IP', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'REMOTE_ADDR') as $key)
{
if (array_key_exists($key, $_SERVER))
{
foreach (explode(',', $_SERVER[$key]) as $ip)
{
$ip = trim($ip);
if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false)
{
return $ip;
};
};
};
};
return false;
};
};
$best_known_ip = getClientIP();
if(!empty($best_known_ip))
{
$ip = $clients_ip = $client_ip = $client_IP = $best_known_ip;
}
else
{
$ip = $clients_ip = $client_ip = $client_IP = $best_known_ip = '';
};
?>
变化:
它简化了函数名(使用'camelCase'格式样式)。
它包括一个检查,以确保函数没有在代码的另一部分中声明。
它还考虑了“CloudFlare”的兼容性。
它将多个“ip相关”变量名称初始化为'getClientIP'函数的返回值。
它确保如果函数没有返回有效的IP地址,所有变量都被设置为空字符串,而不是null。
它只有(45)行代码。
i realize there are much better and more concise answers above, and this isnt a function nor the most graceful script around. In our case we needed to output both the spoofable x_forwarded_for and the more reliable remote_addr in a simplistic switch per-say. It needed to allow blanks for injecting into other functions if-none or if-singular (rather than just returning the preformatted function). It needed an "on or off" var with a per-switch customized label(s) for platform settings. It also needed a way for $ip to be dynamic depending on request so that it would take form of forwarded_for.
我也没有看到任何人地址isset() vs !empty()——它可能没有为x_forwarded_for输入任何内容,但仍然触发isset()真理导致空白var,一种解决方法是使用&&并结合两者作为条件。请记住,您可以欺骗像“PWNED”这样的单词为x_forwarded_for,因此,如果您的输出在某个受保护的地方或到DB中,请确保您将其杀菌为真实ip语法。
此外,如果您需要一个多代理来查看x_forwarder_for中的数组,则可以使用谷歌translate进行测试。如果你想欺骗头部测试,检查这个Chrome客户端头部欺骗扩展。这将默认只是标准的remote_addr,而后面的一个代理。
我不知道任何情况下,remote_addr可以是空的,但它在那里,以防万一。
// proxybuster - attempts to un-hide originating IP if [reverse]proxy provides methods to do so
$enableProxyBust = true;
if (($enableProxyBust == true) && (isset($_SERVER['REMOTE_ADDR'])) && (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) && (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))) {
$ip = end(array_values(array_filter(explode(',',$_SERVER['HTTP_X_FORWARDED_FOR']))));
$ipProxy = $_SERVER['REMOTE_ADDR'];
$ipProxy_label = ' behind proxy ';
} elseif (($enableProxyBust == true) && (isset($_SERVER['REMOTE_ADDR']))) {
$ip = $_SERVER['REMOTE_ADDR'];
$ipProxy = '';
$ipProxy_label = ' no proxy ';
} elseif (($enableProxyBust == false) && (isset($_SERVER['REMOTE_ADDR']))) {
$ip = $_SERVER['REMOTE_ADDR'];
$ipProxy = '';
$ipProxy_label = '';
} else {
$ip = '';
$ipProxy = '';
$ipProxy_label = '';
}
为了使这些动态用于下面的函数或查询/回显/视图,比如日志生成或错误报告,使用全局变量或在任何你想要的地方回显em,而不需要创建大量其他条件或静态模式输出函数。
function fooNow() {
global $ip, $ipProxy, $ipProxy_label;
// begin this actions such as log, error, query, or report
}
谢谢你的好想法。请让我知道如果这可以更好,仍然有点新的这些头:)
来自Symfony的Request类
https://github.com/symfony/symfony/blob/1bd125ec4a01220878b3dbc3ec3156b073996af9/src/Symfony/Component/HttpFoundation/Request.php
const HEADER_FORWARDED = 'forwarded';
const HEADER_CLIENT_IP = 'client_ip';
const HEADER_CLIENT_HOST = 'client_host';
const HEADER_CLIENT_PROTO = 'client_proto';
const HEADER_CLIENT_PORT = 'client_port';
/**
* Names for headers that can be trusted when
* using trusted proxies.
*
* The FORWARDED header is the standard as of rfc7239.
*
* The other headers are non-standard, but widely used
* by popular reverse proxies (like Apache mod_proxy or Amazon EC2).
*/
protected static $trustedHeaders = array(
self::HEADER_FORWARDED => 'FORWARDED',
self::HEADER_CLIENT_IP => 'X_FORWARDED_FOR',
self::HEADER_CLIENT_HOST => 'X_FORWARDED_HOST',
self::HEADER_CLIENT_PROTO => 'X_FORWARDED_PROTO',
self::HEADER_CLIENT_PORT => 'X_FORWARDED_PORT',
);
/**
* Returns the client IP addresses.
*
* In the returned array the most trusted IP address is first, and the
* least trusted one last. The "real" client IP address is the last one,
* but this is also the least trusted one. Trusted proxies are stripped.
*
* Use this method carefully; you should use getClientIp() instead.
*
* @return array The client IP addresses
*
* @see getClientIp()
*/
public function getClientIps()
{
$clientIps = array();
$ip = $this->server->get('REMOTE_ADDR');
if (!$this->isFromTrustedProxy()) {
return array($ip);
}
if (self::$trustedHeaders[self::HEADER_FORWARDED] && $this->headers->has(self::$trustedHeaders[self::HEADER_FORWARDED])) {
$forwardedHeader = $this->headers->get(self::$trustedHeaders[self::HEADER_FORWARDED]);
preg_match_all('{(for)=("?\[?)([a-z0-9\.:_\-/]*)}', $forwardedHeader, $matches);
$clientIps = $matches[3];
} elseif (self::$trustedHeaders[self::HEADER_CLIENT_IP] && $this->headers->has(self::$trustedHeaders[self::HEADER_CLIENT_IP])) {
$clientIps = array_map('trim', explode(',', $this->headers->get(self::$trustedHeaders[self::HEADER_CLIENT_IP])));
}
$clientIps[] = $ip; // Complete the IP chain with the IP the request actually came from
$firstTrustedIp = null;
foreach ($clientIps as $key => $clientIp) {
// Remove port (unfortunately, it does happen)
if (preg_match('{((?:\d+\.){3}\d+)\:\d+}', $clientIp, $match)) {
$clientIps[$key] = $clientIp = $match[1];
}
if (!filter_var($clientIp, FILTER_VALIDATE_IP)) {
unset($clientIps[$key]);
}
if (IpUtils::checkIp($clientIp, self::$trustedProxies)) {
unset($clientIps[$key]);
// Fallback to this when the client IP falls into the range of trusted proxies
if (null === $firstTrustedIp) {
$firstTrustedIp = $clientIp;
}
}
}
// Now the IP chain contains only untrusted proxies and the client IP
return $clientIps ? array_reverse($clientIps) : array($firstTrustedIp);
}
我知道现在回答已经太晚了。但是你可以试试这些方法:
选项1:(使用curl)
$ch = curl_init();
// set URL and other appropriate options
curl_setopt($ch, CURLOPT_URL, "https://ifconfig.me/");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
// grab URL and pass it to the browser
$ip = curl_exec($ch);
// close cURL resource, and free up system resources
curl_close($ch);
return $ip;
选项2:(适用于mac)
return trim(shell_exec("dig +short myip.opendns.com @resolver1.opendns.com"));
选项3:(只是使用了一个技巧)
return str_replace('Current IP CheckCurrent IP Address: ', '', strip_tags(file_get_contents('http://checkip.dyndns.com')));
可以作为参考:
https://www.tecmint.com/find-linux-server-public-ip-address/
如果你使用CloudFlare缓存层服务,下面是修改后的版本
function getIP()
{
$fields = array('HTTP_X_FORWARDED_FOR',
'REMOTE_ADDR',
'HTTP_CF_CONNECTING_IP',
'HTTP_X_CLUSTER_CLIENT_IP');
foreach($fields as $f)
{
$tries = $_SERVER[$f];
if (empty($tries))
continue;
$tries = explode(',',$tries);
foreach($tries as $try)
{
$r = filter_var($try,
FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 |
FILTER_FLAG_NO_PRIV_RANGE |
FILTER_FLAG_NO_RES_RANGE);
if ($r !== false)
{
return $try;
}
}
}
return false;
}
