0

What I'm trying to achieve here is to get the local IP address of a computer that is connecting to a machine with a public IP address.

We have a server with a public IP address (let's say X). We also have 15 computers in our office with local IP addresses (192.168.20....). I want to know which computer changed something on our system. We all go out to the internet with public IP Y. As we all know, with $_SERVER['REMOTE_ADDR'] I can only get address Y, but I can't get the local IP address (192.168.20.N).

So I've installed a web server on one of the local machines, and I'm sending an ajax (jsonp) request to that local machine. I get the local IP address of the computer and then send that IP address to the public server in every request. Everything works fine and I'm getting both the local and the public IP address. But I wonder if there is any better way of doing this?

Here is my test.js script:

$(document).ready(function(){
    var _ip = '';
    // Ask the helper web server on the LAN which address this browser connects from
    $.ajax({
        url: 'http://192.168.20.24/getIP.php', //local machine
        dataType: 'jsonp',
        success: function(response){
            _ip = response;
            // Forward the reported address to the public server
            $.ajax({
                url: 'getIP.php', //public address
                type: 'POST',
                dataType: 'json',
                data: {
                    ip: _ip
                },
                success: function(response){
                    // .text() so the echoed values are never parsed as markup
                    $('#local').text(response.local);
                    $('#public').text(response.public);
                }
            });
        }
    });
});

local getIP.php

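header('Content-Type: application/javascript; charset=utf-8'); // JSONP is executed as script, not parsed as JSON
$callback = preg_replace('/[^A-Za-z0-9_$]/', '', $_GET['callback'] ?? ''); // keep identifier characters only
echo $callback . '(' . json_encode($_SERVER['REMOTE_ADDR']) . ');';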

and public getIP.php

echo json_encode(array('local' => $_POST['ip'], 'public' => $_SERVER['REMOTE_ADDR']));

Thanks in advance

Note: code is written for testing purposes only.

Jerko W. Tisler
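
The `ip` field posted to the public `getIP.php` comes from the browser, so the server can only treat it as a claim about the client. The following is an added example, not part of the original question, of validating and recording that claim; the subnet 192.168.20.0/24, the function names, the user name and the sample requests are assumptions made for illustration.

```php
<?php
// Added example, not the asker's code. The office subnet and the function
// names are assumptions made for illustration.
const OFFICE_CIDR = '192.168.20.0/24';

// True when $ip (dotted IPv4) lies inside $cidr ("a.b.c.d/nn").
function ipv4_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr);
    $mask = -1 << (32 - (int) $bits);
    return (ip2long($ip) & $mask) === (ip2long($net) & $mask);
}

// The "ip" field is sent by the browser, so it is a claim, not a measurement.
// Return it only if it is a well-formed IPv4 address inside the office subnet.
function claimed_office_ip($posted): ?string
{
    if (!is_string($posted)) {
        return null; // missing field, or an array such as ip[]=...
    }
    $ip = filter_var($posted, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
    if ($ip === false || !ipv4_in_cidr($ip, OFFICE_CIDR)) {
        return null;
    }
    return $ip;
}

// Audit record: the address the server observed stays separate from the claim.
// $user stands for the already authenticated account name (hypothetical).
function audit_record(array $server, array $post, string $user): array
{
    $claim = claimed_office_ip($post['ip'] ?? null);
    return [
        'user'               => $user,
        'observed_public_ip' => $server['REMOTE_ADDR'] ?? null,
        'claimed_local_ip'   => $claim,
        'claim_rejected'     => $claim === null && isset($post['ip']),
    ];
}

// Constructed sample requests (203.0.113.10 is a documentation address).
$server = ['REMOTE_ADDR' => '203.0.113.10'];
foreach ([['ip' => '192.168.20.17'], ['ip' => '10.0.0.1'], ['ip' => '<b>x</b>'], []] as $post) {
    echo json_encode(audit_record($server, $post, 'alice')), PHP_EOL;
}
```

A claim that passes these checks is still unverified: any browser in the office can post any address in the subnet.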

2 Answers

3

IP address information MUST NOT be used for authentication. This is insecure. Point.

If you want to authenticate persons or even computers, then use an authentication system. Username/password based or public/private key based authentication systems come to mind.

hek2mgl
  • I'm not using it for authentication, and also it is only used in our office, so don't worry, I know how authentication should be done. And I know some of you will tell me I should not do this, but trust me, we need this information – Jerko W. Tisler Apr 30 '14 at 07:46
  • Aside from security considerations, you see that it is obviously not working because of NAT. An authentication system will solve this, regardless of security considerations. – hek2mgl Apr 30 '14 at 07:48
  • Actually, as I said, it's working pretty well. I can see both LOCAL and PUBLIC IP addresses, I'm only wondering if there is a better solution – Jerko W. Tisler Apr 30 '14 at 07:51
  • If it works for you, you are fine. A better solution would not include IP addresses for authentication. The most obvious advantage is that you would not need the local web server anymore. Maybe you will come to that insight after a time of using the current solution ... ;) – hek2mgl Apr 30 '14 at 07:53
  • No one ever said it's used for authentication, I just wanna know which PC the user is logged in from and that's it – Jerko W. Tisler Apr 30 '14 at 07:57
  • Ok, I see. In English it is "Identification" that I mean. (In German, both terms mean "Authentifizierung". Sorry for the confusion.) – hek2mgl Apr 30 '14 at 07:59
  • Yeah, what I meant is that even for identification purposes IP addresses aren't well suited. – hek2mgl Apr 30 '14 at 08:01
  • Why is it insecure? If it's just for identification and not authentication, so basically you get no rights just because of your IP, I see no insecurity. Of course you should not expect that this identification is always correct. @hek2mgl: in German, identification is "Identifizierung" and authentication "Authentifizierung", they are certainly not the same! – RaphaelH May 01 '14 at 06:23
  • @RaphaelH thanks for the clarification. I admit that I was not right with that German translation. Identification and authentication are indeed different, even in German. But my main concerns are still valid. It is insecure because of many scenarios, all related to IP spoofing. Btw, IP spoofing can happen super easily here. Even if security does not matter - what is wrong as security **does** matter - it is a disaster for maintainability as IP addresses may change. **If** I would use address information, I would use MAC addresses. – hek2mgl May 01 '14 at 07:06
1

JavaScript operates at HTTP level, so there is no such thing as an IP address in the JavaScript world.

The workaround you devised is widely used and it is, I believe, the only way to get the client's private address. As hek2mgl advises, this solution is insecure indeed, although in your case, the concern is less relevant because you seem to have complete control of the clients, the server, and the network in between.

For a really secure solution, use client certificates. I understand you do not really care about the client's IP addresses per se, but only want to use them as a means of authentication (or was it just identification? :D).

Configuration is not trivial but not rocket science either. Here is a nice tutorial (Apache). It assumes the use of certificates issued by a public certification authority, but you can generate and use your own self-signed certificates (tutorial 1, tutorial 2)

RandomSeed
  • Tnx for your answer, I just wanted to remove that local web server from my architecture, but obviously it won't work without it – Jerko W. Tisler May 04 '14 at 11:07
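
With client certificates, as suggested in the answer above, the application reads the machine identity from the variables the web server exports after the TLS handshake, and no helper web server on the LAN is involved. The following is an added example, not code from the answer or from the tutorials it links to; it assumes Apache mod_ssl with `SSLVerifyClient` set to `require` or `optional` and `SSLOptions +StdEnvVars`, one certificate per office machine, and constructed machine names.

```php
<?php
// Added example, not code from the answer or the tutorials it links to.
// Assumes Apache mod_ssl with "SSLOptions +StdEnvVars", which exposes the
// SSL_CLIENT_* variables to PHP, and one certificate per office machine.
// The machine inventory below is constructed sample data.
const MACHINES = ['office-pc-07', 'office-pc-12'];

// Returns the machine name proven by the TLS handshake, or null.
function machine_from_client_cert(array $server): ?string
{
    // mod_ssl reports SUCCESS only when the presented certificate verified
    // against the CA configured on the server.
    if (($server['SSL_CLIENT_VERIFY'] ?? 'NONE') !== 'SUCCESS') {
        return null;
    }
    $cn = $server['SSL_CLIENT_S_DN_CN'] ?? '';
    // A valid certificate with a name outside the inventory is not accepted
    // as one of the office machines.
    return in_array($cn, MACHINES, true) ? $cn : null;
}

// Constructed sample environments, shaped like $_SERVER under mod_ssl.
$samples = [
    ['SSL_CLIENT_VERIFY' => 'SUCCESS', 'SSL_CLIENT_S_DN_CN' => 'office-pc-07',
     'REMOTE_ADDR' => '203.0.113.10'],
    ['SSL_CLIENT_VERIFY' => 'NONE', 'REMOTE_ADDR' => '203.0.113.10'],
    ['SSL_CLIENT_VERIFY' => 'SUCCESS', 'SSL_CLIENT_S_DN_CN' => 'laptop-guest',
     'REMOTE_ADDR' => '203.0.113.10'],
];
foreach ($samples as $server) {
    echo json_encode([
        'machine'   => machine_from_client_cert($server) ?? 'unidentified',
        'public_ip' => $server['REMOTE_ADDR'],
    ]), PHP_EOL;
}
```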