
As you know, the user's IP is $_SERVER['REMOTE_ADDR']. That's it. But in some situations a server may be behind a proxy (often a load balancer); then the IP will be in $_SERVER['HTTP_X_FORWARDED_FOR']. Also, it's recommended to store both values.

OK, I have two related questions:

  1. What does REMOTE_ADDR contain when HTTP_X_FORWARDED_FOR isn't empty?
  2. What are these (based on this answer)? Might they contain the IP? If so, what do REMOTE_ADDR and HTTP_X_FORWARDED_FOR contain in that case?

    • HTTP_CLIENT_IP
    • HTTP_X_FORWARDED
    • HTTP_FORWARDED_FOR
    • HTTP_FORWARDED
Martin AJ
  • `REMOTE_ADDR`'s value varies depending on your server config. Ideally, you'll have something like http://nginx.org/en/docs/http/ngx_http_realip_module.html configured to put the user's real IP in there, but not everyone sets that up right. – ceejayoz Jul 08 '16 at 17:57
  • @ceejayoz Are you talking about the configuration of my server or the configuration of the user? If the first one, that means if I configure my server correctly, then the IP is **always** in `REMOTE_ADDR`, right? – Martin AJ Jul 08 '16 at 17:59
  • You're mixing things up. If the user is using an outside proxy, that proxy may or may not be sending a forwarded-for header, but you'd want to store the remote addr most likely there anyways. The only time you want to use the forwarded-for header is when it comes from **your** infrastructure, like a load balancer. That's why the Nginx docs include a `set_real_ip_from` example to trust the header only from specific IPs. – ceejayoz Jul 08 '16 at 18:07
  • @ceejayoz Alright. I guess this subject is your expertise. Just tell me: should I store both `REMOTE_ADDR` and `HTTP_X_FORWARDED_FOR` in two separate columns, or should I store just one of them, or should I also check the other ones *(`HTTP_CLIENT_IP`, ...)*? Overall, how should I store the user's IP? – Martin AJ Jul 08 '16 at 18:10
  • I store `REMOTE_ADDR`. When I have a load balancer, I use the Nginx RealIP module (Apache has [something similar](https://httpd.apache.org/docs/trunk/mod/mod_remoteip.html)) to populate `REMOTE_ADDR` with the load balancer's forwarded-for header. That's it for me. – ceejayoz Jul 08 '16 at 18:11
  • @ceejayoz I see, could you please give me an example of a "load balancer"? – Martin AJ Jul 08 '16 at 18:14
  • If you need an example of one, you likely don't have one. I'm not a replacement for Wikipedia. – ceejayoz Jul 08 '16 at 18:16
  • @ceejayoz Ah ok, thank you for your attention. – Martin AJ Jul 08 '16 at 18:33
  • @ceejayoz OK, just one question. You keep talking about just `REMOTE_ADDR` and sometimes `HTTP_X_FORWARDED_FOR`. Do you think the other cases are useless and I shouldn't care about them? Like `HTTP_CLIENT_IP`, `HTTP_X_FORWARDED`, etc. – Martin AJ Jul 08 '16 at 20:25
  • I've never seen those in actual usage. If you don't use a load balancer, use `REMOTE_ADDR`. If you use a load balancer, use whatever it uses. In 99% of cases that appears to be `HTTP_X_FORWARDED_FOR`. Stop agonizing over it and just implement what's necessary in your particular setup, *when* it becomes necessary. http://stackoverflow.com/questions/7445592/what-is-the-difference-between-http-client-ip-and-http-x-forwarded-for – ceejayoz Jul 08 '16 at 20:38
  • @ceejayoz Alright .. to be honest, I just don't know how many columns I should create in the database for the IP. I don't use any load balancer *(I don't even know what it is)*, so should I just store `REMOTE_ADDR`? And then if I block an IP, and that user uses a proxy *(like HSS)*, can he open my website again? So I'm trying to handle that: **blocking destructive users**. – Martin AJ Jul 08 '16 at 20:43
  • Create one column. Store the IP from REMOTE_ADDR there. A user who uses a proxy service like HSS will *not be detectable*. Via any of these techniques. That's one of the main reasons for using those sorts of services - evading bans. It works well. – ceejayoz Jul 08 '16 at 20:44
  • (Incidentally, next time, ask the actual question, which would have saved us all this time. http://stackoverflow.com/questions/858357/detect-clients-with-proxy-servers-via-php) – ceejayoz Jul 08 '16 at 20:46
  • @ceejayoz Really, thanks for this link ^ ..! That was exactly what I was looking for. Just what do you mean by "it works well" *(in your second-to-last comment)*? "It" refers to HSS, and you mean HSS makes the user undetectable as well? – Martin AJ Jul 08 '16 at 20:50
  • Yes, proxy services work well for users who want to get around an IP ban. There is not much you can do against a determined user. – ceejayoz Jul 08 '16 at 20:56
  • @ceejayoz Ah, I see. You're one of the super-reputation users who cares about comments and answers them. That's nice of you. Good luck, man. – Martin AJ Jul 08 '16 at 20:58
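The rule ceejayoz spells out in the comments (use `REMOTE_ADDR`; honour `X-Forwarded-For` only when the direct peer is a proxy you operate, which is exactly what nginx's `set_real_ip_from` and Apache's `RemoteIPTrustedProxy` do before PHP ever sees the request) can also be applied in application code when you cannot change the web server. The following is an added example, not code from the question or the comments; the trusted-proxy ranges in `TRUSTED_PROXIES` and the sample `$_SERVER` arrays are constructed for illustration. It shows the naive lookup the question leans toward next to a version that walks the header right-to-left past known proxies, so a client cannot spoof its way around an IP ban just by sending a header.

```php
<?php
// Added example: resolving the client IP from REMOTE_ADDR and X-Forwarded-For
// while trusting the header only when it was appended by our own proxies.
// TRUSTED_PROXIES and the sample requests below are assumptions for this demo.

declare(strict_types=1);

/** Hypothetical CIDRs of our own load balancers / reverse proxies. */
const TRUSTED_PROXIES = ['10.0.0.0/8', '192.0.2.10/32'];

/** True if $ip falls inside $cidr (IPv4 or IPv6; family mismatch is false). */
function ipInCidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = inet_pton($ip);
    $subBin = inet_pton($subnet);
    if ($ipBin === false || $subBin === false || strlen($ipBin) !== strlen($subBin)) {
        return false;
    }
    $bits      = $bits === null ? strlen($ipBin) * 8 : (int) $bits;
    $fullBytes = intdiv($bits, 8);
    $remBits   = $bits % 8;
    if (substr($ipBin, 0, $fullBytes) !== substr($subBin, 0, $fullBytes)) {
        return false;
    }
    if ($remBits === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $remBits)) & 0xFF;
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($subBin[$fullBytes]) & $mask);
}

function isTrustedProxy(string $ip): bool
{
    foreach (TRUSTED_PROXIES as $cidr) {
        if (ipInCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

/**
 * Returns [client_ip, remote_addr]. Store both: remote_addr is the peer that
 * actually connected; client_ip is the best estimate after peeling our own
 * proxies off the right-hand end of X-Forwarded-For.
 */
function resolveClientIp(array $server): array
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    $client = $remote;

    // If the direct peer is not one of our proxies, the header is untrusted
    // user input and is ignored entirely.
    if (!isTrustedProxy($remote) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return [$client, $remote];
    }

    // XFF is "client, proxy1, proxy2, ...". Each proxy appends the address it
    // saw, so only entries added by our proxies are reliable; anything further
    // left was supplied by the client or by proxies we do not control.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: stop here and keep the last good value
        }
        $client = $hop;
        if (!isTrustedProxy($hop)) {
            break; // first address that is not ours is the client
        }
    }
    return [$client, $remote];
}

/** The naive lookup: trusts a header any client can set. */
function naiveClientIp(array $server): string
{
    return $server['HTTP_X_FORWARDED_FOR'] ?? $server['REMOTE_ADDR'];
}

// Constructed sample requests (not real traffic).
$direct = ['REMOTE_ADDR' => '203.0.113.5', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'];
$viaLb  = ['REMOTE_ADDR' => '10.0.1.20',   'HTTP_X_FORWARDED_FOR' => '1.2.3.4, 203.0.113.5'];

var_dump(naiveClientIp($direct));    // the spoofed header wins: a banned user reappears as localhost
var_dump(resolveClientIp($direct));  // peer is not our proxy, so the header is ignored
var_dump(resolveClientIp($viaLb));   // peer is our LB: the rightmost non-proxy hop is the client
```

For the `$direct` request the naive function returns the attacker-chosen `127.0.0.1`, while the hardened one returns the real peer for both values; for `$viaLb` the hardened one returns the address the load balancer appended and ignores the `1.2.3.4` the client put in front of it. If you do the same thing at the web server instead (nginx `real_ip_header X-Forwarded-For; set_real_ip_from 10.0.0.0/8;`, or Apache `mod_remoteip`), `REMOTE_ADDR` already holds the resolved client address and a single database column is enough, which is the setup ceejayoz describes.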

0 Answers