I've read that it is possible that a client doesn't send an IP address when making a request. So I would like to prevent a user from accessing my page without giving an IP address.
In case the IP address is not sent, which value does `$_SERVER['REMOTE_ADDR']` (PHP) have? Maybe `null`, `""`, or `0.0.0.0`?
-2

Eike Pierstorff

HelloToYou
- It is not possible to establish a TCP connection without showing IP addresses. – Daniel W. Jul 19 '16 at 10:04
- Where have you read that? The IP address exchange is part of the TCP/IP handshake. No TCP/IP, no HTTP request. No HTTP request, no PHP execution. – deceze Jul 19 '16 at 10:04
- `$_SERVER['REMOTE_ADDR']` is set by the server. The client cannot influence it. – axiac Jul 19 '16 at 10:05
- @DanFromGermany If you run from cli then `REMOTE_ADDR` is not set – DarkBee Jul 19 '16 at 10:05
- @DarkBee Then there's no "client" either, because there's also no "server". – deceze Jul 19 '16 at 10:05
- @DarkBee while you are technically correct, your remark doesn't apply here because the OP asks about using the PHP on the webserver. – axiac Jul 19 '16 at 10:06
- @deceze I've read that in an article about proxy-servers. After that I tested it using [http://ipv6-test.com](http://ipv6-test.com) and on both connection-types stand `not supported` – HelloToYou Jul 19 '16 at 10:06
- @deceze False. PHP scripts can be executed separately from an HTTP server. The `$_SERVER` superglobal then contains the environment variables of the process. – Jul 19 '16 at 10:07
- @Rhymoid That's about your server setup. *The client* will have to send their IP. If your server internally filters it out and doesn't pass it to PHP, that's a different problem. It would also affect all clients equally, and not some clients selectively. – deceze Jul 19 '16 at 10:08
- If the client uses a proxy server, `$_SERVER['REMOTE_ADDR']` contains the IP address of the proxy server (or of the last proxy server when the request passed through more than one). Some web servers can be configured to extract the client's real IP address from the request headers (if it's present there) and put it in `$_SERVER['REMOTE_ADDR']` but I wouldn't rely on this behaviour. – axiac Jul 19 '16 at 10:08
- @HelloToYou On ipv6-test.com, neither IPv4 nor IPv6 are supported by your browser?! What kind of proxy setup are you testing there? – deceze Jul 19 '16 at 10:11
- @deceze Don't know exactly, it's some days ago and the server was from a proxy-list. Now I'm developing using PHP and would like to prevent that a user can't access without an IP-Address. – HelloToYou Jul 19 '16 at 10:13
- That problem mostly solves itself. (Putting aside all the possible asterisks about server misconfiguration etc. where PHP will simply not be passed the address by the web server.) If you don't know the IP address of the client, you cannot send them any response to their HTTP request. The response needs to be delivered to an IP, and if the server doesn't know which IP to deliver the response to, it can't send any. Hence IP exchange is guaranteed in the TCP/IP protocol. – deceze Jul 19 '16 at 10:16
- @DarkBee If you run from client, there is no TCP connection. – Daniel W. Jul 19 '16 at 10:32
- @axiac you don't need a webserver filtering anything when you can see all the http headers with PHP itself `getallheaders();` – Daniel W. Jul 19 '16 at 10:36
1 Answer
0
There is always an IP; however, when you have several layers of software, the original IP can be lost on its way to PHP unless the software is configured correctly.
It's not uncommon to have a setup stack with Varnish > Nginx > PHP-FPM, where Varnish responds to the original request (and gets the visitor IP) and then in turn contacts the web server (nginx), which in turn calls PHP-FPM. In all of these "forwards" each software must be configured to include the original IP in headers or otherwise.
This is what the HTTP headers `X-Real-IP` and `X-Forwarded-For` are used for.
(Nginx and other software have configuration directives and modules to help with the specific scenario I mentioned above.)

kb.
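One way to read the address in PHP behind a stack like the one described in the answer above, as an added example that is not part of the original answer: `REMOTE_ADDR` is used as is unless it belongs to a proxy you operate, and only then is `X-Forwarded-For` consulted. The function name `client_ip`, the `TRUSTED_PROXIES` list and all addresses are assumptions made for illustration.

```php
<?php
// Added example: resolve the client address behind trusted reverse proxies.
// TRUSTED_PROXIES holds constructed sample addresses; list your own proxy hosts.
const TRUSTED_PROXIES = ['127.0.0.1', '10.0.0.5'];

function client_ip(array $server, array $trusted = TRUSTED_PROXIES): ?string
{
    // REMOTE_ADDR is the TCP peer as seen by the web server. It is absent
    // under the CLI or when the front end does not pass it on to PHP.
    $peer = filter_var($server['REMOTE_ADDR'] ?? '', FILTER_VALIDATE_IP);
    if ($peer === false) {
        return null;
    }
    // A direct client can send any X-Forwarded-For value it likes, so the
    // header is only considered when the peer is one of our own proxies.
    if (!in_array($peer, $trusted, true)) {
        return $peer;
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    // Each proxy appends the address it received the request from, so walk
    // right to left and stop at the first hop that is not a trusted proxy.
    foreach (array_reverse($hops) as $hop) {
        $ip = filter_var($hop, FILTER_VALIDATE_IP);
        if ($ip === false) {
            break; // empty or malformed entry: fall back to the proxy address
        }
        if (!in_array($ip, $trusted, true)) {
            return $ip;
        }
    }
    return $peer;
}

// Constructed sample inputs shaped like $_SERVER.
$cases = [
    'direct client, header ignored' => ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_X_FORWARDED_FOR' => '1.2.3.4'],
    'via trusted proxy'             => ['REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_FOR' => '203.0.113.9'],
    'client-supplied first entry'   => ['REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_FOR' => '1.2.3.4, 203.0.113.9, 10.0.0.5'],
    'proxy did not set the header'  => ['REMOTE_ADDR' => '127.0.0.1'],
    'no REMOTE_ADDR (CLI)'          => [],
];
foreach ($cases as $label => $server) {
    printf("%-32s %s\n", $label, client_ip($server) ?? '(none: reject the request)');
}
```

A `null` return is the only case in which no address is available, and it indicates a server or CLI setup issue rather than anything a remote client chose to withhold.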