3

I need to get my users' IP addresses.

I found this article How to get Client Ip Address in Laravel 5.1?

The above mentioned article uses the Request::ip();

However, this method returns my server's IP address. From what I can understand from other sources, this happens when the site is localhost - but the site is hosted and is live on a server.

This site is live and online, but it might refer to localhost, as the site might be sitting on its own server (I don't have any experience in server config to know if this is true or not, just a guess).

When I connect to the DB Host, I do so using localhost referencing as well, and not something like mysql.phpmyadmin.hosting.com as DB Host. Therefore, my guess is, that the Request::ip(); returns the server ip, because the site somehow is sitting localhost.

However, if I use $_SERVER['HTTP_X_FORWARDED_FOR']; I get the correct IP address.

Now to my final question: Is this safe to use? Is there another way to use a Laravel function to make this request?

From what I can understand, the $_SERVER['HTTP_X_FORWARDED_FOR']; can have security holes, according to How to get the client IP address in PHP?.

Can I use $_SERVER['HTTP_X_FORWARDED_FOR']; safely without worrying? If not, what other way could I go, to get the users IP address safely?

Patrick
  • `$_SERVER['REMOTE_ADDR']` is more reliable than `$_SERVER['HTTP_X_FORWARDED_FOR']`. – Eli Sadoff Jan 19 '17 at 17:56
  • Are you using a load balancer that redirects requests to your web server by any chance? – Paras Jan 19 '17 at 17:56
  • @EliSadoff `Request::ip()` uses `$_SERVER['REMOTE_ADDR']`. In a proxied/load-balanced scenario, like OP's, the remote address of the connection will be the proxy/load balancer. – ceejayoz Jan 19 '17 at 17:56
  • @ceejayoz Oh that makes sense. Unfortunately using `$_SERVER['HTTP_X_FORWARDED_FOR']` allows for easy spoofing. – Eli Sadoff Jan 19 '17 at 17:57
  • Some hoster configurations use a proxy. So the `REMOTE_ADDR` is in this example the server IP. You can use `HTTP_X_FORWARDED_FOR`. It's not a big deal (for me). – Sysix Jan 19 '17 at 17:58

1 Answer

8

The risk with X-Forwarded-For is that a user could create the header themselves, and thus pass along any IP they wish.

The solution is to only trust the header when REMOTE_ADDR is that of your trusted proxy. There's a Laravel package that lets you enforce this restriction.

ceejayoz
  • Thanks for your answer and I see. However, would there be any serious security holes for X-Forwarded-For? What I am doing is simply saving the IP address in a database. I'm thinking that if they change the IP address, it wouldn't be a big deal, just some counting inconsistencies, but nothing serious - however, if this leads to them being able to somehow access the database or other serious security holes, by implementing code in the database, then X-Forwarded-For wouldn't work at all ofc. Looking forward to your answer :) – Patrick Jan 19 '17 at 18:06
  • @Patrick Just data integrity, to my knowledge. If you don't care that a user might spoof an IP that winds up in your database, it should be safe. – ceejayoz Jan 19 '17 at 18:11
  • I've tried to do what you are mentioning, by tampering with the data, using something like "tamper data" - but it seems to be more advanced to do this than just a simple tamper? Please correct me if I'm wrong :) – Patrick Jan 19 '17 at 18:11
  • @Patrick It takes some doing. It sounds like your host has a proxy or load-balancer in front of your server, so attempting to set an `X-Forwarded-For` is going to be ignored by that device. You'd have to bypass it by hitting the server itself directly. There *are* more subtle vulnerabilities you might have in your code, so you should still exercise caution - http://blog.ircmaxell.com/2012/11/anatomy-of-attack-how-i-hacked.html for example, was a vulnerability right here on SO. – ceejayoz Jan 19 '17 at 18:14
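As an added example (not code from the question, the answer, or Laravel itself), here is the restriction the answer describes written out in plain PHP: `X-Forwarded-For` is consulted only when `REMOTE_ADDR` is one of your own proxies, and the header is then walked from the right so that entries the client wrote into it are never reached. The trusted range, the two sample requests and every address in them are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question, the answer or Laravel: derive
// the client IP the way the answer prescribes. X-Forwarded-For is consulted
// only when the TCP peer (REMOTE_ADDR) is one of our own proxies, and the
// header is walked from the right so that entries the client put there
// itself are never reached.

/** True when $ip falls inside $cidr ("10.0.0.0/8"); a bare address must match exactly. */
function ipInCidr(string $ip, string $cidr): bool
{
    $parts = explode('/', $cidr, 2);
    if (filter_var($ip, FILTER_VALIDATE_IP) === false
        || filter_var($parts[0], FILTER_VALIDATE_IP) === false) {
        return false;
    }
    $ipBin  = inet_pton($ip);
    $netBin = inet_pton($parts[0]);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false;                              // IPv4 vs IPv6 mismatch
    }
    $maxBits = strlen($ipBin) * 8;
    $bits = isset($parts[1]) ? (int) $parts[1] : $maxBits;
    if ($bits < 0 || $bits > $maxBits) {
        return false;
    }
    $fullBytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    $remBits = $bits % 8;
    if ($remBits === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $remBits)) & 0xFF;      // e.g. /20 compares 4 bits of byte 2
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

function isTrustedProxy(string $ip, array $trustedCidrs): bool
{
    foreach ($trustedCidrs as $cidr) {
        if (ipInCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

/**
 * $server is a $_SERVER-shaped array. Returns the address to record.
 * Direct connection (peer is not a trusted proxy): the header is attacker
 * controlled, so REMOTE_ADDR is the answer regardless of what it says.
 */
function clientIp(array $server, array $trustedCidrs): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!isTrustedProxy($remote, $trustedCidrs)) {
        return $remote;
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    // Each proxy appends the address it received the request from, so the
    // rightmost entry that is not one of ours is the first untrusted hop: the client.
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (filter_var($hops[$i], FILTER_VALIDATE_IP) === false) {
            return $remote;                        // malformed entry: fall back to the peer
        }
        if (!isTrustedProxy($hops[$i], $trustedCidrs)) {
            return $hops[$i];
        }
    }
    return $remote;                                // header empty or only our own hops
}

// Assumed deployment: two internal proxies in 10.0.0.0/8 in front of the app.
$trusted = ['10.0.0.0/8', '127.0.0.1', '::1'];

// Constructed requests (all addresses are made up):
$viaProxy = [
    'REMOTE_ADDR'          => '10.0.1.9',                           // inner proxy
    'HTTP_X_FORWARDED_FOR' => '192.0.2.44, 203.0.113.7, 10.0.0.5',  // client sent "192.0.2.44" itself
];
$direct = [
    'REMOTE_ADDR'          => '198.51.100.9',                       // bypassed the proxy
    'HTTP_X_FORWARDED_FOR' => '192.0.2.44',                         // forged header
];

echo clientIp($viaProxy, $trusted), PHP_EOL;
echo clientIp($direct, $trusted), PHP_EOL;
```

For the proxied request the spoofed leftmost entry is skipped over because the walk stops at the first non-proxy address coming from the right, and for the direct request the header is not read at all. The value to put in the trusted list is exactly the "server IP" the question sees in `Request::ip()`: that is the proxy's address, and the hosting provider can confirm the full range. In Laravel the same rule is what the `TrustProxies` middleware enforces (it hands the list to Symfony's `Request::setTrustedProxies()`), after which `Request::ip()` returns the client address rather than the proxy's; which Laravel version includes that middleware out of the box, and the exact header-set constants, vary by release, so check the docs for the version in use.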