I have a Laravel application and I want to use the php artisan up and php artisan down commands from a separate PHP script in the /public folder, like the following:

<?php
// /public/stop.php
// Without ?state=... the site is put into maintenance mode; with it, the site is brought back up.
// artisan has to be run from the application root, one level above /public.
if (!isset($_GET['state'])) {
    exec('cd ../ ; php artisan down --message "Recovery and Updating. Please try again later."');
    header('Location: /');
    exit;
} else {
    exec('cd ../ ; php artisan up');
    header('Location: /');
    exit;
}

The above script is accessible via http://example.com/stop.php. Now I want to use $_SERVER['REMOTE_ADDR'] to check the client's IP address, to restrict access to this script to localhost, i.e. 127.0.0.1, like the following:

<?php
// Refuse the request unless it arrives from the loopback address.
// On IPv6 the loopback address is ::1, so both forms are accepted.
if (!in_array($_SERVER['REMOTE_ADDR'] ?? '', ['127.0.0.1', '::1'], true)) {
    die('Error: It could not be executed.');
}

Regarding security concerns about faking the IP from the client side: this question, How to fake $_SERVER['REMOTE_ADDR'] variable?, confuses me. While this answer says it is possible to fake the IP, that answer says it is not possible!

So I need a clear answer: could someone trick Apache or PHP into getting a fake IP?

Notice: My server is Apache server and PHP is 7.0.

Notice 2: This question is a different approach from How to get the client IP address in PHP? It is about faking the IP from the client, not about how to get the IP.

SaidbakR
  • @NigelRen It is a different approach from the question you referred to. Here I am not concerned with getting the IP itself; I mean faking it! – SaidbakR Mar 28 '18 at 16:01
  • If this is about implementing a maintenance mode and testing the site from a single IP address, then you should not do that in PHP but on the level of the http server. – arkascha Mar 28 '18 at 16:01
  • There is quite a bit of information on the duplicate which gives details/concerns about security issues of using the various methods of checking the remote IP address. – Nigel Ren Mar 28 '18 at 16:03
  • The answer that says that it is possible goes to quite some lengths to explain that it takes quite some work and network privilege to be able to fake the IP. *Practically speaking* it's *probably* not possible to fake it; but technically speaking given the right circumstances it can be. – Having said all this, if you can access the script exclusively locally anyway, why go through the trouble of exposing it over an HTTP server anyway and not simply execute a command line command, which is all this script is doing anyway?! – deceze Mar 28 '18 at 16:05
  • @deceze because this is a prototype case, i.e. in the future the check may be done through a list of allowed IPs. In other words, I don't want the application's administrator to have to use the command line. – SaidbakR Mar 28 '18 at 16:08
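As an added example (not code from the question, its comments, or Laravel), the distinction deceze's comment draws, written out in PHP: REMOTE_ADDR is filled in by the web server from the TCP connection's source address, so a client cannot set it through request headers, whereas X-Forwarded-For is client-supplied text that is only meaningful when the connection itself comes from a proxy you operate. The allow-list, the proxy address and the sample $_SERVER arrays are constructed for illustration; a single trusted proxy hop is assumed.

```php
<?php
// Added example: resolve the caller's address the way a maintenance script should,
// relying on REMOTE_ADDR unless the connection comes from a proxy we operate.

function resolveClientIp(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    // REMOTE_ADDR comes from the TCP connection; nothing a client puts in an
    // HTTP header changes it, so it is the only value used for direct connections.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }
    // The connection comes from our own proxy (assumed single hop), so the last
    // X-Forwarded-For entry is the address that proxy saw connect to it; any
    // earlier entries are whatever the client chose to send and are ignored.
    $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    $candidate = end($chain);
    return filter_var($candidate, FILTER_VALIDATE_IP) !== false ? $candidate : $remote;
}

function isAllowedCaller(array $server, array $allowList, array $trustedProxies): bool
{
    $ip = resolveClientIp($server, $trustedProxies);
    // Fail closed: an empty or unrecognised address is never allowed.
    return $ip !== '' && in_array($ip, $allowList, true);
}

// Constructed sample data (addresses taken from documentation ranges).
$allowList = ['127.0.0.1', '::1', '198.51.100.10'];
$ourProxy  = ['10.0.0.2'];

$cases = [
    // Direct connection that sends a forged header: the header is ignored and
    // the real source address decides, so the request is refused.
    'forged header, direct' => [['REMOTE_ADDR' => '203.0.113.5', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'], []],
    // Genuine loopback request over IPv6.
    'loopback via IPv6'     => [['REMOTE_ADDR' => '::1'], []],
    // Allow-listed administrator arriving through our own proxy.
    'admin behind proxy'    => [['REMOTE_ADDR' => '10.0.0.2', 'HTTP_X_FORWARDED_FOR' => '198.51.100.10'], $ourProxy],
    // Someone behind the proxy claiming to be loopback: the proxy appends the
    // address it actually saw, so the forged first entry never counts.
    'forged behind proxy'   => [['REMOTE_ADDR' => '10.0.0.2', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 203.0.113.5'], $ourProxy],
];

foreach ($cases as $name => [$server, $proxies]) {
    printf("%-22s resolved=%-14s allowed=%s\n", $name,
        resolveClientIp($server, $proxies), isAllowedCaller($server, $allowList, $proxies) ? 'yes' : 'no');
}
```

Only the loopback and the proxied administrator cases are allowed; both forged-header cases are refused because the forged value never reaches the comparison.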
