
So I was using PHP and was trying to store people's IP so that I can make the verification of emails and changing of passwords via email more secure, but I was getting a different value with REMOTE_ADDR at certain times.

I came across this: How to get the client IP address in PHP

And someone stated: [screenshot of the comment, not reproduced here]

How would I be able to do this? (Ensuring that my SAPI is configured to show the actual IP of the TCP connection.) I'm currently using AWS to host my PHP website (EC2, load balancer, CloudFront, etc.). Any links to any source would be nice.

SirSpeciam

  • _“trying to store peoples ip so that I can make the verification of emails and changing of passwords via email more secure”_ - that would be assuming that those mails get reacted to immediately, while the user is still using the same internet connection. There are probably _a lot_ of cases in the real world where that will not be the case. – CBroe Jun 23 '20 at 07:11
  • Aren’t people going to be using the same internet connection? Also I need to store IPs for another thing. There are videos on my website and I keep track of how many seconds someone watched them for. It checks if a second was counted with a certain IP so that it doesn’t actually count multiple times (meaning you can’t open 2 tabs and watch the same video to manipulate it). I wanted to use REMOTE_ADDR (nothing else, because they can be changed) to show the IP of the actual user, but it does not, and I wanted to know how to do that. I do not know how I could have been more clear. – SirSpeciam Jun 23 '20 at 16:33

1 Answer


There are 3 variables that may contain this in PHP:

  • `$_SERVER['REMOTE_ADDR']` - The IP address that connected to this server.
  • `$_SERVER['HTTP_X_FORWARDED_FOR']` - The result of the `X-Forwarded-For` header; this contains the IP addresses that traffic transited through to reach your server. It will be separated by `,`, with the first IP address being the client's.
  • `$_SERVER['HTTP_CLIENT_IP']` - The result of the `Client-Ip` header; this contains the IP address of the client if the source proxy added the header.

Remember that any headers can be faked; you should find another way to validate that the source is true.

Chris Williams

  • I was asking how to make REMOTE_ADDR return the actual IP of the user and if it was possible to configure it anywhere to do that. But anyway, how would I be able to validate the `$_SERVER['HTTP_...']` methods as you mentioned? – SirSpeciam Jun 23 '20 at 16:37
  • The `REMOTE_ADDR` will only return the real IP if you directly connect to the server i.e. no load balancer. Generally the choices are either that the request is signed or that you can validate the 'X-Forwarded-For' through the other IPs in the path to ensure that they are from ranges you would expect. – Chris Williams Jun 23 '20 at 16:42
  • What about enabling proxy protocol on an Elastic Load Balancer? Would that be able to show the client's actual IP with REMOTE_ADDR? I don't know how websites are able to do this because I'm quite sure they can store IPs securely. – SirSpeciam Jun 23 '20 at 17:56
  • This is correct for Network Load Balancers as long as there are no other resources in front. By enabling ProxyProtocolv2 the source IP will be forwarded to be used here :) – Chris Williams Jun 23 '20 at 17:57
  • So would cloudfront interfere with that? – SirSpeciam Jun 23 '20 at 17:59
  • Yes, CloudFront would definitely interfere with this; it will set the X-Forwarded-For header to forward both the client's IP and its own IP. However, as I said earlier, this can be spoofed. Some people will use a Lambda@Edge function in CloudFront to create a signed header so that your backend application can trust the X-Forwarded-For header. It all depends how important the validation is for you. – Chris Williams Jun 23 '20 at 18:03
  • Oh, the signed header will be useful then. Could you link me something to help me with that? – SirSpeciam Jun 23 '20 at 18:19
  • Here's an example of adding a header through Lambda@Edge: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-examples.html#lambda-examples-header-based-on-query-string. You would need to decide how you want to sign it (is it a secret vs do you do calculations based on request metadata). Here's a getting started guide: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-edge-how-it-works-tutorial.html. You would want it to be done at the "Origin Request" event most likely. – Chris Williams Jun 23 '20 at 18:27
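An added example of the approach the answer and comments describe (trusting `REMOTE_ADDR`, and only those `X-Forwarded-For` hops that came from proxies you operate); this is not code from the question or the answer. The CIDR ranges and the sample request are constructed placeholders, not real AWS addresses.

```php
<?php
// Added example, not code from the question or answer. Resolves the client IP by
// trusting REMOTE_ADDR and only the X-Forwarded-For hops added by our own proxies.
// True if $ip (v4 or v6) lies inside CIDR block $cidr; false on malformed input.
function ipInCidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $a = inet_pton($ip);
    $b = inet_pton($subnet);
    if ($a === false || $b === false || strlen($a) !== strlen($b)) {
        return false; // malformed, or IPv4 compared against IPv6
    }
    $bits = $bits === null ? strlen($a) * 8 : (int) $bits;
    $full = intdiv($bits, 8);
    if (substr($a, 0, $full) !== substr($b, 0, $full)) {
        return false;
    }
    $rem = $bits % 8;
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return $rem === 0 || ((ord($a[$full]) & $mask) === (ord($b[$full]) & $mask));
}

function isTrustedProxy(string $ip, array $trustedCidrs): bool
{
    foreach ($trustedCidrs as $cidr) {
        if (ipInCidr($ip, $cidr)) return true;
    }
    return false;
}

// Walk X-Forwarded-For from the right, dropping trusted hops; the first untrusted
// address was written by our own proxy and is the client. Everything to its left
// came from the client and is ignored, so spoofed entries cannot influence the result.
function clientIp(array $server, array $trustedCidrs): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!isTrustedProxy($peer, $trustedCidrs)) {
        return $peer; // direct TCP connection: the peer is the client
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (filter_var($hops[$i], FILTER_VALIDATE_IP) === false) break; // garbage hop
        if (!isTrustedProxy($hops[$i], $trustedCidrs)) return $hops[$i];
    }
    return $peer; // empty header or only trusted hops: fall back to the peer
}
// Constructed request: client spoofed "1.2.3.4"; our proxies (10.0.0.0/8) appended the rest.
$trusted = ['10.0.0.0/8', '2001:db8::/32'];
$req = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '1.2.3.4, 198.51.100.7, 10.0.0.9'];
echo clientIp($req, $trusted), PHP_EOL; // prints 198.51.100.7
```

With CloudFront in front of the load balancer, the CloudFront egress ranges must also be in the trusted list, otherwise the walk stops at CloudFront's own address instead of the client's.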