Show DevBest [PHP 7.3^] Kooser Directory.

Ecko

23:37 [autobots] -!- eckostylez [[email protected]]
Nov 25, 2012
1,396
960
Only on trusted proxies lol.
How do you know an IP address is a proxy if it hasn't already gone through some kind of check?
Post automatically merged:

You can't spoof it if you validated the request came from the proxy in the first place. REMOTE_ADDR is fine if you aren't using a proxy/CDN, sadly most people do these days; so solely relying on REMOTE_ADDR won't do a lot for these setups if you're using it for fingerprinting (every session will be locked to the CDN's IP which breaks your implementation...).
Not hard to implement mod_remoteip.
 

Kooser6

New Member
Apr 14, 2019
19
1
You can't spoof it if you validated the request came from the proxy in the first place. REMOTE_ADDR is fine if you aren't using a proxy/CDN, sadly most people do these days; so solely relying on REMOTE_ADDR won't do a lot for these setups if you're using it for fingerprinting (every session will be locked to the CDN's IP which breaks your implementation...).

So using an `HTTP_` var is better. The var that can be spoofed. Read .
Post automatically merged:

How do you know an IP address is a proxy if it hasn't already gone through some kind of check?
Post automatically merged:


Not hard to implement mod_remoteip.

`REMOTE_ADDR` is the most reliable way to get the user's IP address; if it's a TRUSTED proxy then you check the proxy header. Notice all the top frameworks do this. I went to school for this, I know my stuff lol.
 

Ecko

23:37 [autobots] -!- eckostylez [[email protected]]
Nov 25, 2012
1,396
960
So using an `HTTP_` var is better. The var that can be spoofed. Read .
Post automatically merged:



`REMOTE_ADDR` is the most reliable way to get the user's IP address; if it's a TRUSTED proxy then you check the proxy header. Notice all the top frameworks do this. I went to school for this, I know my stuff lol.
I'm specifically talking about your post "only trusted proxies" that was made in regards to me stating "he should still be checking proxies". How do you know it's a trusted proxy? You have to perform some kind of checks to verify this.

That's cool you went to school for this. This is a good release, despite what others may say.
 

Kooser6

New Member
Apr 14, 2019
19
1
I'm specifically talking about your post "only trusted proxies" that was made in regards to me stating "he should still be checking proxies". How do you know it's a trusted proxy? You have to perform some kind of checks to verify this.

That's cool you went to school for this. This is a good release, despite what others may say.

You have to add these proxies manually.
 

BIOS

ಠ‿ಠ
Apr 25, 2012
906
247
Not hard to implement mod_remoteip.
Sure, you could use modules too, that works, but not everyone will be able to do that and people would also have to do more configuration to get it up and running.

So using an `HTTP_` var is better. The var that can be spoofed. Read .
Post automatically merged:



`REMOTE_ADDR` is the most reliable way to get the user's IP address; if it's a TRUSTED proxy then you check the proxy header. Notice all the top frameworks do this. I went to school for this, I know my stuff lol.
You ignored my post. Yes, REMOTE_ADDR is populated by the server so cannot be spoofed so it's the best if you're building it for yourself and know it'll always be correct. But if you're using a CDN and a vanilla server install it'll likely just be your provider's IP for all users. So if you're locking sessions to REMOTE_ADDR then you're not really locking anything, since all users will have the same IP...

If you validate the request came from the proxy (by checking it against the provider's IP ranges) and validate that the relevant client headers are legitimate IPs, you'd be better using that approach.
 

Kooser6

New Member
Apr 14, 2019
19
1
I'm specifically talking about your post "only trusted proxies" that was made in regards to me stating "he should still be checking proxies". How do you know it's a trusted proxy? You have to perform some kind of checks to verify this.

That's cool you went to school for this. This is a good release, despite what others may say.

Look at this:
 

Ecko

23:37 [autobots] -!- eckostylez [[email protected]]
Nov 25, 2012
1,396
960
Sure, you could use modules too, that works, but not everyone will be able to do that and people would also have to do more configuration to get it up and running.
There is no reason to not have this task performed at the Apache level prior to it getting forked to a PHP process.
Look at this:
If a user uses this behind a hostname that goes through a CDN (i.e. Cloudflare), the connecting user's IP address will always be a CF IP address. I don't know why you would want to manually configure/maintain a list of those IP addresses when you can use something like mod_remoteip.
 

Kooser6

New Member
Apr 14, 2019
19
1
Sure, you could use modules too, that works, but not everyone will be able to do that and people would also have to do more configuration to get it up and running.


You ignored my post. Yes, REMOTE_ADDR is populated by the server so cannot be spoofed so it's the best if you're building it for yourself and know it'll always be correct. But if you're using a CDN and a vanilla server install it'll likely just be your provider's IP for all users. So if you're locking sessions to REMOTE_ADDR then you're not really locking anything, since all users will have the same IP...

If you validate the request came from the proxy (by checking it against the provider's IP ranges) and validate that the relevant client headers are legitimate IPs, you'd be better using that approach.

Please read .

`REMOTE_ADDR` is good for session locking.

It's an old post so I emailed them and they said it's good.
 

MayoMayn

BestDev
Oct 18, 2016
1,423
683
What does my code look like?
Post automatically merged:



I think I found your way.



And you know you only run this against TRUSTED proxies. Key word.

Why? Any HTTP headers come from the client and can be spoofed.

Look at:
Man, you gotta learn how to read.
When did I ever mention spoofing?
If you have your server sitting behind an NGINX proxy, whether or not you forward the request headers, then checking against $_SERVER['REMOTE_ADDR'] will be useless as it will always resolve to the IP of the proxy and not the incoming request.
That's why you check the x-forwarded-for header.

This is pretty basic stuff dude and the list of checks to do is long.
The thread you linked to is almost 3 years old btw.
 

Kooser6

New Member
Apr 14, 2019
19
1
Man, you gotta learn how to read.
When did I ever mention spoofing?
If you have your server sitting behind an NGINX proxy, whether or not you forward the request headers, then checking against $_SERVER['REMOTE_ADDR'] will be useless as it will always resolve to the IP of the proxy and not the incoming request.
That's why you check the x-forwarded-for header.

This is pretty basic stuff dude.

I am telling you what I can do if you use the `HTTP_` vars (spoofing). They are unsafe.

The best and only way is to check whether `REMOTE_ADDR` is a trusted proxy; if it is, then you get the 'X_FORWARDED_ALL' header and use that. If it's not, then you use `REMOTE_ADDR`. That's the bottom line truth.

If you say that this is not the way to do it then I guess Laravel and Symfony are completely wrong.
 

MayoMayn

BestDev
Oct 18, 2016
1,423
683
Please read .

`REMOTE_ADDR` is good for session locking.

It's an old post so I emailed them and they said it's good.
You can't do session locking using REMOTE_ADDR if your server is behind a proxy...

Let's just leave it here ??
 

Kooser6

New Member
Apr 14, 2019
19
1
You can't do session locking using REMOTE_ADDR if your server is behind a proxy...

Let's just leave it here ??

You fail to listen to people who actually know what they are doing. But you keep doing your thing; besides, we are off topic.
 

Kooser6

New Member
Apr 14, 2019
19
1
You can't spoof it if you validated the request came from the proxy in the first place. REMOTE_ADDR is fine if you aren't using a proxy/CDN, sadly most people do these days; so solely relying on REMOTE_ADDR won't do a lot for these setups if you're using it for fingerprinting (every session will be locked to the CDN's IP which breaks your implementation...).

Dude, we are just gonna keep going back and forth. If it's better to do it that way, how come Zend, CakePHP, Laravel, and Symfony don't do this?
You can think that validation is going to work but I guarantee your validation is not gonna work, and yes, you can SPOOF the HTTP variable.
 

BIOS

ಠ‿ಠ
Apr 25, 2012
906
247
If it's better to do it that way, how come Zend, CakePHP, Laravel, and Symfony don't do this?
They do exactly what I'm suggesting if you bothered to read source code:

And here's the code that validates whether the request originated from the proxy:


Not sure why you choose to blatantly ignore the facts, it's just a suggestion
 

Kooser6

New Member
Apr 14, 2019
19
1
They do exactly what I'm suggesting if you bothered to read source code:

And here's the code that validates whether the request originated from the proxy:


Not sure why you choose to blatantly ignore the facts, it's just a suggestion

Are you blind? Look at the code again: it checks to see if the IP is in the list of trusted proxies before using that code. Like I said, you only run that code for trusted proxies. There is nothing wrong with the code, you just have to use it the right way.

PHP:
public function getClientIps()
{
    $ip = $this->server->get('REMOTE_ADDR');
    if (!$this->isFromTrustedProxy()) {
        return [$ip];
    }
    return $this->getTrustedValues(self::HEADER_X_FORWARDED_FOR, $ip) ?: [$ip];
}
 
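As an added example (not code from Kooser Directory or Symfony) of the rule the thread converges on: honour X-Forwarded-For only when REMOTE_ADDR is one of a manually configured list of trusted proxy ranges, validate every hop, and otherwise fall back to REMOTE_ADDR. The proxy ranges are constructed placeholders and 64-bit PHP is assumed.

```php
<?php
// Added example, not code from Kooser Directory or Symfony. REMOTE_ADDR is set by
// the web server and cannot be forged by the client; X-Forwarded-For is honoured
// only when REMOTE_ADDR matches a trusted proxy. Ranges are constructed; IPv4 only.
declare(strict_types=1);

const TRUSTED_PROXIES = ['10.0.0.0/8', '203.0.113.7/32']; // constructed placeholders

function ipInCidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong = ip2long($ip);
    $netLong = ip2long($subnet);
    if ($ipLong === false || $netLong === false) {
        return false; // not a valid IPv4 address (64-bit PHP assumed for the mask)
    }
    $mask = (int) $bits === 0 ? 0 : (-1 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

function isTrustedProxy(string $ip): bool
{
    foreach (TRUSTED_PROXIES as $cidr) {
        if (ipInCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// Address to lock a session to. $server is $_SERVER, passed in so it can be tested.
function clientIp(array $server): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!isTrustedProxy($remote)) {
        return $remote; // direct connection: HTTP_X_FORWARDED_FOR is untrusted input
    }
    // Walk the chain right to left; the first hop that is not a trusted proxy is
    // the address the proxy saw. Anything further left was supplied by the client.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (filter_var($hops[$i], FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: stop trusting the header entirely
        }
        if (!isTrustedProxy($hops[$i])) {
            return $hops[$i];
        }
    }
    return $remote; // empty, malformed, or proxies only: fall back to REMOTE_ADDR
}
```

Call `clientIp($_SERVER)` in place of reading `REMOTE_ADDR` directly; with a direct connection from an address outside `TRUSTED_PROXIES`, any client-supplied forwarding header is ignored.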

Weasel

👄 I'd intercept me
Nov 25, 2011
4,132
2,456
Guys, you are having a great discussion but please stop with the name-calling. Have a civil discussion about this, as it is honestly interesting to read. There's also no need to state how great you think you are. All that stuff will just cause this discussion to go to a heated situation.
 

BIOS

ಠ‿ಠ
Apr 25, 2012
906
247
Are you blind? Look at the code again: it checks to see if the IP is in the list of trusted proxies before using that code. Like I said, you only run that code for trusted proxies. There is nothing wrong with the code, you just have to use it the right way.

That's literally what I told you to do and you disagreed with it?

"If you validate the request came from the proxy (by checking it against the provider's IP ranges) and validate that the relevant client headers are legitimate IPs, you'd be better using that approach." - ( )
 

Kooser6

New Member
Apr 14, 2019
19
1
That's literally what I told you to do and you disagreed with it?

"If you validate the request came from the proxy (by checking it against the provider's IP ranges) and validate that the relevant client headers are legitimate IPs, you'd be better using that approach." - ( )

All you do is check to see if `REMOTE_ADDR` is in the trusted proxy list. It's pointless to validate `REMOTE_ADDR`.
 