Show DevBest [PHP 7.3^] Kooser Directory.

Ecko

23:37 [autobots] -!- eckostylez [[email protected]]
Nov 25, 2012
1,400
962
Only on trusted proxies lol.
How do you know an IP address is a proxy if it hasn't already went through some kind of check?
Post automatically merged:

You can't spoof it if you validated the request came from the proxy in the first place. REMOTE_ADDR is fine if you aren't using a proxy/CDN, sadly most people do these days; so solely relying on REMOTE_ADDR won't do a lot for these setups if you're using it for fingerprinting (every session will be locked to the CDN's IP which breaks your implementation...).
Not hard to implement mod_remoteip.
 

Kooser6

New Member
Apr 14, 2019
19
1
You can't spoof it if you validated the request came from the proxy in the first place. REMOTE_ADDR is fine if you aren't using a proxy/CDN, sadly most people do these days; so solely relying on REMOTE_ADDR won't do a lot for these setups if you're using it for fingerprinting (every session will be locked to the CDN's IP which breaks your implementation...).

So using an `HTTP_` var is better. The var that can be spoofed. Read .
Post automatically merged:

How do you know an IP address is a proxy if it hasn't already went through some kind of check?
Post automatically merged:


Not hard to implement mod_remoteip.

`REMOTE_ADDR` is the most reliable way to get the users IP address, if it's a TRUSTED proxy then you check the proxy header. Notice all the top frameworks do this. I went to school for this i know my stuff lol.
 

Ecko

23:37 [autobots] -!- eckostylez [[email protected]]
Nov 25, 2012
1,400
962
So using an `HTTP_` var is better. The var that can be spoofed. Read .
Post automatically merged:



`REMOTE_ADDR` is the most reliable way to get the users IP address, if it's a TRUSTED proxy then you check the proxy header. Notice all the top frameworks do this. I went to school for this i know my stuff lol.
I'm specifically talking about your post "only trusted proxies" that was made in regards to me stating "he should still be checking proxies". How do you know it's a trusted proxy? You have to perform some kind of checks to verify this.

That's cool you went to school for this. This is a good release, despite what others may say.
 

Kooser6

New Member
Apr 14, 2019
19
1
You
I'm specifically talking about your post "only trusted proxies" that was made in regards to me stating "he should still be checking proxies". How do you know it's a trusted proxy? You have to perform some kind of checks to verify this.

That's cool you went to school for this. This is a good release, despite what others may say.

You have to add these proxies manually.
 

BIOS

ಠ‿ಠ
Apr 25, 2012
906
247
Not hard to implement mod_remoteip.
Sure you could use modules too that works, but not everyone will be able to do that and people would also have to do more configuration to get it up and running.

So using an `HTTP_` var is better. The var that can be spoofed. Read .
Post automatically merged:



`REMOTE_ADDR` is the most reliable way to get the users IP address, if it's a TRUSTED proxy then you check the proxy header. Notice all the top frameworks do this. I went to school for this i know my stuff lol.
You ignored my post. Yes, REMOTE_ADDR is populated by the server so cannot be spoofed so it's the best if you're building it for yourself and know it'll always be correct. But if you're using a CDN and a vanilla server install it'll likely just be your provider's IP for all users. So if you're locking sessions to REMOTE_ADDR then you're not really locking anything, since all users will have the same IP...

If you validate the request came from the proxy (by checking it against the provider's IP ranges) & validating the relevant client headers are legitimate IP's - you'd be better using that approach.
 

Kooser6

New Member
Apr 14, 2019
19
1
I'm specifically talking about your post "only trusted proxies" that was made in regards to me stating "he should still be checking proxies". How do you know it's a trusted proxy? You have to perform some kind of checks to verify this.

That's cool you went to school for this. This is a good release, despite what others may say.

Look at this:
 

Ecko

23:37 [autobots] -!- eckostylez [[email protected]]
Nov 25, 2012
1,400
962
Sure you could use modules too that works, but not everyone will be able to do that and people would also have to do more configuration to get it up and running.
There is no reason to not have this task performed at the Apache level prior to it getting forked to a PHP process.
Look at this:
If a user uses this behind a hostname that goes through a CDN (ie - Cloudflare), the connecting user's IP address will always be a CF IP address. I don't know why you would want to manually configure/maintain a list of those IP addresses when you can use something like mod_remoteip.
 

Kooser6

New Member
Apr 14, 2019
19
1
Sure you could use modules too that works, but not everyone will be able to do that and people would also have to do more configuration to get it up and running.


You ignored my post. Yes, REMOTE_ADDR is populated by the server so cannot be spoofed so it's the best if you're building it for yourself and know it'll always be correct. But if you're using a CDN and a vanilla server install it'll likely just be your provider's IP for all users. So if you're locking sessions to REMOTE_ADDR then you're not really locking anything, since all users will have the same IP...

If you validate the request came from the proxy (by checking it against the provider's IP ranges) & validating the relevant client headers are legitimate IP's - you'd be better using that approach.

Please read .

`REMOTE_ADDR` is good for session locking.

It's an old post so i emailed them and they said its good.
 

MayoMayn

BestDev
Oct 18, 2016
1,423
683
What does my code look like?
Post automatically merged:



I think i found your way.



And you know you only run this against TRUSTED proxies. Key word.

Why? any HTTP headers come from the client and can be spoofed.

Look at:
Man, you gotta learn how to read.
When did I ever mention spoofing?
If you have your server sitting behind a NGINX proxy, and you don't/or do forward the request headers, then checking against $_SERVER['REMOTE_ADDR'] will be useless as it will always resolve to the IP of the proxy and not the incoming request.
That's why you check the x-forwarded-for header.

This is pretty basic stuff dude and the list of checks to do is long.
The thread you linked to is almost 3 years old btw.
 

Kooser6

New Member
Apr 14, 2019
19
1
Man, you gotta learn how to read.
When did I ever mention spoofing?
If you have your server sitting behind a NGINX proxy, and you don't/or do forward the request headers, then checking against $_SERVER['REMOTE_ADDR'] will be useless as it will always resolve to the IP of the proxy and not the incoming request.
That's why you check the x-forwarded-for header.

This is pretty basic stuff dude.

I am telling you what i can do if you check use the `HTTP_` vars (spoofing). They are unsafe.

The best and only way to check to see if `REMOTE_ADDR` is a trusted proxy, if it is then you get 'X_FORWARDED_ALL' header and use that. If it's not then you use `REMOTE_ADDR`. That's the bottom line truth.

If you say that this is not the way to do it then i guess laravel and symfony are completely wrong.
 

MayoMayn

BestDev
Oct 18, 2016
1,423
683
Please read .

`REMOTE_ADDR` is good for session locking.

It's an old post so i emailed them and they said its good.
You can't do session locking using REMOTE_ADDR if your server is behind a proxy...

Let's just leave it here ??
 

Kooser6

New Member
Apr 14, 2019
19
1
You can't do session locking using REMOTE_ADDR if your server is behind a proxy...

Let's just leave it here ??

You fail to listen to people who actually know what they are doing. But you keep doing your thing, beside we are off topic.
 

Kooser6

New Member
Apr 14, 2019
19
1
You can't spoof it if you validated the request came from the proxy in the first place. REMOTE_ADDR is fine if you aren't using a proxy/CDN, sadly most people do these days; so solely relying on REMOTE_ADDR won't do a lot for these setups if you're using it for fingerprinting (every session will be locked to the CDN's IP which breaks your implementation...).

Dude we are just gonna keep going back and forth. If it's better to do it that way how come Zend, CakePHP, Laravel, and Symfony don't do this.
You can think that validation is going to work but i guarantee your validation is not gonna work, and yes you can SPOOF the HTTP variable.
 

BIOS

ಠ‿ಠ
Apr 25, 2012
906
247
If it's better to do it that way how come Zend, CakePHP, Laravel, and Symfony don't do this.
They do exactly what I'm suggesting if you bothered to read source code:

And here's the code that validates whether the request originated from the proxy:


Not sure why you choose to blatantly ignore the facts, it's just a suggestion
 

Kooser6

New Member
Apr 14, 2019
19
1
They do exactly what I'm suggesting if you bothered to read source code:

And here's the code that validates whether the request originated from the proxy:


Not sure why you choose to blatantly ignore the facts, it's just a suggestion

Are you blind look at the code again it checks to see if the IP Is in the list of trusted proxies before using that code. Like I said you only run that code for trusted proxies. There is nothing wrong with the code you just have to use it the right way.

PHP:
public function getClientIps()
{
    $ip = $this->server->get('REMOTE_ADDR');
    if (!$this->isFromTrustedProxy()) {
        return [$ip];
    }
    return $this->getTrustedValues(self::HEADER_X_FORWARDED_FOR, $ip) ?: [$ip];
}
 
Last edited:

Weasel

👄 I'd intercept me
Nov 25, 2011
4,135
2,461
Guys, you guys are having a great discussion but please stop with the namecalling. Have a civil discussion about this, as it is honestly interesting to read. There's also no need to state how great you think you are. All that stuff will just cause this discussion to go to a heated situation.
 

BIOS

ಠ‿ಠ
Apr 25, 2012
906
247
Are you blind look at the code again it checks to see if the IP Is in the list of trusted proxies before using that code. Like I said you only run that code for trusted proxies. There is nothing wrong with the code you just have to use it the right way. [/CODE]

That's literally what I told you to do and you disagreed with it?

"If you validate the request came from the proxy (by checking it against the provider's IP ranges) & validating the relevant client headers are legitimate IP's - you'd be better using that approach." - ( )
 

Kooser6

New Member
Apr 14, 2019
19
1
That's literally what I told you to do and you disagreed with it?

"If you validate the request came from the proxy (by checking it against the provider's IP ranges) & validating the relevant client headers are legitimate IP's - you'd be better using that approach." - ( )

All you do is check to see if `REMOTE_ADDR` is in the trusted proxy list. It's pointless to validate `REMOTR_ADDR`.
 
Last edited:

Users who are viewing this thread

Top