Show DevBest [PHP - PDO] VPN/Proxy Restriction

[MayoMayn]

Since y'all got me in a good mood, I'm going to release this script that I coded.
For more information about how this service works check out the website that checks the IP's:

You must be registered for see links

Okay, so first off we gotta create a function called getIP()

public function getIP() 
    {
        //Just get the headers if we can or else use the SERVER global
        if(function_exists('apache_request_headers')) {
            $headers = apache_request_headers();
        } else {
            $headers = $_SERVER;
        }
        //Get the forwarded IP if it exists
        if(array_key_exists('X-Forwarded-For', $headers) && filter_var($headers['X-Forwarded-For'], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
            $ip = $headers['X-Forwarded-For'];
        } elseif(array_key_exists('HTTP_X_FORWARDED_FOR', $headers) && filter_var($headers['HTTP_X_FORWARDED_FOR'], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
            $ip = $headers['HTTP_X_FORWARDED_FOR'];
        } else {
            $ip = filter_var($_SERVER['REMOTE_ADDR'], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
        }

        return $ip;
    }

Okay, so in the same class, create a function called curl()

public function curl($url, $json=false)
{
        //Check if server has curl library installed
        if(function_exists('curl_init')) {
            // Initiate curl
            $ch = curl_init();
            // Disable SSL verification
            curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
            // Will return the response, if false it prints the response
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            // Set the url
            curl_setopt($ch, CURLOPT_URL, $url);
            // Execute
            $response = curl_exec($ch);
            // Close curl
            curl_close($ch);
        } else {
            // Ordinary get content
            $response = file_get_contents($url);
        }

        if($json == true) {
            //Return as JSON data.
            $response = json_decode($response, true);
        }

        return $response;
    }

So for the second last step, we gotta create a function called validIP() which validates the visitors IP

public function validIP()
{
        $db = $this->db;
        $config = $this->config;
        $uip = $this->getIP();
        //Check if session variables are set
        if(isset($_SESSION['ip_banned']) && isset($_SESSION['visitor_ip']) && $_SESSION['visitor_ip'] === $uip) {
            if($_SESSION['ip_banned'] == 0) {
                $ipBanned = 0;
                $status = true;
            } else {
                $ipBanned = 1;
                $status = false;
            }
        } else {
            //Check if Visitor exists inside our Database Table
            $stmt = $db->query("SELECT `banned`,`result` FROM `visitor_ips` WHERE `ip` = :ip LIMIT 1");
            $stmt->bindParam(':ip', $uip, $db->PARAM_STR);
            $stmt->execute();
            if($stmt->rowCount() > 0) {
                $ip = $db->assoc($stmt);
                if($ip['banned'] == '0' && $ip['result'] < '1') {
                    $ipBanned = 0;
                    $status = true;
                } else {
                    $ipBanned = 1;
                    $status = false;
                }
            } else {
                //Get url for IP Validation
                $url = 'https://check.getipintel.net/check.php?ip='.$uip.'&flags=f&format=json&oflags=bc&contact='.$config->hotel('mail');
                //Initiate
                $json = $this->curl($url, true);

                if($json['status'] == "success") {
                    if($json['BadIP'] == "0") {
                        $continue = true;
                        if($config->hotel('c_allow_check') == true) {
                            if(!in_array($json['Country'], $config->hotel('c_allow'))) {
                                $continue = false;
                                $ipBanned = 1;
                            }
                        }
                        if($continue == true) {
                            if($json['result'] >= '1') {
                                $ipBanned = 1;
                            } else {
                                $ipBanned = 0;
                            }
                        }
                    } else {
                        $ipBanned = 1;
                    }
                } else {
                    $ipBanned = 0;
                }
                // If Visitor does not exists in our table insert them into.
                $stmt = $db->query("INSERT INTO `visitor_ips` (`ip`,`banned`,`result`,`agent`) VALUES (:ip,:b,:r,:a)");
                $data = [
                    ':ip' => $uip,
                    ':b' => $ipBanned,
                    ':r' => $json['result'],
                    ':a' => $_SERVER['HTTP_USER_AGENT']
                ];
                if($stmt->execute($data)) {
                    if($ipBanned == 0) {
                        $status = true;
                    } else {
                        $status = false;
                    }
                }
            }
            $_SESSION['visitor_ip'] = $uip;
            $_SESSION['ip_banned'] = $ipBanned;
        }

        return $status;
    }

Run this SQL as a query to create the table needed.

DROP TABLE IF EXISTS `visitor_ips`;
CREATE TABLE `visitor_ips` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `ip` varchar(45) NOT NULL,
  `banned` enum('0','1') NOT NULL,
  `result` varchar(255) NOT NULL,
  `agent` text NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

For this to work, you gotta recode the MySQL queries so it works for your own service.
By researching, you can create the most amazing stuff.

 

[Hender]

Nice script this could be very useful for some on my projects, thank you.

 

[CokeSK8]

This is very useful for me and my new project thank you very much for the contribution

 

[MayoMayn]

For further usage, I've updated the validation of the getIP function, since it returned some flaws on mine.
 
Instead of creating a whole other thread, I might aswell just post it here as it serves the same purpose.
Basically I've coded this as a detection package for NodeJS that can be found here:

You must be registered for see links

Currently waiting for to receive the "proxy-detection" package name.

 

[Weasel]

For further usage, I've updated the validation of the getIP function, since it returned some flaws on mine.
 
Instead of creating a whole other thread, I might aswell just post it here as it serves the same purpose.
Basically I've coded this as a detection package for NodeJS that can be found here:

You must be registered for see links

Currently waiting for to receive the "proxy-detection" package name.

I think it's better to create a seperate thread for it, easier to find! You're really getting into Node.

 

[MayoMayn]

I think it's better to create a seperate thread for it, easier to find! You're really getting into Node.

Might aswell do, and yeah Node is fucking sweet.

 

[7r1n17y]

You should not use this because $_SERVER['HTTP_X_FORWARDED_FOR'] or $_SERVER['HTTP_CLIENT_IP'] can be edited by the connecting user witch opens up a security risk. The best way to the IP address is $_SERVER['REMOTE_ADDR']. Anything that is a HTTP var can be edited by the user.

 

[7r1n17y]

You clearly know jack shit of PHP mate.
Maybe you should try to research the big differences between HTTP_X_FORWARDED_FOR, HTTP_CLIENT_IP and REMOTE_ADDR before you comment more shit.

Actually i am right if you look at this post and look at the best answer it show which vars are a risk

You must be registered for see links

. Before hating on my comment check your sources. Let me put it like this. The risk with X-Forwarded-For is that a user could create the header themselves, and thus pass along any IP they wish. Just like my first comment on the other thread security depends on the idiot programming it.

 

[MayoMayn]

Actually i am right if you look at this post and look at the best answer it show which vars are a risk

You must be registered for see links

. Before hating on my comment check your sources. Let me put it like this. The risk with X-Forwarded-For is that a user could create the header themselves, and thus pass along any IP they wish. Just like my first comment on the other thread security depends on the idiot programming it.

You still keep avoiding your own statement. You clearly don't know the differences between the various server variables. If you could read PHP code, you would then realize the IP is being validated. Second of all, if it's not even a valid IP in the end, the getipintel will return it as a failed attempt.

I get it, you think you know everything because you can figure out how to research. Let me tell you something, if you don't even know what the hell you're searching for in the end that is relevant to the topic, then it doesn't even matter.

Do some research and come up with a better solution for receiving the users IP in PHP. That is the only way that validates the IP correctly depending on your own server, and if the visitor is using a proxy or VPN.

Tell me, what is the purpose of HTTP_X_FORWARDED_FOR vs HTTP_CLIENT_IP vs REMOTE_ADDR

This is an old script I created that could easily be improved if I bothered to code PHP again, but I cba.

 

[Weasel]

Thread cleaned. Please read the OP before you post on a thread.

 

[Ari]

I assume this looks up the IP and checks whether it is a known VPN or datacenter IP?
To get true vpn/proxy protection you should block all datacenter IPs and only allow residential ones.

 

[MayoMayn]

I assume this looks up the IP and checks whether it is a known VPN or datacenter IP?
To get true vpn/proxy protection you should block all datacenter IPs and only allow residential ones.

Instead of asking such a question, you should visit their website to read the answer.

You must be registered for see links

 

[Paypal]

Very useful for one of my projects

 

[Jerry]

This can be very useful. Thank you.

 

[Seriosk]

It's useful sure, just the fact is also blocks vps servers and tore nodes would be an issue for me. Anyway.. good job.

 

[Zombzon]

To verify, try it:
$proxy_ports = array(80, 8080, 443); // if necessary add ports
foreach($proxy_ports as $i=>$v) {
if($_SERVER['REMOTE_PORT'] == $v) die('VPNs are not allowed!');
}
$proxy_headers = array(
'HTTP_VIA',
'HTTP_X_FORWARDED_FOR',
'HTTP_FORWARDED_FOR',
'HTTP_X_FORWARDED',
'HTTP_FORWARDED',
'HTTP_CLIENT_IP',
'HTTP_FORWARDED_FOR_IP',
'VIA',
'X_FORWARDED_FOR',
'FORWARDED_FOR',
'X_FORWARDED',
'FORWARDED',
'CLIENT_IP',
'FORWARDED_FOR_IP',
'HTTP_PROXY_CONNECTION'
);
foreach($proxy_headers as $i=>$v) {
if(isset($_SERVER[$v])) die('VPNs are not allowed!');
}

 

[Seriosk]

To verify, try it:
$proxy_ports = array(80, 8080, 443); // if necessary add ports
foreach($proxy_ports as $i=>$v) {
if($_SERVER['REMOTE_PORT'] == $v) die('VPNs are not allowed!');
}
$proxy_headers = array(
'HTTP_VIA',
'HTTP_X_FORWARDED_FOR',
'HTTP_FORWARDED_FOR',
'HTTP_X_FORWARDED',
'HTTP_FORWARDED',
'HTTP_CLIENT_IP',
'HTTP_FORWARDED_FOR_IP',
'VIA',
'X_FORWARDED_FOR',
'FORWARDED_FOR',
'X_FORWARDED',
'FORWARDED',
'CLIENT_IP',
'FORWARDED_FOR_IP',
'HTTP_PROXY_CONNECTION'
);
foreach($proxy_headers as $i=>$v) {
if(isset($_SERVER[$v])) die('VPNs are not allowed!');
}

Could of at least used the [] CODE tags, anyway.. this can easily be bypassed.

 

[Zombzon]

Could of at least used the [] CODE tags, anyway.. this can easily be bypassed.

Mmh yes, sadly..
I don't know of any other solution, but I think there is another solution..

 

[Ecko]

To verify, try it:
$proxy_ports = array(80, 8080, 443); // if necessary add ports
foreach($proxy_ports as $i=>$v) {
if($_SERVER['REMOTE_PORT'] == $v) die('VPNs are not allowed!');
}
$proxy_headers = array(
'HTTP_VIA',
'HTTP_X_FORWARDED_FOR',
'HTTP_FORWARDED_FOR',
'HTTP_X_FORWARDED',
'HTTP_FORWARDED',
'HTTP_CLIENT_IP',
'HTTP_FORWARDED_FOR_IP',
'VIA',
'X_FORWARDED_FOR',
'FORWARDED_FOR',
'X_FORWARDED',
'FORWARDED',
'CLIENT_IP',
'FORWARDED_FOR_IP',
'HTTP_PROXY_CONNECTION'
);
foreach($proxy_headers as $i=>$v) {
if(isset($_SERVER[$v])) die('VPNs are not allowed!');
}

This is useless if you are using Nginx or Varnish as a reverse proxy to your web server.

 

[Ilker927319]

Do you also have a picture for what it looks like when the script blocks you?