Menu
If Request.ServerVariables["HTTP_X_FORWARDED_FOR"] returns multiple ip's, which one do I take and how would I do it in c#? It is my understanding that if it is blank or null, then the client computer is not going through a proxy and I can just get their ip from Request.ServerVariables["REMOTE_ADDR"]. Is this a correct statement?
By "which one do I take", I mean do I take the first IP in the list or the last IP and is all I have to do is just split it into an array and take the one I want. I am not really sure how HTTP_X_FORWARDED_FOR works.
658
You can assign a secondary private IPv4 address to any network interface. The network interface does not need to be attached to the instance. You can assign multiple IPv6 addresses to a network interface that's in a subnet that has an associated IPv6 CIDR block.
Of course it can. Although it is not at all recommended to assign multiple IP addresses on a computer until there are multiple network interface cards or NICs installed in it, you can still do so. The reason why it is not recommended to have multiple IP addresses on a single network adapter is to avoid the bottlenecks.
Your ISP has several public addresses that it uses to NAT outbound connections from its users. In such a situation a user (i.e. you) doesn't get a public address and can therefore not accept any inbound connections for e.g. you camera. Your internet connection is outbound-only.
Click on "Advanced" near the bottom of the "Internet Protocol (TCP/IP) Properties" window. Click on "Add" under the IP addresses section at the top of the window. Enter an IP address and subnet mask that is on the secondary network you wish to communicate with. Click "add" on the "TCP/IP Address" window.
According to this, the format of X-Forwarded-For HTTP header is:
X-Forwarded-For: client1, proxy1, proxy2, ... So the IP address of the client that you want should be the first one in the list
200
A further note on the reliability subject:
Anyone can forge HTTP_X_FORWARDED_FOR by using a tool such as the Firefox plugin "Tamper Data" or their own local proxy (e.g. Privoxy). This means that the entire string might be fake, and REMOTE_ADDR is the actual original host. It might also mean that the first "client1" address is faked, and then the client connected through a proxy, resulting in proxy1 being the client's IP address and REMOTE_ADDR being the single proxy used.
If you are looking to deny access based on IP, I would suggest checking every IP address in the XFF header as well as REMOTE_ADDR.
If you're looking to grant access based on the region of an IP, I'd suggest allowing access only if XFF is blank and the IP is from the proper area.
As Mastermind already noted, however, there are proxies which will hide the chain of proxies. For instance, the Tor network will make a request appear as if it came from the final proxy machine, rather than the original IP. Anonymizing proxies will often claim they are forwarding for the same IP as reported in REMOTE_ADDR.
IP based filtering is generally a pretty crude, last-resort mechanism of access control.
21
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
