Is the web server variable $_SERVER['REMOTE_ADDR'] reliable?

I have generally assumed that in a PHP script I can test $_SERVER['REMOTE_ADDR'] to establish the IP address from which the request originated. However, I am starting to wonder if things are not a bit more complicated. Here is the scenario:

  • I run a number of servers, call them A, B and C, on which users have to be "registered"
  • I run a separate registration server, call it S, where the users' credentials etc. are first verified prior to sending out a complete registration request to servers A, B and C

The request goes out as

file_get_contents('https://url?data=value')

On servers A, B and C I was quite naively testing $_SERVER['REMOTE_ADDR'] to establish that the request was in fact coming from server S. Much to my surprise, the results turned out to be patchy and variable:

  1. The value in REMOTE_ADDR was the IP address of the human user interacting with the registration server, S
  2. The value in REMOTE_ADDR was the IP address of the registration server, S - what I had expected to see all the time
  3. The value in REMOTE_ADDR was another IP address from the pool of IP addresses on the virtual server where I host server S

I don't really need to perform this additional verification test so I can drop it out altogether. Nevertheless this result has taken me by surprise so I am curious to see if someone here can shed some light on what is going on.

I should mention that I am running PHP 5.5 on Lighttpd on servers A, B and C and PHP 5.3 on Apache 2 on server S.

DroidOS asked Jun 24 '14 14:06


2 Answers

REMOTE_ADDR is a variable that Apache (or any other web container) fills; it contains the IP address of the terminal at the other end of the communication.

Is it reliable? Yes.

Is it secure? It depends: if you use it thinking that it presents you with the IP address of the user making the call, you're wrong; any proxy standing in the way will corrupt the information.

In your case, the server emitting the HTTP call should provide its IP address, so scenario 2 should happen all the time. I don't know what went wrong at what moment, but it's weird.

To respond to Dany Caissy, don't rely on HTTP_X_FORWARDED_FOR, it can easily be modified as it's an HTTP header, and not a TCP/IP property.

Shotgun answered Nov 12 '22 18:11


REMOTE_ADDR isn't the only way to get the IP address; there are also:

HTTP_CLIENT_IP
HTTP_X_FORWARDED_FOR
HTTP_X_FORWARDED
HTTP_X_CLUSTER_CLIENT_IP
HTTP_FORWARDED_FOR
HTTP_FORWARDED

They are set in different ways and can mean different things; ultimately, it is very difficult to get the IP address you want to have.

EDIT: The only one of them that is reliable and can't be modified by the user is REMOTE_ADDR, but it won't always do exactly what you want, so you'll HAVE to use the other ones, no matter how 'unsafe' everyone says they are.

Dany Caissy answered Nov 12 '22 18:11
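The two answers above pull in opposite directions: REMOTE_ADDR is the TCP peer and cannot be forged by the sender, but behind a reverse proxy it is the proxy's address, while HTTP_X_FORWARDED_FOR tells you the original client but is just a request header anyone can send. The usual way to reconcile them is to consult the header only when REMOTE_ADDR is a proxy you operate, and even then to walk the header from the right (the hop your own proxy appended) rather than trust its first entry. The PHP below is an added example written for this page, not code from the question or from either answer; the proxy and client addresses in it are placeholders, and the `$_SERVER`-style arrays at the bottom are constructed requests, not captured traffic. It is written to run on the PHP 5.3/5.5 versions mentioned in the question.

```php
<?php
// Added example, not from the original question or answers.
// Addresses of reverse proxies we operate (assumed values, placeholders only).
$TRUSTED_PROXIES = array('10.0.0.5', '10.0.0.6');

/**
 * Return the address to treat as the client's, given a $_SERVER-style array.
 *
 * REMOTE_ADDR is the other end of the TCP connection; the peer cannot choose
 * it. X-Forwarded-For (HTTP_X_FORWARDED_FOR in $_SERVER) is an ordinary
 * request header, so it is consulted only when REMOTE_ADDR is one of our own
 * proxies. Even then the header is walked from the right: the rightmost hop
 * was appended by the proxy nearest to us, and anything to its left may have
 * been supplied by the client itself.
 */
function client_ip(array $server, array $trusted_proxies)
{
    if (!isset($server['REMOTE_ADDR'])
        || filter_var($server['REMOTE_ADDR'], FILTER_VALIDATE_IP) === false) {
        return null;                        // no usable peer address at all
    }
    $peer = $server['REMOTE_ADDR'];

    if (!in_array($peer, $trusted_proxies, true)) {
        return $peer;                       // direct connection: ignore the header entirely
    }
    if (empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer;                       // trusted proxy that added no header
    }

    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (filter_var($hops[$i], FILTER_VALIDATE_IP) === false) {
            return $peer;                   // malformed header: trust none of it
        }
        if (!in_array($hops[$i], $trusted_proxies, true)) {
            return $hops[$i];               // first hop from the right we did not add
        }
    }
    return $peer;                           // every hop was one of our proxies
}

/**
 * Source-address allowlist, as in the question's "did this come from S?"
 * check. $allowed must list every address the sending host can egress from.
 */
function is_from_allowed_source(array $server, array $allowed, array $trusted_proxies)
{
    $ip = client_ip($server, $trusted_proxies);
    return $ip !== null && in_array($ip, $allowed, true);
}

// Constructed requests (not real traffic).
// 1. Direct connection carrying a forged header: the header must be ignored.
$direct = array(
    'REMOTE_ADDR'          => '203.0.113.10',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.1',
);
// 2. Same client arriving via our proxy; the client also injected a fake
//    leftmost entry, which the right-to-left walk skips over.
$proxied = array(
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.1, 203.0.113.10',
);

echo "direct:  ", client_ip($direct, $TRUSTED_PROXIES), "\n";
echo "proxied: ", client_ip($proxied, $TRUSTED_PROXIES), "\n";
echo "allowed: ", is_from_allowed_source($direct, array('203.0.113.10'), $TRUSTED_PROXIES) ? 'yes' : 'no', "\n";
```

Two points follow for the setup in the question. First, if server S sits behind a NAT or an outbound proxy, or can send from any address in a pool (scenario 3 in the question), the allowlist passed to `is_from_allowed_source()` has to contain every address S can egress from, and it silently breaks when that pool changes; that brittleness is the practical argument against authenticating server-to-server calls by source address alone. Second, the trusted-proxy list must never contain an address a client could connect from, since any peer on that list gets to set the reported client IP through the header.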