I have generally assumed that in a PHP script I can test $_SERVER['REMOTE_ADDR'] to establish the IP address from which the request originated. However, I am starting to wonder if things are not a bit more complicated. Here is the scenario:
The request goes out as
file_get_contents('https://url?data=value')
On servers A, B and C I was quite naively testing $_SERVER['REMOTE_ADDR'] to establish that the request was in fact coming from server S. Much to my surprise the results turned out to be patchy and variable:
1. REMOTE_ADDR was the IP address of the human user interacting with the registration server, S
2. REMOTE_ADDR was the IP address of the registration server, S - what I had expected to see all the time
3. REMOTE_ADDR was another IP address from the pool of IP addresses on the virtual server where I host server S
I don't really need to perform this additional verification test so I can drop it out altogether. Nevertheless this result has taken me by surprise so I am curious to see if someone here can shed some light on what is going on.
I should mention that I am running PHP 5.5 on Lighttpd on servers A, B and C and PHP 5.3 on Apache 2 on server S.
REMOTE_ADDR is a variable that Apache (or any other web container) fills; it contains the IP address of the terminal at the other end of the communication.
Is it reliable? Yes.
Is it secure? Depends. If you use it thinking that it presents you with the IP address of the user making the call, you're wrong; any proxy standing in the way will corrupt the information.
In your case, the server emitting the HTTP call should provide its IP address, so scenario 2 should happen all the time. I don't know what went wrong at what moment, but it's weird.
To respond to Dany Caissy, don't rely on HTTP_X_FORWARDED_FOR; it can easily be modified as it's an HTTP header, and not a TCP/IP property.
REMOTE_ADDR isn't the only way to get the IP address; there are also:
HTTP_CLIENT_IP
HTTP_X_FORWARDED_FOR
HTTP_X_FORWARDED
HTTP_X_CLUSTER_CLIENT_IP
HTTP_FORWARDED_FOR
HTTP_FORWARDED
They are set in different ways and can mean different things. Ultimately, it is very difficult to get the IP address you want to have.
EDIT: The only one of them that is reliable and can't be modified by the user is REMOTE_ADDR, but it won't always do exactly what you want, so you'll HAVE to use the other ones, no matter how 'unsafe' everyone says they are.
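A sketch of the check the question describes (did this request come from server S?), added here as an example and not taken from either answer: REMOTE_ADDR decides, and X-Forwarded-For is read only when the TCP peer is a proxy you operate. The addresses, TRUSTED_PROXIES, ALLOWED_SENDERS and both function names are assumptions, and the proxy is assumed to append the connecting address to X-Forwarded-For.

```php
<?php
// Added example. All addresses are constructed (documentation ranges).
const TRUSTED_PROXIES = ['192.0.2.10'];                    // proxies you operate
const ALLOWED_SENDERS = ['198.51.100.7', '198.51.100.8'];  // S's whole outbound pool

/**
 * Address to authorise against. REMOTE_ADDR is the TCP peer and cannot be set
 * by a header. X-Forwarded-For is consulted only when that peer is one of our
 * proxies, and is read right to left so client-prepended values are never reached.
 */
function clientIp(array $server): ?string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    if (!in_array($peer, TRUSTED_PROXIES, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer; // direct connection: ignore every forwarding header
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return null; // malformed chain: fail closed
        }
        if (!in_array($hop, TRUSTED_PROXIES, true)) {
            return $hop; // first hop that is not under our control
        }
    }
    return $peer; // the chain listed only our own proxies
}

function isFromServerS(array $server): bool
{
    $ip = clientIp($server);
    return $ip !== null && in_array($ip, ALLOWED_SENDERS, true);
}

// Constructed requests covering the direct, spoofed and proxied cases.
$cases = [
    'direct from S'          => ['REMOTE_ADDR' => '198.51.100.7'],
    'spoofed header, direct' => ['REMOTE_ADDR' => '203.0.113.50', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7'],
    'S via our proxy'        => ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => '198.51.100.8'],
    'spoof prepended, proxy' => ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7, 203.0.113.50'],
];
foreach ($cases as $name => $server) {
    printf("%-24s %s\n", $name, isFromServerS($server) ? 'accept' : 'reject');
}
```

An IP allowlist only narrows who can reach the endpoint; a shared secret or request signature between S and the receiving servers is what actually authenticates the sender.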