Can we trick $_SERVER['REMOTE_ADDR'] / user IP with PHP cURL?

Well, the name basically talks about it.

But for more information:

This method works, but...

$ip = '1.1.1.1';
curl_setopt($handle, CURLOPT_HTTPHEADER, array("REMOTE_ADDR: $ip", "X_FORWARDED_FOR: $ip"));

It only adds these two keys to $_SERVER:

  • HTTP_REMOTE_ADDR
  • HTTP_X_FORWARDED_FOR

The key REMOTE_ADDR is still the same.

Can I change REMOTE_ADDR? The answer here is NO. But the comment also says: "It can, however, NOT be the real IP address of the user, because it can be hidden by proxies and other methods." This is why the general rule is not to depend on $_SERVER['REMOTE_ADDR'] for security functions.

With all this, is there a curl php method that also hides / masks / changes ip? (any php method other than the above code will do.)

AND

Is there a way to counter the method, OR is there a way to get the user's ACTUAL REAL IP?

Hooray!

+6
2 answers

No. $_SERVER['REMOTE_ADDR'] is the actual physical IP address used by the client to connect to the web server, as confirmed by the TCP three-way handshake. There is no way to fake this by setting simple HTTP headers. You also cannot force the web server / PHP to overwrite this value in any other way. $_SERVER['REMOTE_ADDR'] is set from the information of the TCP connection, period.

In order to actually trick the IP address, you need to penetrate much deeper into the real network layer and have some level of control over the network equipment / man-in-the-middle positions / proxies / whatnot, in order to actually be able to establish a TCP connection from an IP address different from the one you are establishing it from.

Is there a way to counter the method OR Is there a way to get the user's ACTUAL REAL IP?

No. The "actual user IP address" is the address from which your web server received a connection, period. There is no other address for you. The client connects to your server from a specific IP address, this is confirmed by the three-way handshake of TCP, and that is the only address that you know for this client. This client can be a proxy server or a NAT router (i.e. a proxy server) or something else; you simply do not know, and it should not have any meaning for you.

+17

If the client uses a browser behind a proxy server, $_SERVER['REMOTE_ADDR'] will be the IP address of the proxy server. The remote address is the IP address of the machine that creates the connection.

If the proxy uses headers to indicate whether a connection is being made to other computers, you can use these headers to determine the IP address of the browser behind the proxy server.

  • Some of these HTTP headers are converted to environment variables, such as $_SERVER['HTTP_X_FORWARDED_FOR'], $_SERVER['HTTP_X_FORWARDED'], $_SERVER['HTTP_FORWARDED_FOR'] and $_SERVER['HTTP_FORWARDED'].
  • You can check if some of these variables are defined by the server and (try to) determine the browser IP address behind the proxy server.

Note that RFC 6648 rejected the X-* headers and RFC 7239 deprecated the X-Forwarded-* by specifying the Forwarded header.

You can check the answers to

0
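The point both answers make, as an added example that is not part of the original question or answers: REMOTE_ADDR comes from the TCP connection, while X-Forwarded-For is text the client can set, so it is read only when the connection came from a proxy you operate. The function name `client_ip`, the `$trustedProxies` list and the sample addresses are assumptions made for this illustration.

```php
<?php
// Added example: client_ip() and the proxy list are hypothetical, not from the page.

/**
 * Return the client address to use for logging or rate limiting.
 * REMOTE_ADDR is taken from the TCP connection. X-Forwarded-For is consulted
 * only when that connection came from a proxy we operate ourselves.
 */
function client_ip(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote; // direct connection: ignore every forwarded header
    }

    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));

    // Each proxy appends the address it saw, so walk right to left and stop
    // at the first hop that is not one of our own proxies.
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // empty or malformed entry: stop trusting the header
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $remote; // nothing usable in the header
}

// Constructed sample requests (documentation address ranges).
$proxies = ['10.0.0.5'];

// Client connects directly and sends the header from the question's cURL call.
$direct = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '1.1.1.1'];

// Same forged header, but the request arrives through our proxy, which
// appended the address it actually saw.
$viaProxy = [
    'REMOTE_ADDR' => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '1.1.1.1, 198.51.100.23',
];

echo client_ip($direct, $proxies), "\n";
echo client_ip($viaProxy, $proxies), "\n";
```

In both sample requests the forged 1.1.1.1 entry is never returned: the first call falls back to REMOTE_ADDR, the second returns the address appended by the trusted proxy.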

Source: https://habr.com/ru/post/952019/