Programs or scripts that wish to record the client's IP address often resort to extracting the value of the REMOTE_ADDR variable which the Apache web server provides in the program's environment. This variable only contains the IP address of the "last hop", though: if the client arrived over one or more HTTP proxies, REMOTE_ADDR is the address of the nearest proxy, not that of the client. IMHO there is no foolproof method for determining the real address of the client, but many proxies such as Squid and Pound append the address they received the request from to an X-Forwarded-For header. That header then contains a comma-separated list of the IP addresses the request has passed through, oldest first. In PHP I don't use $_SERVER['REMOTE_ADDR'] directly, instead resorting to a small function whenever I need the client's address:

function remote_addr() {
  // PHP exposes request headers in $_SERVER with the name upper-cased and
  // prefixed HTTP_; this works under every SAPI (mod_php, CGI, FastCGI)
  // and is independent of the capitalisation the proxy used, unlike a
  // lookup of 'X-Forwarded-For' in apache_request_headers().
  if (isset($_SERVER['HTTP_X_FORWARDED_FOR']) && $_SERVER['HTTP_X_FORWARDED_FOR'] !== '') {
    // proxy chain as sent, followed by the peer that actually connected to us
    return $_SERVER['HTTP_X_FORWARDED_FOR'] . ' via ' . $_SERVER['REMOTE_ADDR'];
  } else {
    return $_SERVER['REMOTE_ADDR'];
  }
}

The function remote_addr() will return a string such as "10.0.1.1, 192.168.1.3 via 212.1.2.17", indicating that the browser (or web client) was on 10.0.1.1, that it passed via a proxy on 192.168.1.3 and another at 212.1.2.17 before finally hitting my web server. Knowing which client behind an HTTP proxy actually used your web service could be a life-saver. Think: fraud from within a large organization that hides behind a single proxy. Bear in mind though, that the X-Forwarded-For header is no proof, as it can easily be faked: any client can send an X-Forwarded-For header of its own, and a proxy you don't control simply passes it on. Only the entries appended by proxies you operate yourself are trustworthy, so for anything more than logging, check the hop chain from the right and stop at the first address that is not one of your own proxies.
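The following is an added example, not code from the original post, that applies the check just described. It assumes you know the addresses of your own proxies (the hypothetical $trusted_proxies list) and that the header arrives in $_SERVER['HTTP_X_FORWARDED_FOR']; the sample requests at the bottom are constructed to show a legitimate chain, a spoofed header sent by a direct client, and a garbage entry.

```php
<?php
// client_ip(): pick the client's address from REMOTE_ADDR plus X-Forwarded-For,
// trusting only hops that were appended by proxies we operate ourselves.
function client_ip(string $remote_addr, ?string $xff, array $trusted_proxies): string
{
    // Full hop chain: the X-Forwarded-For entries (leftmost = what the client
    // claims) followed by the peer that actually opened the TCP connection.
    $hops = [];
    if ($xff !== null && $xff !== '') {
        foreach (explode(',', $xff) as $hop) {
            $hops[] = trim($hop);
        }
    }
    $hops[] = $remote_addr;

    // Walk from the right. Every hop we trust was written by one of our own
    // proxies, so the first address we do NOT trust is the best candidate for
    // the real client; anything further left was under that party's control.
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if (in_array($hop, $trusted_proxies, true)) {
            continue;
        }
        // An untrusted party wrote this, so it may not even be an address.
        if (filter_var($hop, FILTER_VALIDATE_IP) !== false) {
            return $hop;
        }
        break;
    }
    // Header unusable: fall back to the peer address, which cannot be forged.
    return $remote_addr;
}

// Addresses of the proxies we run (assumed for this example).
$trusted_proxies = ['192.168.1.3', '212.1.2.17'];

// Constructed sample requests: [REMOTE_ADDR, X-Forwarded-For]
$samples = [
    // client behind our two proxies: the chain from the article
    ['212.1.2.17', '10.0.1.1, 192.168.1.3'],
    // direct client that forged a header: the forgery is ignored
    ['203.0.113.9', '10.0.1.1'],
    // our proxy forwarded junk written by the client: fall back to the peer
    ['212.1.2.17', "<script>alert(1)</script>, 192.168.1.3"],
    // no header at all
    ['198.51.100.7', null],
];

foreach ($samples as [$remote_addr, $xff]) {
    printf("%-12s %-45s -> %s\n", $remote_addr, var_export($xff, true),
           client_ip($remote_addr, $xff, $trusted_proxies));
}
```

The first sample yields 10.0.1.1 as in the article, the second yields 203.0.113.9 rather than the forged 10.0.1.1, and the third falls back to 212.1.2.17 because the only untrusted entry is not an address. Validating the entry before using it also matters because a client-supplied X-Forwarded-For value that is written straight into a log viewer or a database is an injection vector, not just an unreliable address.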

Internet, Software, and Apache :: 08 Feb 2006
