Programs or scripts that wish to record the client’s IP address often resort to extracting the value of the $REMOTE_ADDR variable which is provided by the Apache web server in the program’s environment. This variable only contains the IP address of the “last hop”, though. If the client arrived over one or more HTTP proxies, the value will not be correct. IMHO(In My Humble Opinion) there is no foolproof method for determining the real address of the client, but many proxies such as Squid and Pound add the client’s address to an X-Forwarded-For header. That then contains a list of IP addresses the client has passed through. In PHP I don’t use $_SERVER['REMOTE_ADDR'], instead resorting to a small function whenever I need the client’s address:

function remote_addr() {
  $headers = apache_request_headers();
  if (array_key_exists('X-Forwarded-For', $headers)){
    return $headers['X-Forwarded-For'] . ' via ' . $_SERVER["REMOTE_ADDR"];
  } else {
    return $_SERVER["REMOTE_ADDR"];

The function remote_addr() will return a string such as ", via" indicating that the browser (or web client) was on, that it passed via a proxy on and another at before finally hitting my web server. Knowing which client behind a HTTP proxy actually used your web service, could be a life-saver. Think: fraud from within a large organization that hides behind a single proxy. Bear in mind though, that the X-Forwarded-For header is no proof, as it can easily be faked.

Internet, Software, and Apache :: 08 Feb 2006 :: e-mail