Programs or scripts that wish to record the client's IP address often resort to extracting the value of the $REMOTE_ADDR variable, which the Apache web server provides in the program's environment. This variable only contains the IP address of the "last hop", though. If the client arrived over one or more HTTP proxies, the value will not be correct. IMHO (In My Humble Opinion) there is no foolproof method for determining the real address of the client, but many proxies such as Squid and Pound add the client's address to an X-Forwarded-For header. That header then contains a list of the IP addresses the request has passed through. In PHP I don't use $_SERVER['REMOTE_ADDR'] directly; instead I resort to a small function whenever I need the client's address:
    function remote_addr() {
        // apache_request_headers() is only available when PHP runs as an Apache module
        $headers = apache_request_headers();
        if (array_key_exists('X-Forwarded-For', $headers)) {
            // proxy chain as reported by the proxies, followed by the last hop Apache saw
            return $headers['X-Forwarded-For'] . ' via ' . $_SERVER['REMOTE_ADDR'];
        } else {
            // no proxy header: the last hop is the only address we have
            return $_SERVER['REMOTE_ADDR'];
        }
    }
The function remote_addr() will return a string such as "10.0.1.1, 192.168.1.3 via 212.1.2.17", indicating that the browser (or web client) was on 10.0.1.1, that it passed via a proxy on 192.168.1.3 and another at 212.1.2.17 before finally hitting my web server. Knowing which client behind an HTTP proxy actually used your web service could be a life-saver. Think: fraud from within a large organization that hides behind a single proxy. Bear in mind, though, that the X-Forwarded-For header is no proof, as any client can send it with whatever content it likes, so it is easily faked.
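That caveat can be turned into code. The following is an added example (mine, not part of the original post): it walks the X-Forwarded-For chain from the last hop backwards and only accepts hops that come from proxies you operate, so a client cannot choose the address you record for it. The $TRUSTED_PROXIES list and the 203.0.113.5 client are constructed, assumed values.

```php
<?php
// Added example, not from the original post. $TRUSTED_PROXIES is an assumed,
// constructed list of the proxies you run (the two from the post are reused).
$TRUSTED_PROXIES = ['192.168.1.3', '212.1.2.17'];

function client_addr(string $remote_addr, ?string $xff, array $trusted): string {
    // REMOTE_ADDR is the only address the TCP connection actually proves.
    $chain = [$remote_addr];
    if ($xff !== null && $xff !== '') {
        // X-Forwarded-For lists hops client-first; place them before the last hop.
        $hops  = array_map('trim', explode(',', $xff));
        $chain = array_merge($hops, $chain);
    }
    // Walk from the nearest hop towards the client, peeling off trusted proxies.
    // The first address that is not one of our proxies is the best candidate:
    // everything further left was supplied by an untrusted party and may be forged.
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        $ip = $chain[$i];
        if (!in_array($ip, $trusted, true)) {
            // Garbage in the header falls back to the proven last hop.
            return filter_var($ip, FILTER_VALIDATE_IP) !== false ? $ip : $remote_addr;
        }
    }
    // Every hop was one of our proxies (e.g. a health check from the proxy itself).
    return $remote_addr;
}

// The chain from the post: client 10.0.1.1 via 192.168.1.3 and 212.1.2.17.
echo client_addr('212.1.2.17', '10.0.1.1, 192.168.1.3', $TRUSTED_PROXIES), "\n"; // 10.0.1.1

// A direct client (constructed address) that sends a forged header: the header
// is ignored because the connection did not come from a trusted proxy.
echo client_addr('203.0.113.5', '10.0.1.1', $TRUSTED_PROXIES), "\n";           // 203.0.113.5

// Inside a request you would call it with the live values, e.g.
// client_addr($_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_X_FORWARDED_FOR'] ?? null, $TRUSTED_PROXIES);
```

The address this returns is only as trustworthy as the proxies in the list; an untrusted proxy anywhere in the chain still lets the hops to its left be forged.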