Backend Development
PHP Tutorial
Can we really limit the user IP on the web server side of the website?
Can we really limit the user IP on the web server side of the website?
I just asked a question about nginx forwarding upstream and changing the forwarding source IP. Since the IP of the access request source can be changed at will, the IP we get on the web server cannot be completely trusted. So how should we restrict it? Is the user's real IP address, or is this path really not feasible?
Reply content:
I just asked a question about nginx forwarding upstream and changing the forwarding source IP. Since the IP of the access request source can be changed at will, the IP we get on the web server cannot be completely trusted. So how should we restrict it? Is the user's real IP address, or is this path really not feasible?
nginx was built by [you], or was it built by [banned users]?
HTTP_X_FORWARD_FOR can be forged, but REMOTE_ADDR cannot be changed.
If it is built by [Banned User]:
You can get the IP of the nginx server through $_SERVER["REMOTE_ADDR"] and block it directly.
If [you] built nginx:
Although the user's IP can be obtained through $_SERVER["HTTP_X_FORWARD_FOR"], it may be forged.
<code>proxy_set_header X-Forward-For $remote_addr</code>
The best way is to add private HTTP headers. When nginx forwards, add private http headers I don’t know what needs to be faked.
<code>proxy_set_header X-GAGAGA $remote_addr</code>
In addition, the HL system of the proxy platform currently used by Alibaba's WW is not strictly filtered by HTTP_X_FORWARD_FOR, so carefully constructed requests can be injected. . . (Now the new version has been fixed)
Regarding forgery, if you use Linux/Unix/OSX, the built-in curl can do it:
<code>curl abc.com/test.php -H "X-FORWARD-FOR:8.8.8.8"</code>
If you don’t filter, there happens to be a function to directly determine whether to blacklist through IP or record IP operation logs in the background:
<code>#想注入就注入
curl miaoqiyuan.cn/test.php -H "X-FORWARD-FOR:' or 'a'='a"
#想XSS就XSS
curl miaoqiyuan.cn/test.php -H "X-FORWARD-FOR:alert('a')"</code>
I came up with a plan. When configuring nginx, I can add proxy_set_header X-Forward-For $remote_addr configuration. Then $_SERVER["HTTP_X_FORWARD_FOR"] gets the user's real IP, and then restricts the IP in the program.
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1382
52
PHP: Handling Databases and Server-Side Logic
Apr 15, 2025 am 12:15 AM
PHP uses MySQLi and PDO extensions to interact in database operations and server-side logic processing, and processes server-side logic through functions such as session management. 1) Use MySQLi or PDO to connect to the database and execute SQL queries. 2) Handle HTTP requests and user status through session management and other functions. 3) Use transactions to ensure the atomicity of database operations. 4) Prevent SQL injection, use exception handling and closing connections for debugging. 5) Optimize performance through indexing and cache, write highly readable code and perform error handling.
PHP's Purpose: Building Dynamic Websites
Apr 15, 2025 am 12:18 AM
PHP is used to build dynamic websites, and its core functions include: 1. Generate dynamic content and generate web pages in real time by connecting with the database; 2. Process user interaction and form submissions, verify inputs and respond to operations; 3. Manage sessions and user authentication to provide a personalized experience; 4. Optimize performance and follow best practices to improve website efficiency and security.
How to check whether nginx is started
Apr 14, 2025 pm 01:03 PM
How to confirm whether Nginx is started: 1. Use the command line: systemctl status nginx (Linux/Unix), netstat -ano | findstr 80 (Windows); 2. Check whether port 80 is open; 3. Check the Nginx startup message in the system log; 4. Use third-party tools, such as Nagios, Zabbix, and Icinga.
PHP and Python: Code Examples and Comparison
Apr 15, 2025 am 12:07 AM
PHP and Python have their own advantages and disadvantages, and the choice depends on project needs and personal preferences. 1.PHP is suitable for rapid development and maintenance of large-scale web applications. 2. Python dominates the field of data science and machine learning.
How to configure nginx in Windows
Apr 14, 2025 pm 12:57 PM
How to configure Nginx in Windows? Install Nginx and create a virtual host configuration. Modify the main configuration file and include the virtual host configuration. Start or reload Nginx. Test the configuration and view the website. Selectively enable SSL and configure SSL certificates. Selectively set the firewall to allow port 80 and 443 traffic.
How to check whether nginx is started?
Apr 14, 2025 pm 12:48 PM
In Linux, use the following command to check whether Nginx is started: systemctl status nginx judges based on the command output: If "Active: active (running)" is displayed, Nginx is started. If "Active: inactive (dead)" is displayed, Nginx is stopped.
How to configure cloud server domain name in nginx
Apr 14, 2025 pm 12:18 PM
How to configure an Nginx domain name on a cloud server: Create an A record pointing to the public IP address of the cloud server. Add virtual host blocks in the Nginx configuration file, specifying the listening port, domain name, and website root directory. Restart Nginx to apply the changes. Access the domain name test configuration. Other notes: Install the SSL certificate to enable HTTPS, ensure that the firewall allows port 80 traffic, and wait for DNS resolution to take effect.
How to solve nginx304 error
Apr 14, 2025 pm 12:45 PM
Answer to the question: 304 Not Modified error indicates that the browser has cached the latest resource version of the client request. Solution: 1. Clear the browser cache; 2. Disable the browser cache; 3. Configure Nginx to allow client cache; 4. Check file permissions; 5. Check file hash; 6. Disable CDN or reverse proxy cache; 7. Restart Nginx.
