Home > Backend Development > PHP Tutorial > Can we really limit the user IP on the web server side of the website?

Can we really limit the user IP on the web server side of the website?

WBOY
Release: 2016-10-11 14:23:46
Original
944 people have browsed it

I just asked a question about nginx forwarding upstream and changing the forwarding source IP. Since the IP of the access request source can be changed at will, the IP we get on the web server cannot be completely trusted. So how should we restrict it? Is the user's real IP address, or is this path really not feasible?

Reply content:

I just asked a question about nginx forwarding upstream and changing the forwarding source IP. Since the IP of the access request source can be changed at will, the IP we get on the web server cannot be completely trusted. So how should we restrict it? Is the user's real IP address, or is this path really not feasible?

nginx was built by [you], or was it built by [banned users]?

HTTP_X_FORWARD_FOR can be forged, but REMOTE_ADDR cannot be changed.

If it is built by [Banned User]:
You can get the IP of the nginx server through $_SERVER["REMOTE_ADDR"] and block it directly.

If [you] built nginx:
Although the user's IP can be obtained through $_SERVER["HTTP_X_FORWARD_FOR"], it may be forged.

<code>proxy_set_header X-Forward-For $remote_addr</code>
Copy after login

The best way is to add private HTTP headers. When nginx forwards, add private http headers I don’t know what needs to be faked.

<code>proxy_set_header X-GAGAGA $remote_addr</code>
Copy after login

In addition, the HL system of the proxy platform currently used by Alibaba's WW is not strictly filtered by HTTP_X_FORWARD_FOR, so carefully constructed requests can be injected. . . (Now the new version has been fixed)


Regarding forgery, if you use Linux/Unix/OSX, the built-in curl can do it:

<code>curl abc.com/test.php -H "X-FORWARD-FOR:8.8.8.8"</code>
Copy after login

If you don’t filter, there happens to be a function to directly determine whether to blacklist through IP or record IP operation logs in the background:

<code>#想注入就注入
curl miaoqiyuan.cn/test.php -H "X-FORWARD-FOR:' or 'a'='a"
#想XSS就XSS
curl miaoqiyuan.cn/test.php -H "X-FORWARD-FOR:alert('a')"</code>
Copy after login

Can we really limit the user IP on the web server side of the website?

I came up with a plan. When configuring nginx, I can add proxy_set_header X-Forward-For $remote_addr configuration. Then $_SERVER["HTTP_X_FORWARD_FOR"] gets the user's real IP, and then restricts the IP in the program.

Related labels:
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template