問題:
I know there are a plethora of $_SERVER variables headers available for IP address retrieval.我知道有大量的$_SERVER變量標頭可用於 IP 地址檢索。 I was wondering if there is a general consensus as to how to most accurately retrieve a user's real IP address (well knowing no method is perfect) using said variables?我想知道關於如何使用上述變量最準確地檢索用戶的真實 IP 地址(衆所周知沒有完美的方法)是否存在普遍共識?
I spent some time trying to find an in depth solution and came up with the following code based on a number of sources.我花了一些時間試圖找到一個深入的解決方案,並根據許多來源提出了以下代碼。 I would love it if somebody could please poke holes in the answer or shed some light on something perhaps more accurate.如果有人可以在答案中戳破洞或闡明一些可能更準確的內容,我會很高興。
edit includes optimizations from @Alix編輯包括來自@Alix 的優化
/**
* Retrieves the best guess of the client's actual IP address.
* Takes into account numerous HTTP proxy headers due to variations
* in how different ISPs handle IP addresses in headers between hops.
*/
public function get_ip_address() {
// Check for shared internet/ISP IP
if (!empty($_SERVER['HTTP_CLIENT_IP']) && $this->validate_ip($_SERVER['HTTP_CLIENT_IP']))
return $_SERVER['HTTP_CLIENT_IP'];
// Check for IPs passing through proxies
if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
// Check if multiple IP addresses exist in var
$iplist = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
foreach ($iplist as $ip) {
if ($this->validate_ip($ip))
return $ip;
}
}
}
if (!empty($_SERVER['HTTP_X_FORWARDED']) && $this->validate_ip($_SERVER['HTTP_X_FORWARDED']))
return $_SERVER['HTTP_X_FORWARDED'];
if (!empty($_SERVER['HTTP_X_CLUSTER_CLIENT_IP']) && $this->validate_ip($_SERVER['HTTP_X_CLUSTER_CLIENT_IP']))
return $_SERVER['HTTP_X_CLUSTER_CLIENT_IP'];
if (!empty($_SERVER['HTTP_FORWARDED_FOR']) && $this->validate_ip($_SERVER['HTTP_FORWARDED_FOR']))
return $_SERVER['HTTP_FORWARDED_FOR'];
if (!empty($_SERVER['HTTP_FORWARDED']) && $this->validate_ip($_SERVER['HTTP_FORWARDED']))
return $_SERVER['HTTP_FORWARDED'];
// Return unreliable IP address since all else failed
return $_SERVER['REMOTE_ADDR'];
}
/**
* Ensures an IP address is both a valid IP address and does not fall within
* a private network range.
*
* @access public
* @param string $ip
*/
public function validate_ip($ip) {
if (filter_var($ip, FILTER_VALIDATE_IP,
FILTER_FLAG_IPV4 |
FILTER_FLAG_IPV6 |
FILTER_FLAG_NO_PRIV_RANGE |
FILTER_FLAG_NO_RES_RANGE) === false)
return false;
self::$ip = $ip;
return true;
}
Words of Warning (update)警告的話(更新)
REMOTE_ADDR still represents the most reliable source of an IP address. REMOTE_ADDR仍然代表最可靠的 IP 地址來源。 The other $_SERVER variables mentioned here can be spoofed by a remote client very easily.此處提到的其他$_SERVER變量很容易被遠程客戶端欺騙。 The purpose of this solution is to attempt to determine the IP address of a client sitting behind a proxy.此解決方案的目的是嘗試確定位於代理後面的客戶端的 IP 地址。 For your general purposes, you might consider using this in combination with the IP address returned directly from $_SERVER['REMOTE_ADDR'] and storing both.出於一般目的,您可以考慮將其與直接從$_SERVER['REMOTE_ADDR']返回的 IP 地址結合使用,並同時存儲兩者。
For 99.9% of users this solution will suit your needs perfectly.對於 99.9% 的用戶,此解決方案將完美滿足您的需求。 It will not protect you from the 0.1% of malicious users looking to abuse your system by injecting their own request headers.它不會保護您免受 0.1% 的惡意用戶的侵害,他們希望通過注入自己的請求標頭來濫用您的系統。 If relying on IP addresses for something mission critical, resort to REMOTE_ADDR and don't bother catering to those behind a proxy.如果依賴 IP 地址來執行關鍵任務,請使用REMOTE_ADDR並且不要費心迎合代理背後的人。
解決方案:
參考一: https://en.stackoom.com/question/6rHS參考二: https://stackoom.com/question/6rHS