我们可以用php cURL欺骗$ _SERVER ['REMOTE_ADDR'] / user ip吗? [英] Can we spoof $_SERVER['REMOTE_ADDR'] / user ip with php cURL?
问题描述
这个标题基本上是说的。
Well the title basically says it.
但是更多信息。 。
此方法可行。 。
$ip = '1.1.1.1';
curl_setopt($handle, CURLOPT_HTTPHEADER, array("REMOTE_ADDR: $ip", "X_FORWARDED_FOR: $ip"));
它只添加这两个键 $ _ SERVER 数组
-
HTTP_REMOTE_ADDR -
HTTP_X_FORWARDED_FOR
HTTP_REMOTE_ADDRHTTP_X_FORWARDED_FOR
REMOTE_ADDR 仍然保持不变。
可以 REMOTE_ADDR 改变? 此处的答案表示否。但是注释也说但是,它可能不是用户的真实IP地址,因为它可能被代理和其他方法隐藏。这就是为什么一般规则是不依赖 $ _ SERVER ['REMOTE_ADDR'] 作为安全功能。
Can REMOTE_ADDR be changed? The answer here says NO. But a comment also says It may, however, NOT be the user's real IP address because it may be hidden by proxies and other methods. That is why the general rule is to not depend on $_SERVER['REMOTE_ADDR'] for a security feature.
所有这一切都有一个curl php方法也隐藏/屏蔽/更改ip? (除了上述代码之外的任何其他PHP方法)。
With all that aside is there a curl php method to also hide/mask/change the ip? (any other php method aside from the above code would do.)
AND
是否有一种方法可以阻止方法或是否有方法可以获取用户的 ACTUAL REAL IP ?
Is there a way for countering the method OR Is there a way to get the ACTUAL REAL IP of a user?
干杯!
推荐答案
不。 REMOTE_ADDR'] 是客户端用于连接到Web服务器的实际物理IP地址,由三向TCP握手确认。没有办法通过设置简单的HTTP头来伪造这个。你也不能让web服务器/ PHP用任何方式用别的东西覆盖这个值。 $ _ SERVER ['REMOTE_ADDR'] 是从TCP连接信息,期间设置的。
No. $_SERVER['REMOTE_ADDR'] is the actual physical IP address the client used to connect to the webserver, as confirmed by a three-way TCP handshake. There's no way to fake this by setting simple HTTP headers. You also cannot make the webserver/PHP overwrite this value with something else in any way. $_SERVER['REMOTE_ADDR'] is set from TCP connection information, period.
实际欺骗IP地址,你必须更深入到实际的网络层,并有一定程度的控制网络设备/人在中间位置/代理/实际上不能建立一个TCP连接从一个IP地址,重新建立它。
To actually spoof an IP address, you have to go much deeper into the actual network layer and have some level of control over network equipment/man in the middle positions/proxies/whatnot to actually be able to establish a TCP connection from an IP address other than the one you're establishing it from.
有没有办法反对方法或者有办法获得用户的ACTUAL REAL IP吗?
Is there a way for countering the method OR Is there a way to get the ACTUAL REAL IP of a user?
否。 用户的实际IP地址是您的Web服务器从其接收连接的地址,期间。没有其他地址。客户端从某个IP连接到您的服务器,这通过三路TCP握手确认,这是您为此客户端知道的唯一地址。此客户端可能是代理或NAT路由器(即代理)或其他,你根本不知道,也不会对你造成任何影响。
No. "The actual IP address of the user" is the address your webserver received the connection from, period. There is no other address for you. The client connects to your server from a certain IP, this is confirmed with a three-way TCP handshake, that's the only address you know for this client. This client may be a proxy or a NAT router (i.e. a proxy) or something else, you simply do not know and neither should it make any difference to you.
这篇关于我们可以用php cURL欺骗$ _SERVER ['REMOTE_ADDR'] / user ip吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
