在Heroku上获取客户的真实IP地址 [英] Get client's real IP address on Heroku
问题描述
ENV ['REMOTE_ADDR']
当然这不起作用,因为所有的请求都是通过代理传递的。因此,替代方案是使用:
ENV ['HTTP_X_FORWARDED_FOR']
但这不是很安全,是吗?
如果它只包含一个值,这个。如果它包含多个值(逗号分隔),我可以拿第一个。
但是如果有人操纵这个值呢?我不能相信 ENV ['HTTP_X_FORWARDED_FOR'] ,因为我可以使用 ENV ['REMOTE_ADDR'] 。并没有我可以使用的可信任代理列表。
但是必须有一些方法来可靠地获取客户端的IP地址,总是。你知道吗?
在他们的文档,Heroku描述了 X-Forwarded-For 是连接到Heroku路由器的客户端的始发IP地址。
听起来好像Heroku可以覆盖原始远程IP的 X-Forwarded-For 。这可以防止欺骗,对吧?有人可以证实这一点吗?
路由器不覆盖
X-Forwarded-For,但它确实保证真正的原点始终是 last 项目。
这意味着,如果您以正常方式访问Heroku应用程序,您只会在 X-Forwarded-For 标头中看到您的IP地址:
$ curl http://httpbin.org/ip
{
origin:123.124.125.126,
}
如果您试图欺骗IP,您所指称的 被反映,但是 - 严格地说 - 您的真实IP也是如此。显然,这是我们所需要的,所以在Heroku上获得客户端IP地址有一个明确而安全的解决方案:
$ curl -HX-Forwarded-For:8.8.8.8http://httpbin.org/ip
{
origin:8.8.8.8,123.124.125.126
}
PHP实现:
$ b
function getIpAddress(){
if(isset($ _ SERVER ['HTTP_X_FORWARDED_FOR'])){
$ ipAddresses = explode(',',$ _SERVER ['HTTP_X_FORWARDED_FOR']);
return trim(end($ ipAddresses));
}
else {
return $ _SERVER ['REMOTE_ADDR'];
}
}
On Heroku Cedar, I wanted to get the client's IP. First attempt:
ENV['REMOTE_ADDR']
This does not work, of course, because all requests are passed through proxies. So the alternative was to use:
ENV['HTTP_X_FORWARDED_FOR']
But this is not quite safe, is it?
If it contains only one value, I take this. If it contains more than one value (comma-separated), I could take the first one.
But what if someone manipulates this value? I cannot trust ENV['HTTP_X_FORWARDED_FOR'] as I could with ENV['REMOTE_ADDR']. And there is no list of trusted proxies that I could use, either.
But there must be some way to reliably get the client's IP address, always. Do you know one?
In their docs, Heroku describes that X-Forwarded-For is "the originating IP address of the client connecting to the Heroku router".
This sounds as if Heroku could be overwriting the X-Forwarded-For with the originating remote IP. This would prevent spoofing, right? Can someone verify this?
From Jacob, Heroku's Director of Security at the time:
The router doesn't overwrite
X-Forwarded-For, but it does guarantee that the real origin will always be the last item in the list.
This means that, if you access a Heroku app in the normal way, you will just see your IP address in the X-Forwarded-For header:
$ curl http://httpbin.org/ip
{
"origin": "123.124.125.126",
}
If you try to spoof the IP, your alleged origin is reflected, but - critically - so is your real IP. Obviously, this is all we need, so there's a clear and secure solution for getting the client's IP address on Heroku:
$ curl -H"X-Forwarded-For: 8.8.8.8" http://httpbin.org/ip
{
"origin": "8.8.8.8, 123.124.125.126"
}
This is just the opposite of what is described on Wikipedia, by the way.
PHP implementation:
function getIpAddress() {
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$ipAddresses = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
return trim(end($ipAddresses));
}
else {
return $_SERVER['REMOTE_ADDR'];
}
}
这篇关于在Heroku上获取客户的真实IP地址的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
