Welcome Guest, Not a member yet? Register   Sign In
Getting real IP behind a Proxy
#11

(10-09-2017, 09:03 AM)InsiteFX Wrote: I found this not sure if it will help:

PHP Code:
if (isset($_SERVER['HTTP_X_SUCURI_CLIENTIP']))
{
 
   $_SERVER["REMOTE_ADDR"] = $_SERVER['HTTP_X_SUCURI_CLIENTIP'];


That worked great, thank you very much, Turned it into a function and the IPs are coming out correctly. Now, If I only knew how to make this solved
Reply
#12

(10-09-2017, 11:45 AM)BradVH Wrote:
(10-09-2017, 09:03 AM)InsiteFX Wrote: I found this not sure if it will help:

PHP Code:
if (isset($_SERVER['HTTP_X_SUCURI_CLIENTIP']))
{
 
   $_SERVER["REMOTE_ADDR"] = $_SERVER['HTTP_X_SUCURI_CLIENTIP'];


That worked great, thank you very much, Turned it into a function and the IPs are coming out correctly. Now, If I only knew how to make this solved

This is a forum board, not a ticketing system; you don't make it "solved".

Also, a key part of your original question was that you were looking for a "secure" solution. This is not secure.
Nothing but REMOTE_ADDR is secure, and even the people from Sucuri (you've misspelled them) will tell you that.

It will be secure as long as you are behind their proxy, but then inherently insecure whenever you are not. Read this: https://stackoverflow.com/a/44134766/468027

As a rule of thumb, if you need to write actual code for this - it's not secure. Every single solution that you find or get suggestions for that uses $_SERVER['something'] or requires you to change your code is insecure. Period. That is for one simple reason - code can be deployed anywhere, environments differ, and even if it works ok for you now, that will change.

The only safe solution is to do it at the HTTP server configuration level. There you can directly set the REMOTE_ADDR value that you'll later use in your PHP code, but it is specifically configured for the current environment, and won't introduce a flaw in another deployment where you're not behind a similar proxy (because you won't have that configuration by default there).
Reply
#13

(10-10-2017, 02:13 AM)Narf Wrote:
(10-09-2017, 11:45 AM)BradVH Wrote:
(10-09-2017, 09:03 AM)InsiteFX Wrote: I found this not sure if it will help:

PHP Code:
if (isset($_SERVER['HTTP_X_SUCURI_CLIENTIP']))
{
 
   $_SERVER["REMOTE_ADDR"] = $_SERVER['HTTP_X_SUCURI_CLIENTIP'];


That worked great, thank you very much, Turned it into a function and the IPs are coming out correctly. Now, If I only knew how to make this solved

This is a forum board, not a ticketing system; you don't make it "solved".

Also, a key part of your original question was that you were looking for a "secure" solution. This is not secure.
Nothing but REMOTE_ADDR is secure, and even the people from Sucuri (you've misspelled them) will tell you that.

It will be secure as long as you are behind their proxy, but then inherently insecure whenever you are not. Read this: https://stackoverflow.com/a/44134766/468027

As a rule of thumb, if you need to write actual code for this - it's not secure. Every single solution that you find or get suggestions for that uses $_SERVER['something'] or requires you to change your code is insecure. Period. That is for one simple reason - code can be deployed anywhere, environments differ, and even if it works ok for you now, that will change.

The only safe solution is to do it at the HTTP server configuration level. There you can directly set the REMOTE_ADDR value that you'll later use in your PHP code, but it is specifically configured for the current environment, and won't introduce a flaw in another deployment where you're not behind a similar proxy (because you won't have that configuration by default there).
Thank you.
Reply




Theme © iAndrew 2016 - Forum software by © MyBB