I'm using $_SERVER['REMOTE_ADDR']; to get the IP of the visitors. I don't care if they are behind a proxy, VPN, etc; I need a measure of IP that can't be manipulated by the end-user.
For some users, $_SERVER['REMOTE_ADDR']; is not returning the right IP -- it is returning one of Google's IPs instead, such as 64.233.173.164.
I confirmed this by asking one user to check their IP by checking here and their IP turned out to be different than what $_SERVER['REMOTE_ADDR']; showed.
How is that possible?
UPDATE: I've talked to the specific user in question and he said he is NOT using Google Translate. Why else would a Google IP show in REMOTE_ADDR?
I don't care if they are behind a proxy, VPN, etc;
You have to, if they are using a VPN, or a proxy, or NAT then $_SERVER['REMOTE_ADDR'] will contain that ip and not of the user, and that is what you're getting.
UPDATE: I've talked to the specific user in question and he said he is NOT using Google Translate. Why else would a Google IP show in REMOTE_ADDR?
That Google IP you have mentioned in your OP belongs to google-proxy-64-233-173-164.google.com which is the proxy that this visitor's computer or ISP is using
If you were to check HTTP_X_FORWARDED_FOR or HTTP_CLIENT_IP You would get that information
Related
I'm working on a API project that depends partialy from $_SERVER['REMOTE_ADDR'] (like 50%).
My API checks the IP of client first and then checks the token, and i want to know if should i worry about getting this IP from this global variable.
can the client some how "forge" this?
i know that VPN can camouflage the IP, but thats not a problem since he will not getting access anyway.
Due to the three way handshake of TCP/IP - $_SERVER['REMOTE_ADDR'] cannot be spoofed. There is (however) no guarantee that this is the IP address of the end user. He may be behind proxy or VPN. What you can guarantee with $_SERVER['REMOTE_ADDR'] is that the machine which is directly connected to you has this exact IP and it is real.
So why am I need my own ip by using get content? I want to use some tv channels which is m3u8 file and using m3u8?wmsAuthSign=code
wmsAuthSign code is changing everytime the page refresh it self and they are getting ip adrress inside of that code.
So i can't play the tv channel by my servers ip !
the code i gave down below is just an example :D
<?php
$myURL = "https://whatismyipaddress.com/ip-lookup";
$lines = file($myURL);
echo $lines[145];
?>
Is there any way that i can change it to my one ip adresse?
If you mean the client (browsers) IP:
That code is being executed on your server, so the machine fetching that URL is your server. The response then has your server's IP address.
If you want to get the IP address of the user that's accessing the server, you could use some of the $_SERVER variables (like $_SERVER['REMOTE_ADDR']) but due to the way the internet works, that may not be the user's IP address.
Your best bet there is to use javascript that runs on the user's browser to identify the user's IP address - though, since that is really under the user's control, you can't be certain it's accurate either.
If you mean you're getting the IP of a different server, not your web server: the method you're using only determines the IP address of the server acting as a gateway to the greater internet. If your web server is behind a firewall, you'll be getting the IP of the firewall. You may want to identify the web server's local IP address instead.
Because the server is executing the PHP code and is requesting the website, if you want to get the IP address of the current user see How to get the client IP address in PHP?
I need to get my users IP address'.
I found this article How to get Client Ip Address in Laravel 5.1?
The above mentioned article uses the Request::ip();
However, this method returns my servers IP address. From what I can understand from other sources, this happens when the site is localhost - but the site is hosted and is live on a server.
This site is live and online, but it might refer to localhost, as the site might be sitting on its own server (I dont have any experience in server config to know if this is true or not, just a guess).
When I connect to the DB Host, I do so using localhost referencing as well, and not something like mysql.phpmyadmin.hosting.com as DB Host. Therefore, my guess is, that the Request::ip(); returns the server ip, because the site somehow is sitting localhost.
However, if I use $_SERVER['HTTP_X_FORWARDED_FOR']; I get the correct IP address.
Now to my final question: Is this safe to use? Is there another way to use a Laravel function to make this request?
From what I can understand, the $_SERVER['HTTP_X_FORWARDED_FOR']; can have security holes, according to How to get the client IP address in PHP?.
Can I use $_SERVER['HTTP_X_FORWARDED_FOR']; safely without worrying? If not, what other way could I go, to get the users IP address safely?
The risk with X-Forwarded-For is that a user could create the header themselves, and thus pass along any IP they wish.
The solution is to only trust the header when REMOTE_ADDR is that of your trusted proxy. There's a Laravel package that lets you enforce this restriction.
I have website and have one page for receiving some news (newly registered users, activity, etc.) and is restricted for everyone except for my IP (Page for only me to view).
I'm interested if there is a way that someone else can "fake" my IP and view this file?
P.S. I am aware of other ways of doing this.
Usually, you dont get fixed IPs, most provider give dynamic IPs. So if you restart your Router, your IP will change and make it impossible to access the page again. If you get a fixed IP, it should work. He can ofc. modify the IP, but then he wont get the response back.
Converting my comments to an answer.
It depends on how you are trying to get the client's IP address. If you are:
only using $_SERVER['REMOTE_ADDR'] to get the ip address
don't have a shared ip address
don't use a (shared) proxy
You should be just fine, because a possible attacker can technically spoof the ip address, but that would not work because, (as Andrey) rightfully pointed out to me the tcp handshake would simply fail.
Some caveats:
Your IP may change at some point effectively locking yourself out.
When you are behind a proxy / internal -> external router / vpn / otherwise shared ip other people in the same network might also have access
Never ever ever use $_SERVER['HTTP_X_FORWARDED_FOR '] because this can be spoofed easily.
Is there any alternative to the $_SERVER['REMOTE_ADDR']. Which returns the ip address of the computer accessing a site.
I'm trying to search about same external ip assigned by router, and got into this:
How do two computers connect to same external address through NAT?
And found out that the same external ip is assigned if the computers are connected to the same modem.
I'm creating a simple login program in php which uses $_SERVER['REMOTE_ADDR'] to determine if a user is already logged in somewhere else in the same network. And this won't actually work if those computers are connected to the same modem through the router.
No, this is the best you can do. The server only knows where the request is coming from, and that may be a proxy or a NAT router or some other entity which is not the direct enduser. There's nothing you can do about that, that's how networks work.
The solution is simple: Don't use IPs to identify users. Ever. Use cookies.
Using a more traditional cookie based login solves this. The browser identifies the user by providing a unique token. Ip, as you have discovered, is not unique.