i'm using opencart on a virtual host with a dedicated ip. bank allows virtual pos queries only from dedicated ip, but server ip is used by php to communicate with bank's api. is there any way to force php to use that dedicated ip?
ps: there is a in-code solution, however i prefer more general solution like as php.ini edits.
The proper way is to bind() your connecting socket to the IP address of the interface you wish to use. This will guarantee the behavior you want. (You can set the port number to zero to have the OS choose one.)
You can also make the OS pick the interface appropriately. In fact, I'm surprised it is not. You didn't list any specific IP addresses, interface configurations, or a routing table, but if we assume your private IP is 172.16.0.222 and the bank's IP address is 172.16.0.11, then opening a connecting socket to 172.16.0.11 should use your local private IP address. If it's choosing your public address, then the OS thinks it has a route from that address to the destination. Make sure that is not the case and your problem should be fixed.
Related
I am running into an issue in relation to security and verification. I have a software that checks to confirm a user, and I need to make sure it's the same client sending a PHP request and a node server request. However, on the node server, the client's IP is shown in IPv4, and on the PHP it is shown in IPv6. Is there any way I can get the same output somewhere, for example extract the IPv6 on the node server, or the IPv4 on the PHP server? Thanks.
Obtaining the same IP or verifying that it is the same client despite a "different" IPv4 and IPv6
The problem is that IPv6 and IPv4 are not coupled in any way. There's no way to deduce a v6 address from the v4 address or the other way around.
In my humble opionion, verifying users by their IP addresses is something you should avoid as IP addresses are spoofable, and the practice leads to these kind of issues. That said, there are a couple of "solutions".
Disable IPv6 on the webserver that's hosting the PHP application. Since you haven't mentioned which type of webserver this is, you should be able to google something like 'disable ipv6 apache' on how to achieve this. This should garantuee an identical IPv4 address on both servers. I personally don't particularly like this solution as it hinders IPv6 adoption.
Enable IPv6 on the node server. Please note that clients can still prefer IPv4 over IPv6 for any reason at all and there's no way to garantuee that it will use IPv6 to both webservers.
You could proxy all calls from one webserver to the other and pass the original IP in for example an 'X-Forwarded-For' header. This will introduce some overhead, but the source IP will be stabler.
Personally, I'd shy away from using the IP address and implement some sort of token stored on the client that can be verified on both servers by means of a shared database if that is an option.
I want to get the Client Ip with PHP.I allready known that i can get the Ip with $_SERVER['REMOTE_ADDR'];. But when i post this value in an Database or remember this IP, next day the client adresse is something else and not the same which yesterday.
I allready tried to work with $_SERVER['REMOTE_ADDR']; but the Ip change every day
Yes, IPs change. That’s the nature of most residential internet connections. Only a comparatively small number of connections have static IPs. IP addresses are an implementation detail of a data routing mechanism, they’re not permanent or unique identifiers.
The person controlling the HTTP client would need to run it through an Internet connection with a static IP address. To get one they would need to either use an Internet Service Provider that provides static IP addresses by default or one which provides them as an optional extra (and then take that option).
Then they would have to ensure they didn't use a different Internet connection to make a request in the future (e.g. by using their laptop in a coffee shop instead of at home, or connecting from their phone while connected via cellular broadband).
They could also use a proxy server that was connected using a static ip. The requests would be relayed via the proxy and that its IP address would be used to connect to the server running the PHP.
Actually I make my first steps on sockets, with PHP, locally.
In my hosts, I have a virtual domain named chat.dev.com.
I have seen a lot of examples by IP... but is it possible to call a specific local subdomain, please, rather than my 127.0.0.1?
Sockets are identified by a combination of an IP address and a port. In order to try to connect to a DNS, as you seem to imply, you first need to make a DNS lookup for that specific host, get its associated IP address and then connect.
Php has a function for this, please look at http://php.net/manual/en/function.dns-get-record.php
Is there a safe way, to identify a device which might be behind a Router (so the IP is not unique) in PHP?
Background: I have several embedded devices (self programmed & adaptable) which contact a webserver (php+mysql) with status updates. These updates are then - if the source is confirmed - saved to the database.
As I understand it $_SERVER['REMOTE_ADDR'] usually can be trusted (except some IIS configuration where it may - under special circumstances - wrongfully return 127.0.0.1; but different story)
Anyhow since I use SSL, the IP address really should not be a problem, because there a handshake is required and if the IP is faked or simply wrong, the connection should not be established
For now I require IP addresses to be whitelisted by admin, for an status update to be acceppted
The device additionally sends the MAC address via $_POST to identify the different modules with identical IP address (I know this can very easily be forged, and right now will be trusted if the IP address is trusted)
So first of all I am not sure if the IP address in itself is enough for it to be safe from attacks from the outside
Secondly if the device is behind a router, it will have the same IP address as every PC/device on that network. So about anyone there could forge a status update with a fake MAC address (simply as post variable), and since the IP address is whitelisted it will be trusted
So is there any way of confirming the identity of a device, or do you know a better way of doing this?
Aside: Going the other way, and have the webserver poll the different devices might be an option, but since there might be many (> 2000) devices of which we need the very last status (change) I thought it to be inefficient.
IP addresses can be spoofed, MAC addresses can be forged, so theses methods are not sufficient. The general approach is to assign a key to each client device (possibly the same key to all devices, even if this probably a bad idea). The "key" can be anything from a predefined string (weak, think username/password) to a signed certificate (strong, think SSL).
Both can be implemented either at the application level (by PHP) or at server level. If your application runs on Apache httpd server, I would rather recommend using its built-in features as it supports both approaches.
I have an existing php web application, I'm on IPv4, how can I fake IPv6 address to test the application compatibility with it? or is there a better way to test IPv6 compatibility?
Update:
My application log the ip of the user when he's making certain actions. The IP addresses are stored in the database (from another question I can understand that BINARY is the best column type). The application should also be possible to search by IP.
I want apache / php to work as if I were using IPv6, I need to be sure my application compatibility with IPv6 is ready for production on both IPv4 networks + IPv6 networks.
I agree with Topener; don't worry about it, your website will run fine with IPv6.
You don't need to worry about apache or PHP either, they will run fine.
You should only care about storing IPv6 addresses in a database etc.
Make sure you can store them in a proper way and that your database can handle an IPv6 address.
You can simply change $_SERVER['REMOTE_ADDR'] to an IPv6 address:
echo $_SERVER['REMOTE_ADDR']; // will give you your current IP (probaply IPv4)
// change the REMOTE_ADDR to an IPv6 address
$_SERVER['REMOTE_ADDR'] = '3ffe:6a88:85a3:08d3:1319:8a2e:0370:7344';
You can find additional information about storing IPv6 addresses into a database here:
How to store IPv6-compatible address in a relational database
Your website will run fine with IPv6. The only thing you need to test is, if you are storing IPv6, or logging of some kind, you should store it properly. To fake this, just enter some variable and put it to the database, or whatever you want to do with it.
An example: 2001:db8::1:0:0:1 and 2001:0DB8:0:0:1::1 and fe80::202:b3ff:fe1e:8329
Otherwise, don't worry about it!
If your application logs IP addresses then make sure that the fields to store them are big enough. Make sure that any application that processes those logs knows how to deal with IPv6 addresses. If you need to search for addresses by block/range you should use appropriate storage types for that. If you do access control based on IP address then it becomes a bit more difficult because IPv6 clients might change their source address often when they have privacy extensions enabled, so you might want to allow access per /64 instead of per separate address.
And most important: test, test, test :-)
Also note that for comparing IPv6 adresses, string comparison is not enough. There are different representations of the same IP adress, for example 2001:0DB8:0:0:1::1 is the short form of 2001:0db8:0000:0000:0001:0000:0000:0001.