
How to identify whether an HTTP request is from a browser or from a proxy server (or server)?

I have a server that takes HTTP requests and returns JSON data. How does my server know whether the HTTP request is from a client browser and not from a server? Especially if traffic may be proxied from a client to another server, and that server then makes a call to my server.

I know I can check the HTTP headers for User-Agent, Remote-Addr, etc., but that is not secure. People can fake the HTTP request headers.

What other tricks can I use to identify the incoming request?

There is no way for you to know. "Anonymous proxies" will not have the X-Forwarded-For header. Some IRC servers will port scan clients as they connect, looking for common proxy server ports like 8080, 3128, etc. You could hack up a tool like YAPH to look for proxies on people connecting to you. But it won't pick up phpproxy, or proxies running on strange ports.

This is an uphill battle, and it's why hackers use them. If this is a problem, perhaps you should reevaluate your business model or how your application functions.

If you're able to check for headers, you'll be able to see X-Forwarded-For, which will tell you the IP of the "real" request. Legitimate proxies utilize this header.

For browsers, the User-Agent header is what you'll be interested in. Popular browsers and crawlers will utilize this header.

That said, those headers can be faked or omitted. There is no single way to determine the "real" factor of incoming requests. It's best to incorporate as many headers, patterns and behaviors as possible to determine the legitimacy of a request.
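The answer above mentions X-Forwarded-For and User-Agent but also that both can be faked. The following is an added example, not code from either answer, showing how a server can use those headers safely on the receiving side: X-Forwarded-For hops are believed only when the socket peer is one of our own reverse proxies (the addresses in TRUSTED_PROXIES are constructed placeholders), the chain is walked from the right so a client-supplied prefix is ignored, and the User-Agent check is reported as a hint rather than a verdict. The sample requests are constructed as well.

```python
import ipaddress
from typing import Mapping

# Constructed example values: the addresses of reverse proxies or load
# balancers that we operate. Only these peers may add X-Forwarded-For hops
# we are willing to believe; any other peer's X-Forwarded-For is ignored.
TRUSTED_PROXIES = frozenset({
    ipaddress.ip_address("10.0.0.5"),
    ipaddress.ip_address("10.0.0.6"),
})

# Substrings common in browser User-Agent strings. A hint only: any client
# (curl, a script, a bot) can send exactly the same string.
BROWSER_UA_MARKERS = ("Mozilla/", "Chrome/", "Safari/", "Firefox/", "Edg/")


def resolve_client_ip(peer_ip: str, xff: str, trusted=TRUSTED_PROXIES) -> str:
    """Walk the X-Forwarded-For chain from the right (nearest hop first).

    Each proxy appends the address it saw, so the right-most entries were
    written by the proxies closest to us. We skip hops that are our own
    trusted proxies and stop at the first address that is not; that is the
    best-supported claim of the client address. If the socket peer itself is
    untrusted, the loop returns it immediately and the header is never used.
    """
    hops = [h.strip() for h in xff.split(",") if h.strip()] + [peer_ip]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Malformed entry written by something we trusted: do not guess,
            # fall back to the address we actually have a socket to.
            return peer_ip
        if addr not in trusted:
            return str(addr)
    # Every hop was one of our proxies (e.g. a health check); use the peer.
    return peer_ip


def classify_request(peer_ip: str, headers: Mapping[str, str]) -> dict:
    """Summarise what the headers let us say about the request's origin."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    ua = h.get("user-agent", "")
    return {
        "client_ip": resolve_client_ip(peer_ip, h.get("x-forwarded-for", "")),
        "via_trusted_proxy": ipaddress.ip_address(peer_ip) in TRUSTED_PROXIES,
        "forwarded_for_present": "x-forwarded-for" in h,
        "browser_like_ua": any(m in ua for m in BROWSER_UA_MARKERS),
        # Real browsers send these on navigations; their absence is a weak signal.
        "missing_browser_headers": [n for n in ("accept", "accept-language") if n not in h],
    }


# Constructed sample requests: (peer address as seen on the socket, headers).
SAMPLE_REQUESTS = {
    "browser_via_our_proxy": ("10.0.0.5", {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0",
        "Accept": "application/json",
        "Accept-Language": "en-US",
        "X-Forwarded-For": "203.0.113.9",
    }),
    "spoofed_xff_direct": ("198.51.100.7", {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0 Safari/537.36",
        "X-Forwarded-For": "127.0.0.1",   # client-supplied; must be ignored
    }),
    "script_via_two_proxies": ("10.0.0.5", {
        "User-Agent": "curl/8.4.0",
        "X-Forwarded-For": "203.0.113.9, 10.0.0.6",
    }),
}

if __name__ == "__main__":
    for name, (peer, hdrs) in SAMPLE_REQUESTS.items():
        print(name, classify_request(peer, hdrs))
```

The design point is that the socket peer address is the only value the server actually observes; everything in X-Forwarded-For is a claim, and the walk-from-the-right rule means a client that connects directly and sends its own X-Forwarded-For gains nothing. The User-Agent and Accept checks only feed a score; they never decide on their own.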
