
What's the relation between load balancer and HTTP_X_FORWARDED_FOR?

Here is my understanding of the user's IP:

The user's IP is REMOTE_ADDR. But if the user is using a proxy (like Hotspot Shield (HSS)) or a chain of proxies, then REMOTE_ADDR is the address of the proxy (not the user's IP), and the user's IP might be in other headers like these:

  • HTTP_CLIENT_IP
  • HTTP_X_FORWARDED_FOR
  • HTTP_X_FORWARDED
  • HTTP_X_CLUSTER_CLIENT_IP
  • HTTP_FORWARDED_FOR
  • HTTP_FORWARDED
  • Or maybe none of them.

So when a user uses a proxy, he is undetectable.

Question 1: Is one of those headers (above) always full? And are the rest empty?

Question 2: Is it a good idea to store both REMOTE_ADDR and one of those headers (whichever isn't empty) in different fields in the database? (I mean having two separate columns for the IP, not just one column.)


Here is my understanding of a load balancer:

It is a reverse proxy server that you use when you're running a cluster of servers. Clients connect to the load balancer, and it forwards the connection to one of the actual servers.


Theory:

If you use a load balancer, use HTTP_X_FORWARDED_FOR as user's IP.

Question 3: Why should I store HTTP_X_FORWARDED_FOR as the user's IP when there is a load balancer? I mean, what does HTTP_X_FORWARDED_FOR have to do with a load balancer?

This is all about the notion of trust and specific implementation details.

If your system trusts the proxy server (eg in a reverse-proxy situation), then you can trust the IP it passes onto you in one of those HTTP headers.

If there is no reason to trust the proxy server (eg a random internet proxy such as Hotspot Shield), then your system has no idea whether the IP passed to you is simply made up or not.

You could have a whitelist of servers you trust based on REMOTE_ADDR , and if you get a connection from one of those then you use the IP in the HTTP header instead (although probably best to log both for completeness). You may also wish to expand this so certain headers are trusted to be supplied by certain remote proxies, otherwise there may be a security flaw where a user supplies their own header as well that manages to pass through the proxy unscathed.

Is one of those headers (above) always full? And are the rest empty?

Depends on the proxy and its software implementation.

Is it a good idea to store both REMOTE_ADDR and one of those headers (whichever isn't empty) in different fields in the database? (I mean having two separate columns for the IP, not just one column.)

Yes, there is no harm in storing both - they may be useful for any audit trails.

Why should I store HTTP_X_FORWARDED_FOR as the user's IP when there is a load balancer? I mean, what does HTTP_X_FORWARDED_FOR have to do with a load balancer?

Because your load balancer should be a trusted proxy, therefore you should be able to trust the IP it provides to you.
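As an added example (not code from the question or the answer), here is the trust check the answer describes written in Python over a PHP/CGI-style $_SERVER mapping: the header is only believed when REMOTE_ADDR is one of our own proxies, and both values are kept for the audit trail. The proxy addresses and sample values are constructed, and the chain walk also handles several trusted hops in a row, which goes a little beyond the single load balancer in the answer.

```python
import ipaddress
from typing import Dict, Mapping, Set

# Constructed trust list: the load balancer / reverse proxies we operate.
# In practice this comes from configuration, not a literal in code.
TRUSTED_PROXIES: Set[str] = {"10.0.0.5", "10.0.0.6"}


def resolve_client_ip(env: Mapping[str, str],
                      trusted: Set[str] = TRUSTED_PROXIES,
                      header: str = "HTTP_X_FORWARDED_FOR") -> Dict[str, object]:
    """Pick the address to treat as the client's; keep REMOTE_ADDR and the
    raw header as separate fields so both can be stored, as the answer suggests.

    `env` mirrors $_SERVER: REMOTE_ADDR plus HTTP_* keys for request headers.
    """
    remote = env.get("REMOTE_ADDR", "")
    raw_header = env.get(header, "")
    record: Dict[str, object] = {
        "remote_addr": remote,
        "x_forwarded_for": raw_header,
        "client_ip": remote,          # default: believe only the TCP peer
        "via_trusted_proxy": False,
    }
    if remote not in trusted:
        # Untrusted peer (the user directly, or a random internet proxy):
        # the header is attacker-controlled, so it is logged but never used.
        return record

    # X-Forwarded-For is "client, proxy1, proxy2, ...": each hop appends the
    # address it saw. Walk right-to-left, skipping hops that are our own
    # proxies; the first address that is not ours is the best we can trust.
    hops = [h.strip() for h in raw_header.split(",") if h.strip()]
    for hop in reversed(hops):
        if hop in trusted:
            continue
        try:
            ipaddress.ip_address(hop)  # reject junk such as "foo" or "1.2.3"
        except ValueError:
            break                      # malformed: fall back to REMOTE_ADDR
        record["client_ip"] = hop
        record["via_trusted_proxy"] = True
        break
    return record


if __name__ == "__main__":
    # Constructed request seen behind two of our proxies (10.0.0.5 -> 10.0.0.6).
    print(resolve_client_ip({"REMOTE_ADDR": "10.0.0.6",
                             "HTTP_X_FORWARDED_FOR": "198.51.100.1, 10.0.0.5"}))
```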
