Get the IP of the website the client is using to request the data

I'm trying to only allow certain IPs to use a PHP resource. I've tried using the server referer, but I've sadly experienced that it can be easily spoofed, as it's a client header and it can be easily modified.

I want the resource to be accessible from a website, but the IP from the client visiting the website is not the same IP from the one the website has. This means that the client shouldn't be able to access the resource directly via the browser or curl, but it should be allowed if done via a website.

I guess I can use some of these $server keys:

'HTTP_CLIENT_IP','HTTP_X_FORWARDED_FOR','HTTP_X_FORWARDED','HTTP_FORWARDED_FOR','HTTP_FORWARDED','REMOTE_ADDR'

But I have no idea which one to use in order to get the website IP to see if it matches with the expected and which one returns the IP of the client.

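What I've tried, but it doesn't work because it can be spoofed:

public function getHost()
{
    // HTTP_REFERER is a client-supplied header: it may be missing or forged.
    $referer = $_SERVER['HTTP_REFERER'] ?? '';
    $host = parse_url($referer, PHP_URL_HOST);
    if (is_string($host) && $host !== '') {
        return gethostbyname($host); // returns the referer's IP
    }
    return null; // no usable Referer header
}

It's clear that getHost() should return one of the keys mentioned above, but I'm not sure which one.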

Thank you in advance

Wanted to test if @deceze was right, so I did some testing.

Left: local, right: same host

Left: local, right: cross-site


So, sadly, he is. There is no way to check that using $_SERVER, and the referer is not reliable. Solution: perform the JS requests from your server directly and inject them as content, showing pre-rendered data.
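
An added example, not part of the original post: a minimal allow-list check for the server-to-server setup the post ends on, where the website's backend (not the visitor's browser) calls the resource. It relies only on REMOTE_ADDR, which the web server fills in from the TCP connection, and ignores every HTTP_* key because those are copied from request headers. The function names and the documentation-range addresses are assumptions, and it assumes no reverse proxy sits in front of the PHP resource.

```php
<?php
declare(strict_types=1);

// Constructed allow-list: addresses of the website's own server
// (documentation-range placeholders, not real hosts).
const ALLOWED_CALLERS = ['203.0.113.10', '2001:db8::10'];

// Hypothetical helper: return the TCP peer address, or null if unusable.
// Only REMOTE_ADDR is consulted; HTTP_CLIENT_IP, HTTP_X_FORWARDED_FOR,
// HTTP_REFERER and the other HTTP_* keys are sender-controlled headers.
function peerAddress(array $server): ?string
{
    $addr = $server['REMOTE_ADDR'] ?? '';
    return filter_var($addr, FILTER_VALIDATE_IP) !== false ? $addr : null;
}

// Hypothetical helper: true only when the peer is on the allow-list.
function isAllowedCaller(array $server, array $allowed = ALLOWED_CALLERS): bool
{
    $peer = peerAddress($server);
    if ($peer === null) {
        return false; // fail closed when the address is missing or malformed
    }
    $peerBin = inet_pton($peer); // binary form, so IPv6 spellings compare equal
    foreach ($allowed as $ip) {
        if (inet_pton($ip) === $peerBin) {
            return true;
        }
    }
    return false;
}

// Constructed sample requests, shaped like $_SERVER.
$samples = [
    'backend call from the website' => ['REMOTE_ADDR' => '203.0.113.10'],
    'visitor browser, headers set by the client' => [
        'REMOTE_ADDR'          => '198.51.100.7',
        'HTTP_X_FORWARDED_FOR' => '203.0.113.10',
        'HTTP_CLIENT_IP'       => '203.0.113.10',
        'HTTP_REFERER'         => 'https://allowed-site.example/page',
    ],
];

foreach ($samples as $label => $server) {
    printf("%-45s %s\n", $label, isAllowedCaller($server) ? 'allow' : 'deny');
}
```

In the real endpoint the check would be `isAllowedCaller($_SERVER)`, followed by `http_response_code(403)` and an early exit on failure.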
