Friday, April 22, 2016

How to get LAN IP when there is a reverse proxy server

In case of IPv4 most client addresses are masked behind NAT, on your server side you ONLY see the globally routable address which is the router's own global address.
In case of IPv6 the local address for all intents and purposes will be the same as the global one, so you'll find that in $_SERVER['REMOTE_ADDR'].
That being said, I'd also like to caution you against using the X-Forwarded-For header for ANYTHING unless it comes from a trusted source (e.g. your own reverse proxy). The client can set this header to an arbitrary value and can cause some funny or even dangerous bugs to be triggered.
On a practical note I'd like to add that using the IP address to limit how many times one can vote is a somewhat broken practice since I rent at the moment a block of 16 IP addresses and I know people who can get their hands on a full C-sized block (255 addresses) and you'll be blocking lots of people behind provider NAT's and such. In case of IPv6 everyone will have billions of addresses anyway, so the whole concept of IP blocking will be a lot more broken.
I recommend you tie the voting to something a bit more stable like phone number or e-mail registration if possible.


No comments: