How to Use Http_X_Forwarded_For Properly

What is the difference between HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR?

Neither of these headers is officially standardised. Therefore:

  1. What is the difference between HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR? - it is impossible to say. Different proxies may implement these, or may not. The implementations may vary from one proxy to the next, and they may not. A lack of a standard breeds question marks.
  2. Why would one have different values than the other? - See point 1. However, from a purely practical point of view, the only reason I can see for these having different values is if more than one proxy was involved - the X-Forwarded-For: header might then contain a complete track of the forwarding chain, whereas the Client-IP: header would contain the actual client IP. This is pure speculation, however.
  3. Where can I find resources on the exact definition of these headers? - You can't. See point 1.

There does seem to be some kind of de-facto standard regarding the X-Forwarded-For: header, but given that there is no RFC that defines it, this cannot be relied upon (see comment below).

As a side note, the Client-IP: header should by convention be X-Client-IP: since it is a 'user-defined' header.

HTTP_X_FORWARDED_FOR gives two part IP?

The X-Forwarded-For header contains a comma-separated list of IPs. Each time the request goes through a proxy, the IP address of the machine sending it to the proxy is supposed to be appended to the list.

In your case it appears the second IP address has been truncated, probably by your load balancer or web server assuming it contained only one IP and had a certain short maximum length.

NOTE: There may have been more than 2 IPs in the original, and the client could have forged some or all of the first part that you see. So you really need that bug to get fixed.

Why HTTP_X_FORWARDED_FOR shows some ip address in my server

X-Forwarded-For is typically inserted for a number of reasons.

  1. If your server is behind a reverse proxy, it's common for that reverse proxy to insert X-Forwarded-For in order to identify the original client IP to the back-end server.

  2. If the client is behind a corporate proxy (common), that proxy may be inserting X-Forwarded-For for any number of reasons. It's typically frowned upon, since it effectively leaks internal IP addresses, but it commonly happens if there are several chained proxies in use at the site.

  3. If the client is behind an open proxy hosted on the internet that proxy may be inserting the header.

Proxies should also be adding the Via header, but they commonly don't.

$_SERVER['REMOTE_ADDR'] not giving the right ip address

<input type="hidden" name="ip" value="<?php echo $_SERVER['REMOTE_ADDR']; ?>" />

Don't do that. Get the request from $_SERVER when the form is submitted. Getting it when the form is generated and storing it in the form just gives people the opportunity to change it.
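The following is an added example, not code from any of the answers above. It pulls together the points made in the X-Forwarded-For answers (the comma-separated chain, forged or leaked entries on the left, truncation by your own proxy, headers that appear only because something in the path added them) and the last answer (read the address from the server variables at submission time, never from a hidden form field). The dictionaries stand in for PHP's $_SERVER and $_POST; the variable names REMOTE_ADDR, HTTP_X_FORWARDED_FOR and HTTP_CLIENT_IP are the same CGI names PHP uses. The trusted proxy ranges, the sample addresses and the tampered form value are all constructed for the example.

```python
# Added example, not code from the original Q&A. Derives a client address
# from $_SERVER-style variables when the app sits behind known reverse
# proxies, and shows why the address is taken from those variables at
# submission time rather than from a hidden form field.
import ipaddress

# Assumed trusted reverse-proxy ranges for this example (hypothetical).
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
]


def parse_forwarded_for(header):
    """Split an X-Forwarded-For value into its comma-separated entries.

    Order is preserved: leftmost is what the first proxy claims to have seen,
    rightmost is the proxy that handed the request to us. Entries that do not
    parse as IP addresses (e.g. a truncated "203.0.113") are kept as plain
    strings so the caller notices the damage instead of silently dropping it.
    """
    entries = []
    for part in header.split(","):
        part = part.strip()
        if not part:
            continue
        try:
            entries.append(ipaddress.ip_address(part))
        except ValueError:
            entries.append(part)
    return entries


def is_trusted_proxy(addr):
    """True if addr is an IP address inside one of our own proxy ranges."""
    if isinstance(addr, str):
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(server):
    """Best-effort client address from a $_SERVER-like dict.

    * If REMOTE_ADDR is not one of our proxies the request came in directly,
      so every forwarding header is ignored: anyone can send them.
    * Otherwise walk X-Forwarded-For from the right, skipping our own proxies.
      The first foreign address is the client; everything left of it was
      supplied by the untrusted side and is only a claim (a leaked internal
      address from a corporate proxy, or an outright forgery).
    * A malformed rightmost entry means the header was truncated or mangled
      in our own path; fall back to the connecting proxy's address rather
      than storing garbage.
    * Client-IP / X-Client-IP is never consulted: nothing we control sets it.
    """
    remote = ipaddress.ip_address(server["REMOTE_ADDR"])
    if not is_trusted_proxy(remote):
        return str(remote)
    chain = parse_forwarded_for(server.get("HTTP_X_FORWARDED_FOR", ""))
    for hop in reversed(chain):
        if isinstance(hop, str):
            return str(remote)
        if not is_trusted_proxy(hop):
            return str(hop)
    # Header absent or containing only our own proxies.
    return str(remote)


def record_submission(server, post):
    """Handle a form POST the way the answer above recommends.

    Any hidden "ip" field is discarded: it was filled in when the form was
    rendered and the user could edit it before submitting. The stored
    address comes from the server variables of the submitting request.
    """
    claimed = post.get("ip")
    actual = client_ip(server)
    return {
        "claimed": claimed,
        "stored": actual,
        "tampered": claimed is not None and claimed != actual,
    }


if __name__ == "__main__":
    # Constructed scenario: our reverse proxy 10.0.0.5 forwards a request that
    # already carried a leaked internal address in X-Forwarded-For, and the
    # user has edited the hidden field before submitting.
    server = {
        "REMOTE_ADDR": "10.0.0.5",
        "HTTP_X_FORWARDED_FOR": "192.168.1.20, 198.51.100.7, 10.0.0.6",
    }
    print(record_submission(server, {"ip": "203.0.113.1"}))
```

The walk from the right is the part that matters: the only entry you can vouch for is the one appended by a proxy you operate, so anything to the left of the first foreign address is untrusted input and should be logged as a claim at most, never used for access control or rate limiting.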

Does this IP address normally happen when I use it in a localhost (XAMPP)?

Yes. Getting the local IP (IPv6) address is normal when you request a page from localhost.
