Analysis and implementation code of five cases of obtaining real IP address of client by PHP

$_SERVER ["REMOTE_ADDR"] is commonly used in PHP fetching client IP.
(1) However, if the client is accessed using a proxy server, the IP address of the proxy server is obtained instead of the real IP address of the client. To get the client's real IP address through the proxy server, use $_SERVER ["HTTP_X_FORWARDED_FOR"] to read it.
(2) But the value of $_SERVER ["HTTP_X_FORWARDED_FOR"] is the client's true IP only if the client uses a "transparent proxy" (if it is a multi-tier proxy, the value may consist of the client's true IP and the IP of multiple proxy servers, separated by commas ",").
(3) In the case of "anonymous proxy" and "fraudulent proxy", it is the IP value of proxy server (if it is a multi-tier proxy, the value may be composed of IP of multiple proxy servers, separated by commas ",").
(4) Null in the case of "highly anonymous proxy."

With regard to the values of REMOTE_ADDR and HTTP_FORWARDED_FOR in the HTTP header information, the analysis is as follows, assuming that the real IP of the client is 221.5. 252.160:

1. PHP without proxy server to get client IP case:

REMOTE_ADDR = 221.5.252.160

HTTP_VIA= No numeric value or no display 

HTTP_X_FORWARDED_FOR =  No numeric value or not displayed 

2. Using a transparent proxy server: Transparent Proxies

REMOTE_ADDR =  Finally 1 Proxy servers  IP

HTTP_VIA= Proxy server IP

HTTP_X_FORWARDED_FOR =  Client-side reality  IP  (This value is similar when passing through multiple proxy servers: 221.5.252.160, 203.98.182.163, 203.129.72.215 ) 

This kind of proxy server still sends the real IP of the client to the access object, which cannot achieve the purpose of hiding the real identity.

3. Use the PHP of a common anonymous proxy server to get the client IP situation: Anonymous Proxies

REMOTE_ADDR =  Finally 1 Proxy servers  IP

HTTP_VIA= Proxy server IP

HTTP_X_FORWARDED_FOR =  Proxy server  IP  (This value is similar when passing through multiple proxy servers: 203.98.182.163, 203.98.182.163, 203.129.72.215 ) 

In this case, the client's real IP is hidden, but it is revealed to the accessing object that the client is accessing them using a proxy server.

4. Using a fraudulent proxy server: Distorting Proxies

REMOTE_ADDR =  Proxy server  IP

HTTP_VIA= Proxy server IP

 HTTP_X_FORWARDED_FOR =  Random  IP (This value is similar when passing through multiple proxy servers: 220.4.251.159, 203.98.182.163, 203.129.72.215 ) 

In this case, it is also revealed that the client uses a proxy server, but fabricates a fake random IP (220.4. 251.159) instead of the real IP of the client to deceive it.

5. Use PHP of the highly anonymous proxy server to get the client IP situation: High Anonymity Proxies (Elite proxies)

REMOTE_ADDR =  Proxy server  IP
HTTP_VIA= No numeric value or no display 

 HTTP_X_FORWARDED_FOR =  No numeric value or no display. 

Whether it is REMOTE_ADDR or HTTP_FORWARDED_FOR, these header messages may not be available, because different browsers and different network devices may send different IP header messages. So PHP uses $_SERVER ["REMOTE_ADDR"], $_SERVER ["HTTP_X_FORWARDED_FOR"] to get either a null value or an "unknown" value.

Another point to note when PHP gets the client IP is that the same effect can be achieved by using the function getenv ('HTTP_X_FORWARDED_FOR') or getenv ('REMOTE_ADDR'). However, getenv () does not support PHP running in isapi mode of IIS.

REMOTE_ADDR is the IP when your client "shakes hands" with your server. If anonymous proxy is used, REMOTE_ADDR displays the proxy server's IP.

HTTP_CLIENT_IP is the HTTP header sent by the proxy server. If it is "super anonymous proxy", the none value is returned. Similarly, REMOTE_ADDR will be replaced with IP for this proxy server.

$_ SERVER ['REMOTE_ADDR']; //Access (possibly user, possibly proxy) IP

$_SERVER ['HTTP_CLIENT_IP']; //Proxy-side (may exist, can be forged)

$_SERVER ['HTTP_X_FORWARDED_FOR']; //On which IP the user is using the proxy (may exist or can be forged)

PHP code written according to the above situations:

<?php

function getip() {  

 $unknown =  ' unknown';  

 if ( isset($_SERVER['HTTP_X_FORWARDED_FOR']) && $_SERVER['HTTP_X_FORWARDED_FOR'] && strcasecmp($_SERVER['HTTP_X_FORWARDED_FOR'], $unknown) ) {  

  $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];  

 } 

 elseif ( isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], $unknown) ) {  

  $ip = $_SERVER['REMOTE_ADDR'];  

 } 

}

?>