vectorface / whip
A PHP class for retrieving accurate IP address information for the client.
License: MIT License
Hi,
Instead of Whip::IPV4 make it \Vectorface\Whip\IpRange\IpWhitelist::IPV4; same changes for IPV6.
Since the last update, the extractAddressFromHeaders method is always returning false. I'm working on a fix and will open a PR soon.
If a user is using an anonymous proxy, where the IP header has multiple IP addresses
$_SERVER["HTTP_X_FORWARDED_FOR"] = '1.2.3.4, 2.3.4.5'
is it possible to return those IPs and not only one?
In the implementation, the option CLOUDFLARE_HEADERS checks HTTP_CF_CONNECTING_IP, which can be injected into the HTTP request by an attacker.
Reference:
Line 72 in daa06ba
It's worth mentioning in the documentation.
The proper way to do it is to check the CF IP list with all masks. The IPs are available on the website:
https://www.cloudflare.com/ips/
What would happen if the following were done:
I have WHIP set up with a custom reverse proxy which uses a header called "HTTP_X_FORWARDED" for the client's real IP address.
So let's say Bob sends a normal HTTP request from the IP address 1.1.1.1 through the reverse proxy (which is whitelisted, and the PROXY_HEADERS mask is enabled).
The reverse proxy would pass along the 1.1.1.1 fine, and then WHIP would see it and correctly tell that the IP address is 1.1.1.1.
Now Bob sends an extra header with the following: "HTTP_CLIENT_IP: 2.2.2.2"
Would WHIP not see HTTP_CLIENT_IP: 2.2.2.2 before it saw "HTTP_X_FORWARDED: 1.1.1.1" and therefore assume (wrongly) that the client's IP address is 2.2.2.2?
If so, a possible fix could be to parse all the headers in PROXY_HEADERS and check if they're all equal; if not, the request is probably malicious, and WHIP should throw an exception.
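The two reports above (a forged HTTP_CF_CONNECTING_IP on a direct connection, and an extra HTTP_CLIENT_IP sent through a whitelisted proxy) share one defensive answer, shown here as an added example that is not whip's own code: honour a client-IP header only when REMOTE_ADDR falls inside a trusted-proxy range, and consult only the header that proxy is known to set, so a second injected header is never read at all. The function names, the 10.0.0.0/8 proxy range and the 203.0.113.0/24 stand-in for Cloudflare's published list are assumptions; the comma-separated chain from the earlier question is kept in $chain, with only the entry the trusted proxy appended being used.

```php
<?php
// Added example (not whip's own code): honour a client-IP header only when the TCP
// peer (REMOTE_ADDR) is a trusted proxy, and read only the header that proxy sets.
/** True if $ip lies inside $cidr (IPv4 or IPv6; without "/bits" it is an exact match). */
function cidrContains(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = inet_pton($ip);
    $netBin = inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // invalid address, or IPv4 compared against IPv6
    }
    $bits = $bits === null ? strlen($ipBin) * 8 : (int) $bits;
    for ($i = 0; $i < strlen($ipBin) && $bits > 0; $i++, $bits -= 8) {
        $mask = $bits >= 8 ? 0xFF : (0xFF << (8 - $bits)) & 0xFF;
        if ((ord($ipBin[$i]) & $mask) !== (ord($netBin[$i]) & $mask)) {
            return false;
        }
    }
    return true;
}

/** Client IP, or null if nothing trustworthy exists. $trusted lists the CIDRs of proxies
 *  allowed to set $header; of a comma-separated chain only the LAST entry counts, because
 *  the trusted proxy appended that one and everything before it is unverified. */
function trustedClientIp(array $server, array $trusted, string $header): ?string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    $viaTrustedProxy = false;
    foreach ($trusted as $cidr) {
        if (cidrContains($peer, $cidr)) { $viaTrustedProxy = true; break; }
    }
    if (!$viaTrustedProxy) {
        return $peer; // direct connection: every IP header is client-controlled, so ignore them
    }
    if (empty($server[$header])) { return null; } // trusted proxy set no header: fail closed
    $chain = array_map('trim', explode(',', $server[$header]));
    $last  = end($chain);
    return filter_var($last, FILTER_VALIDATE_IP) !== false ? $last : null;
}

// Constructed requests: 10.0.0.0/8 stands in for the custom reverse proxy, and
// 203.0.113.0/24 is a placeholder for the ranges published at https://www.cloudflare.com/ips/.
$bob   = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED' => '1.1.1.1', 'HTTP_CLIENT_IP' => '2.2.2.2'];
$spoof = ['REMOTE_ADDR' => '24.24.24.24', 'HTTP_CF_CONNECTING_IP' => '1.1.1.1'];
echo 'Bob via the proxy: ', trustedClientIp($bob, ['10.0.0.0/8'], 'HTTP_X_FORWARDED'), PHP_EOL;
echo 'Direct, forged CF header: ', trustedClientIp($spoof, ['203.0.113.0/24'], 'HTTP_CF_CONNECTING_IP'), PHP_EOL;
```

This takes a stricter route than "check that all proxy headers agree": the injected HTTP_CLIENT_IP is simply never looked at, and the forged Cloudflare header is ignored because the peer is not in the Cloudflare ranges.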
Is it possible to add the ability to get IP addresses from behind an nginx proxy?
[HTTP_X_REAL_IP] => 80.235.6.194
[HTTP_X_FORWARDED_FOR] => 80.235.6.194
[HTTP_X_FORWARDED_PROTO] => https
[HTTP_HOST] => oidprovider.com
[HTTP_CONNECTION] => close
[HTTP_UPGRADE_INSECURE_REQUESTS] => 1
[HTTP_USER_AGENT] => Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
[HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
[HTTP_SEC_FETCH_SITE] => none
[HTTP_SEC_FETCH_MODE] => navigate
[HTTP_SEC_FETCH_USER] => ?1
[HTTP_SEC_FETCH_DEST] => document
[HTTP_ACCEPT_ENCODING] => gzip, deflate, br
[HTTP_ACCEPT_LANGUAGE] => en-US,en;q=0.9,et;q=0.8,fi;q=0.7
[HTTP_COOKIE] => PHPSESSID=nlb325t04th0t2g0377bfp4ehf
[PATH] => /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
[LD_LIBRARY_PATH] => /usr/local/apache2/lib
HTTP_X_REAL_IP is one of the headers used to pass the real user IP. Is it supported? There is nothing in the docs.
Hi, @jdpanderson made a very, very good fix: #14 on May 17.
But the latest version from packagist is still without this pull request.
Can you please update the patch version for packagist.org?
Hi,
I would like to use your lib, but I am getting unexpected results:
$_SERVER = array(
'REMOTE_ADDR' => '24.24.24.24',
'HTTP_CF_CONNECTING_IP' => '1.1.1.1'
);
$whip = new Whip( Whip::CLOUDFLARE_HEADERS || Whip::REMOTE_ADDR );
echo $ip = $whip->getIpAddress(); //would expect 1.1.1.1
also this should not return false:
$_SERVER = array(
'HTTP_CF_CONNECTING_IP' => '1.1.1.1'
);
$whip = new Whip( Whip::CLOUDFLARE_HEADERS || Whip::REMOTE_ADDR );
echo $ip = $whip->getIpAddress();
this works:
$_SERVER = array(
'HTTP_CF_CONNECTING_IP' => '1.1.1.1'
);
$whip = new Whip( Whip::CLOUDFLARE_HEADERS);
echo $ip = $whip->getIpAddress();
Hi,
First, thank you for developing this package.
We use this package in the wp-statistics WordPress plugin in the new version.
https://wordpress.org/plugins/wp-statistics/
Problem:
For one of our users, the $_SERVER is:
We also use your package in the plugin like this:
$whip = new \Vectorface\Whip\Whip( Vectorface\Whip\Whip::PROXY_HEADERS | Vectorface\Whip\Whip::REMOTE_ADDR );
$user_ip = $whip->getValidIpAddress();
The real client IP is: 51.255.84.122
$user_ip returns an empty string for this user.
Please help me.