is http_x_forwarded_for safe?
In requests, is it able to modify the http_x_forwarded_for with fake ip?
Can hackers do that?
是http_x_forwarded_for安全吗?在请求中,是否能够使用假ip修改http_x_forwarded_for?黑客可以这样做吗?
2 个解决方案
#1
0
Due to the way IP networks work, there is no way to tell the actual IP address of a client connecting to your server. The question even doesn't make sense. If NAT is used on the network, which IP would you want to see as client IP, the internal (local) one on the NATed network, or the first public IP? What would you gain from the latter, when whole internet provider companies work with client networks behind a nat (although this is getting less common)?
由于IP网络的工作方式,无法分辨连接到服务器的客户端的实际IP地址。这个问题甚至没有意义。如果在网络上使用NAT,您希望将哪个IP视为客户端IP,NATed网络上的内部(本地)IP,还是第一个公共IP?当整个互联网提供商公司与nat背后的客户网络合作时,你会从后者中获得什么(虽然这种情况越来越不常见)?
You need to acknowledge that in an IP network, traffic passes through many nodes, some of which may change the apparent IP address of a request. These include NAT servers and proxies of different sorts, and you have no way to tell what happened to a packet before reaching your server.
您需要确认,在IP网络中,流量通过许多节点,其中一些节点可能会更改请求的明显IP地址。这些包括NAT服务器和不同类型的代理,您无法在到达服务器之前判断数据包发生了什么。
Also in HTTP, any request header can be forged. This includes about any variable that starts with SERVER_ in your favourite language. These cannot be trusted, a user can send whatever he wants.
同样在HTTP中,任何请求标头都可以伪造。这包括以您喜欢的语言以SERVER_开头的任何变量。这些不可信,用户可以发送他想要的任何内容。
The only exception is the actual apparent client IP, which is much harder to forge, but only gives you the last hop (the last proxy, or the last nat server).
唯一的例外是实际明显的客户端IP,它更难伪造,但只提供最后一跳(最后一个代理,或最后一个nat服务器)。
Also most of the times if you need to know the client IP that precisely, something elae is wrong on the logic. You have to accept for example that a client IP is in no way an identifier of a user (a person).
此外,大多数情况下,如果您需要准确了解客户端IP,那么逻辑上就会出现错误。例如,您必须接受客户端IP绝不是用户(人)的标识符。
#2
0
is http_x_forwarded_for safe?
It depends on the proxy server you rely on. The proxy server has a complete control over this header and it can set whatever value in the header. So, if you are in control of the proxy, you can trust the attribute and can confirm its the correct information. I have used this successfully in the past to read the Client IP address with the trusted proxy server setup.
这取决于您依赖的代理服务器。代理服务器完全控制此标头,它可以设置标头中的任何值。因此,如果您控制代理,则可以信任该属性并确认其正确的信息。我过去曾成功使用此功能来使用可信代理服务器设置读取客户端IP地址。
is it able to modify the http_x_forwarded_for with fake ip?
Can hackers do that?
If you are talking about modifying the request at a particular hop in a network containing multiple proxy servers before it reaches the server, then yes its possible. So, its depends on your proxy setup on how you control it. If its about change the header over the network tunnel by intercepting the proxy request forwarded, IMO it may be possible but can be avoided using a proper handshake protocol.
如果您正在讨论在到达服务器之前在包含多个代理服务器的网络中的特定跃点处修改请求,那么是可能的。因此,它取决于您如何控制它的代理设置。如果它通过拦截转发的代理请求来改变网络隧道上的报头,则IMO可能是可能的,但可以使用适当的握手协议来避免。
#1
0
Due to the way IP networks work, there is no way to tell the actual IP address of a client connecting to your server. The question even doesn't make sense. If NAT is used on the network, which IP would you want to see as client IP, the internal (local) one on the NATed network, or the first public IP? What would you gain from the latter, when whole internet provider companies work with client networks behind a nat (although this is getting less common)?
由于IP网络的工作方式,无法分辨连接到服务器的客户端的实际IP地址。这个问题甚至没有意义。如果在网络上使用NAT,您希望将哪个IP视为客户端IP,NATed网络上的内部(本地)IP,还是第一个公共IP?当整个互联网提供商公司与nat背后的客户网络合作时,你会从后者中获得什么(虽然这种情况越来越不常见)?
You need to acknowledge that in an IP network, traffic passes through many nodes, some of which may change the apparent IP address of a request. These include NAT servers and proxies of different sorts, and you have no way to tell what happened to a packet before reaching your server.
您需要确认,在IP网络中,流量通过许多节点,其中一些节点可能会更改请求的明显IP地址。这些包括NAT服务器和不同类型的代理,您无法在到达服务器之前判断数据包发生了什么。
Also in HTTP, any request header can be forged. This includes about any variable that starts with SERVER_ in your favourite language. These cannot be trusted, a user can send whatever he wants.
同样在HTTP中,任何请求标头都可以伪造。这包括以您喜欢的语言以SERVER_开头的任何变量。这些不可信,用户可以发送他想要的任何内容。
The only exception is the actual apparent client IP, which is much harder to forge, but only gives you the last hop (the last proxy, or the last nat server).
唯一的例外是实际明显的客户端IP,它更难伪造,但只提供最后一跳(最后一个代理,或最后一个nat服务器)。
Also most of the times if you need to know the client IP that precisely, something elae is wrong on the logic. You have to accept for example that a client IP is in no way an identifier of a user (a person).
此外,大多数情况下,如果您需要准确了解客户端IP,那么逻辑上就会出现错误。例如,您必须接受客户端IP绝不是用户(人)的标识符。
#2
0
is http_x_forwarded_for safe?
It depends on the proxy server you rely on. The proxy server has a complete control over this header and it can set whatever value in the header. So, if you are in control of the proxy, you can trust the attribute and can confirm its the correct information. I have used this successfully in the past to read the Client IP address with the trusted proxy server setup.
这取决于您依赖的代理服务器。代理服务器完全控制此标头,它可以设置标头中的任何值。因此,如果您控制代理,则可以信任该属性并确认其正确的信息。我过去曾成功使用此功能来使用可信代理服务器设置读取客户端IP地址。
is it able to modify the http_x_forwarded_for with fake ip?
Can hackers do that?
If you are talking about modifying the request at a particular hop in a network containing multiple proxy servers before it reaches the server, then yes its possible. So, its depends on your proxy setup on how you control it. If its about change the header over the network tunnel by intercepting the proxy request forwarded, IMO it may be possible but can be avoided using a proper handshake protocol.
如果您正在讨论在到达服务器之前在包含多个代理服务器的网络中的特定跃点处修改请求,那么是可能的。因此,它取决于您如何控制它的代理设置。如果它通过拦截转发的代理请求来改变网络隧道上的报头,则IMO可能是可能的,但可以使用适当的握手协议来避免。