这段取真实 IP 代码有没有需要优化或改进的地方?

欢迎各位大佬批评指正。。谢谢

if (isset($_SERVER)) {
 	// Use $_SERVER variables by preference
 	$HTTP_VARS = $_SERVER;
} else if (isset($_ENV)) {
 	// Fallback to PHP environment variables
 	$HTTP_VARS = $_ENV;
} else $HTTP_VARS = array();

// Step through the captured $_SERVER or $_ENV array, ignoring the case of the keys.
// (Some "authorities" indicate that the keys can be lower or mixed case!)
$ipAddrList = 'unknown';
foreach($HTTP_VARS as $key => $value) {
 	$key = strtoupper($key);
	$value = str_replace(' ', '', $value);// Get rid of embedded blanks

	if ($key == 'HTTP_FORWARDED') {
		// We're dealing with the new HTTP Forwarded: by=identifier; for=identifier; host=host; proto=protocol
		// See: https://tools.ietf.org/html/rfc7239
	    $value = str_replace(',for=', ',', strtolower($value));	// Make everything lower-case and then get rid of extraneous "for=" tags
	    $params = explode(';', $value);// Separate the Forwarded: parameters into an array
	    foreach ($params as $key => $value) {
		    if (substr($value,0,4) == 'for=') {
			    $ipAddrList = substr($value,4);// Everything after "for=" is now a comma-separated list of IPv4 or IPv6 addresses
			    break;
		    }
	    }
	    break;
    }
	if ($key == 'HTTP_X_FORWARDED_FOR') {
	    $ipAddrList = $value;
	    break;
    }
	if ($key == 'HTTP_X_FORWARDED') {
	    $ipAddrList = $value;
	    break;
    }
	if ($key == 'HTTP_FORWARDED_FOR') {
	    $ipAddrList = $value;
	    break;
    }
	if ($key == 'HTTP_CLIENT_IP') {
	    $ipAddrList = $value;
	    break;
    }
	if ($key == 'REMOTE_ADDR') {
	    $ipAddrList = $value;
	    break;
    }
}

$ip = preg_replace('~,.*~', '', $ipAddrList);	// Trim everything after the first comma, leaving just the first IPv4 or IPv6 address

$ip = str_replace(array('"', "'"), '', $ip);	// Get rid of quotation marks used in some addresses
if (substr($ip,0,1) == '[') {
	$ip = preg_replace('~\]:.*~', '', $ip);	// Get rid of IPv6 port number that follows closing square bracket
	$ip = str_replace(array('[', ']'), '', $ip);	// Get rid of square brackets enclosing IPv6 address
} else {
	$ip = preg_replace('~:.*~', '', $ip); // Get rid of IPv4 port number that follows last digit of address
}

unset($HTTP_VARS, $key, $value, $params, $ipAddrList); // We don't need this any more
$_SERVER['REMOTE_ADDR'] = $ip;

lhx2008

2019-01-02 09:42:21 +08:00

@xmlf 嗯嗯，没错，nginx 这样写会覆盖掉用户的私发头，所以服务器这边也不用验证 IP 了，是最简单的写法。验证 IP 用防火墙没问题。

不过真实情况还可能会有多级反代，比如 nginx 外面还挂一个 CDN，这样基本上只能在 X-Forward-For 做好验证，因为这个头有标准的，一般第一个是第一级反代加的真实 IP，后面的 IP 真实性就没法保证了。

至于 HTTP 匿名代理的 IP，我也没查有什么办法，不过现在除了爬虫，应该很少人用了，如果 ss 代理的话，不可能获取到用户真实 IP 的，只能获取到代理 IP

当然，你这个代码还没有考虑 IPV6 的情况。

xmlf

2019-01-02 09:51:07 +08:00

@lhx2008 非常感谢大佬指点。为了给后面人更明确和清晰的答案。能否有请大佬将代码最终完善，并贴出全部代码?
拜谢！
另外，在我上面贴出的代码最后就是考虑了 IPV6 的。

$ip = preg_replace('~,.*~', '', $ipAddrList); // Trim everything after the first comma, leaving just the first IPv4 or IPv6 address

$ip = str_replace(array('"', "'"), '', $ip); // Get rid of quotation marks used in some addresses
if (substr($ip,0,1) == '[') {
$ip = preg_replace('~\]:.*~', '', $ip); // Get rid of IPv6 port number that follows closing square bracket
$ip = str_replace(array('[', ']'), '', $ip); // Get rid of square brackets enclosing IPv6 address
} else {
$ip = preg_replace('~:.*~', '', $ip); // Get rid of IPv4 port number that follows last digit of address
}

unset($HTTP_VARS, $key, $value, $params, $ipAddrList); // We don't need this any more
$_SERVER['REMOTE_ADDR'] = $ip;