I just asked a question about nginx forwarding upstream and changing the forwarding source IP. Since the IP of the access request source can be changed at will, the IP we get on the web server cannot be completely trusted. So how should we restrict it? Is the user's real IP address, or is this path really not feasible?
Was nginx set up by [you], or was it set up by the [banned user]?
HTTP_X_FORWARD_FOR can be forged, but REMOTE_ADDR cannot be changed.
If it is built by [Banned User]:
You can get the IP of the nginx server through $_SERVER["REMOTE_ADDR"] and block it directly.
If [you] built nginx:
Although the user's IP can be obtained through $_SERVER["HTTP_X_FORWARD_FOR"], it may be forged.
<code>proxy_set_header X-Forward-For $remote_addr</code>
The best way is to add a private HTTP header. When nginx forwards, it adds the private HTTP header, and an outsider does not know what would need to be faked.
<code>proxy_set_header X-GAGAGA $remote_addr</code>
In addition, the HL system of the proxy platform currently used by Alibaba's WW does not strictly filter HTTP_X_FORWARD_FOR, so carefully constructed requests can achieve injection... (this has been fixed in the new version)
Regarding forgery, if you use Linux/Unix/OSX, the built-in curl can do it:
<code>curl abc.com/test.php -H "X-FORWARD-FOR:8.8.8.8"</code>
If you don't filter, and there happens to be a feature that decides directly from the IP whether to blacklist, or that records IP operation logs in the back end:
<code># if you want injection, inject
curl miaoqiyuan.cn/test.php -H "X-FORWARD-FOR:' or 'a'='a"
# if you want XSS, do XSS
curl miaoqiyuan.cn/test.php -H "X-FORWARD-FOR:alert('a')"</code>
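A concrete way to act on the answer above in PHP, as an added example rather than code from the thread: trust the forwarded header only when REMOTE_ADDR is one of your own nginx instances, and validate the value as an IP before it is used for blacklisting or logging. The proxy address 10.0.0.2 and the use of the standard `X-Forwarded-For` spelling are assumptions (the answer writes `X-Forward-For`; PHP exposes whichever name nginx sends as `$_SERVER['HTTP_...']`).

```php
<?php
// Added example (not from the original thread). Assumed nginx config on the
// proxy, which OVERWRITES the header so a client-supplied value never survives:
//     proxy_set_header X-Forwarded-For $remote_addr;
// The header name X-Forwarded-For is an assumption; PHP exposes whatever nginx
// sends as $_SERVER['HTTP_X_FORWARDED_FOR'].

/**
 * Return the IP address that should be used for blacklisting / logging.
 *
 * @param array    $server         normally $_SERVER; passed in so it can be tested
 * @param string[] $trustedProxies REMOTE_ADDR values of our own nginx instances
 */
function clientIp(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';

    // Case 1: the TCP peer is not one of our proxies. The request reached PHP
    // directly, so any X-Forwarded-For header was written by the client and is
    // ignored. REMOTE_ADDR comes from the socket and cannot be set by a header.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }

    // Case 2: the peer is our nginx, so the header is ours to read.
    $header = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($header === '') {
        return $remote;   // proxy did not set it; degrade to the proxy address
    }

    // With $proxy_add_x_forwarded_for nginx appends instead of overwriting,
    // giving "client-supplied, real-client". Walk from the right, skip our own
    // proxies, and take the first address that is not ours: that is the peer
    // nginx actually saw. Everything to the left of it is client input.
    $hops = array_map('trim', explode(',', $header));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (in_array($hops[$i], $trustedProxies, true)) {
            continue;
        }
        // Reject anything that is not a syntactically valid IP. This also keeps
        // values such as "' or 'a'='a" or "alert('a')" from the answer above
        // from ever reaching a SQL query or a log page as "the IP".
        if (filter_var($hops[$i], FILTER_VALIDATE_IP) !== false) {
            return $hops[$i];
        }
        return $remote;   // malformed value: fall back to the proxy address
    }
    return $remote;
}

/** Run the constructed demo requests and report whether every case behaves. */
function demo(): bool
{
    $proxies = ['10.0.0.2'];   // assumed address of our nginx
    $cases = [
        // Forwarded by our nginx: header is trusted, client is 203.0.113.7.
        [['REMOTE_ADDR' => '10.0.0.2', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'], '203.0.113.7'],
        // Direct hit with a forged header: header ignored, socket address wins.
        [['REMOTE_ADDR' => '198.51.100.9', 'HTTP_X_FORWARDED_FOR' => '8.8.8.8'], '198.51.100.9'],
        // Appended chain from $proxy_add_x_forwarded_for: rightmost hop wins.
        [['REMOTE_ADDR' => '10.0.0.2', 'HTTP_X_FORWARDED_FOR' => '1.2.3.4, 203.0.113.7'], '203.0.113.7'],
        // Non-IP payload in the header: never becomes "the IP".
        [['REMOTE_ADDR' => '10.0.0.2', 'HTTP_X_FORWARDED_FOR' => "' or 'a'='a"], '10.0.0.2'],
    ];
    foreach ($cases as [$server, $expected]) {
        if (clientIp($server, $proxies) !== $expected) {
            return false;
        }
    }
    return true;
}

if (PHP_SAPI === 'cli') {
    echo demo() ? "all checks passed\n" : "a case failed\n";
}
```

Run it with `php clientip.php`. The important property is that the decision of whether to believe the header is made from REMOTE_ADDR, which the answer above notes cannot be forged, not from the header's contents.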
I came up with a plan. When configuring nginx, I can add the <code>proxy_set_header X-Forward-For $remote_addr</code> configuration. Then $_SERVER["HTTP_X_FORWARD_FOR"] gets the user's real IP, and the program can restrict by that IP.