PHP, Visitor IP address and invisible proxies

I was faced with a difficult configuration issue a few days ago with
another company's web service. In short, their web service requires the
user to log in on their page before their service can be used through
another application. During the login phase the remote server tries to
determine the visitor's IP address and after that only allows the use of
the external application from that IP address.

As most of us well know, there really is no reliable way to get the
visitor's IP address through PHP or other server-side scripting.
Troubleshooting my connection issues, I found out that our ISP is using a
completely transparent proxy in between. It does not add extra headers
to its requests, so the web server has no idea it is actually fetching
the proxy's IP address instead of mine.

Quite often proxies add the real IP address in the request headers
($_SERVER["HTTP_X_FORWARDED_FOR"]), but my ISP's transparent proxy does
not do this. Obviously the service was unusable, and I know that there
would be other ways for the company to deal with the identification. I
finally got around the issue after using some ugly workarounds.

(The "livehttpheaders" Mozilla extension allows me to manually add
request headers to single page requests, although it is quite a lot of
work and has to be done manually for each request. My ISP's proxy seems to
pass these extra headers through untouched, so I was able to manually
define http_x_forwarded_for as my IP and got it all working, although
now this needs to be done with every login.)

While investigating the problem I came to face 2 questions that I would
like answers to.

1) Despite the completely transparent proxy, I found 2 pages on the
internet that _did_ report my real IP address despite the proxy in
between. These were and Any and
all other such pages always returned my proxy's IP address instead. I
suspect that the two working sites use some much more sophisticated
technique for finding out my IP address than just server variables or
headers, but I am unsure what that is (some kind of routing analysis,
perhaps?). So _how on earth do or
find out the real ip-address instead of the completely invisible proxy
in between_ ?

2) In the future, to make analysing similar problems easier, or to just
add depth to the experiments with web services, it would help a lot to
have an easier way to set request headers. Are there any other
extensions/plugins/software to edit my request headers than the Mozilla
livehttpheaders? It would be good if I could permanently set some
request headers that would always be applied to my requests, or applied

Thanks in advance.


Re: PHP, Visitor IP address and invisible proxies


   Not for me, at least when I tried. So, I guess, your proxy actually
sends your IP to them in _some_ headers. Probably you should loop
through the $_SERVER variables to find that out.


   Again, I don't think so. But it's quite easy to find out whether the
IP is a proxy or not.


   I don't know. Perhaps you should hack the source of

  <?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com    Blog: /

Re: PHP, Visitor IP address and invisible proxies


There is no way of doing this reliably. The only way to guarantee that
you have the end user's IP address and not an intermediate proxy is to
ensure that the request was HTTPS. The problem first came to light when
I discovered, when looking at AOL users (the AOL network makes extensive
use of proxies that overwrite the end user's IP address during the
inbound request), that there were no HTTP headers, not even
HTTP_X_FORWARDED_FOR, that would give me the correct IP. In fact, I
managed to demonstrate that the end user's IP address could always be
hidden by opening an AOL account for this express purpose.


Re: PHP, Visitor IP address and invisible proxies

R. Rajesh Jeba Anbiah wrote:

The transparent proxy set up by Telefónica (main company here in Spain)
adds x-forwarded-for to the headers:

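// Use X-Forwarded-For when the proxy supplies it, otherwise the TCP peer.
// The header can also be set by the client, so $ip is informational only.
if (getenv("HTTP_X_FORWARDED_FOR")) {
        $ip    = getenv("HTTP_X_FORWARDED_FOR");   // address reported by the proxy
        $host  = gethostbyaddr($ip);
        $proxy = "sí: " . getenv("REMOTE_ADDR");   // the proxy's own address
} else {
        $ip    = getenv("REMOTE_ADDR");            // no header: direct peer address
        $host  = gethostbyaddr($ip);
        $proxy = "no";
}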

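Added example, not part of any post in this thread: the workaround in the first post works because the remote service accepts an X-Forwarded-For value that the browser itself supplied. A server-side check that honours the header only when the connection comes from a proxy the site operates could look like this (the function name, the TRUSTED_PROXIES list and all addresses are assumptions made for the example).

```php
<?php
// Added example. TRUSTED_PROXIES and all addresses below are constructed
// (documentation ranges); replace them with the proxies you actually operate.
const TRUSTED_PROXIES = ['192.0.2.10', '192.0.2.11'];

/**
 * Return the address to use for IP-based decisions.
 * X-Forwarded-For is honoured only when the TCP peer (REMOTE_ADDR) is one
 * of our own proxies; otherwise the header is client-supplied and ignored.
 */
function client_ip(array $server, array $trusted = TRUSTED_PROXIES): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $xff  = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '' || !in_array($peer, $trusted, true)) {
        return $peer;
    }
    // Each proxy appends the peer it saw, so walk the list right to left
    // and stop at the first hop that is not one of our proxies.
    $hops = array_reverse(array_map('trim', explode(',', $xff)));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $peer; // malformed entry: fall back to the TCP peer
        }
        if (!in_array($hop, $trusted, true)) {
            return $hop;
        }
    }
    return $peer; // every hop was a trusted proxy
}

// Constructed requests covering the situations discussed in the thread.
$cases = [
    'direct client, forged header' => [
        'REMOTE_ADDR' => '203.0.113.7',
        'HTTP_X_FORWARDED_FOR' => '198.51.100.99',
    ],
    'via our proxy, client prepended a forged hop' => [
        'REMOTE_ADDR' => '192.0.2.10',
        'HTTP_X_FORWARDED_FOR' => '198.51.100.99, 203.0.113.7',
    ],
    'silent ISP proxy, no header' => [
        'REMOTE_ADDR' => '203.0.113.50',
    ],
];
foreach ($cases as $label => $server) {
    printf("%-46s => %s\n", $label, client_ip($server));
}
```

In the third case the server can only ever see the ISP proxy's address, which is why binding a login to the client IP breaks for users behind such proxies.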
