note: HTTP_X_FORWARDED_FOR forgery and security

2012-11-22 10:34

HTTP_X_FORWARDED_FOR
This value can be (easily) forged,
so it cannot necessarily be used to obtain the client's real IP.

The value of HTTP_X_FORWARDED_FOR may look like this:

unknown                                   (look: garbage data)
192.168.0.12, 192.168.236.1               (multiple IPs! and a private LAN IP shows up too)
101.14.2.1, 101.14.2.1
1.168.1.1, 172.30.4.1, 61.219.37.1        (61.219.37.1 = sys1-p2-1.hiproxy.hinet.net)
2001:288:2325:20:d1e7:18:xxx:xxx          (IPv6 shows up too)
127.0.0.1                                 (look: garbage data)

!! The server cannot rely on HTTP_X_FORWARDED_FOR to obtain the client's real IP

!! HTTP_X_FORWARDED_FOR very likely brings a risk of SQL injection: it is client-supplied text, so writing it into a query (or a log table) unescaped or unparameterised is an injection vector

!! HTTP_X_FORWARDED_FOR contains multiple IPs because each proxy server along the way appends one (appended from left to right, separated by commas)
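The three points above, as an added example that is not part of the original note: validate every hop as an IP address before the header is stored anywhere, and derive the "client IP" only by walking the chain from the right through proxies we operate ourselves. The trusted-proxy range 198.51.100.0/24 is an assumption for the example; the header values in the test are the sample values from this note.

```python
import ipaddress

def parse_xff(header):
    """Split an X-Forwarded-For value into validated IP address objects.

    Every hop must be a syntactically valid IPv4/IPv6 address. Entries such
    as 'unknown' or arbitrary text (the values a client can put into this
    header) make the whole header untrusted: the function returns None.
    """
    hops = []
    for raw in header.split(","):
        try:
            hops.append(ipaddress.ip_address(raw.strip()))
        except ValueError:
            return None
    return hops

def xff_for_storage(header):
    """Return a value that is safe to write to a log or database column.

    Only a header made entirely of valid IPs is kept; anything else is
    replaced by a constant, so raw header text never reaches SQL.
    (Use parameterised queries as well; this is defence in depth.)
    """
    hops = parse_xff(header or "")
    return ", ".join(str(h) for h in hops) if hops else "invalid"

def client_ip(remote_addr, xff_header, trusted_proxies):
    """Best-known client address as a string.

    remote_addr is the TCP peer, which the client cannot forge. If the peer
    is one of our own proxies, walk the XFF chain from the right (the last
    hop appended) and skip every hop that is also ours; the first address
    that is not ours is the closest thing to a client we can vouch for.
    Hops to its left were appended by machines we do not control and may
    be forged, so they are never used.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def own(ip):
        return any(ip in net for net in trusted)

    peer = ipaddress.ip_address(remote_addr)
    hops = parse_xff(xff_header) if xff_header else None
    if not own(peer) or hops is None:
        return str(peer)           # header unusable: fall back to the peer
    for hop in reversed(hops):
        if not own(hop):
            return str(hop)
    return str(hops[0])            # every hop was ours: leftmost is the origin
```

For the hinet chain from the note, the walk stops at 61.219.37.1 (the ISP's proxy), which is exactly the point above: the server never learns the address behind a proxy it does not control.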


Another related header:

HTTP_VIA

1.1 sys1-p1-191:8100 (squid/2.7.STABLE9), 1.0 proxyout:8200 (squid/2.7.STABLE9), 1.0 proxyout:8300 (squid/2.7.STABLE9)
1.1 ICCCI-FC14-i7 (squid/3.1.12), 1.1 localhost.localdomain (squid/3.1.10)
1.1 Cache2 (NetCache NetApp/6.0.7)
1.1 l4proxy03 (squid/3.1.10)
1.0 translate.google.com TWSFE/0.9