How do I get the client IP address from HTTP headers?
I understand it's a standard practice to look at both these variables. Of course they can easily be spoofed. I'm curious how often can you expect these values (especially the HTTP_X_FORWARDED_FOR) to contain genuine information and not just be scrambled or have their values stripped away?
Anyone with the experience or statistics on this stuff?
Is there anything else that can be useful for the task of getting the client's IP address?
No real answer to your question but:
Generally relying on the client's IP address is in my opinion not a good practice as it is not usable to identify clients in a unique fashion.
Problems on the road are that there are quite a lot of scenarios where the IP does not really align to a client:
I cannot offer any statistics on how many IP addresses are on average reliable but what I can tell you is that it is almost impossible to tell if a given IP address is the real client's address.
IP + "User Agent" could be better for a unique visitor.
If you're behind a proxy, you should use X-Forwarded-For: http://en.wikipedia.org/wiki/X-Forwarded-For
It is an IETF draft standard with wide support:
If not, here are a couple other common headers I've seen:
Call the below action method from your JS file (to get the IPv4 IP address).
Check after keeping a breakpoint, and use as per your requirement.
It's working fine for me.
In addition to REMOTE_ADDR and HTTP_X_FORWARDED_FOR there are some other headers that can be set such as:
HTTP_CLIENT_IP
HTTP_X_FORWARDED_FOR (can be a comma-delimited list of IPs)
HTTP_X_FORWARDED
HTTP_X_CLUSTER_CLIENT_IP
HTTP_FORWARDED_FOR
HTTP_FORWARDED
X_REAL_IP or X-Real-IP or x-real-ip
It depends on the nature of your site.
I happen to work on a bit of software where IP tracking is important, and within a field consumed by partner sites I'd guess some 20% - 40% of requests are either detectably spoofed IPs or headers blanked out, depending on the time of day and where they came from. For a site which gets organic traffic (i.e. not through partners) I'd expect a much higher ratio of good IPs.
As Kosi said, be careful what you're doing with this - IPs are in no way a reliable way to identify unique visitors.
I've ported Grant Burton's PHP code to an ASP.Net static method callable against the HttpRequestBase. It will optionally skip through any private IP ranges.
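An added example, not code from any of the answers above: one way to read REMOTE_ADDR and a comma-delimited HTTP_X_FORWARDED_FOR so that client-supplied entries are never trusted. The TRUSTED_PROXIES list, the function names and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: networks of the reverse proxies you operate (constructed values).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.10/32")]

def _parse(token):
    """Return an ip_address object, or None if the token is not a valid IP."""
    try:
        return ipaddress.ip_address(token.strip())
    except ValueError:
        return None

def _is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip(environ):
    """Pick the client address from a CGI/WSGI-style environ dict.

    REMOTE_ADDR comes from the TCP connection itself. X-Forwarded-For is
    consulted only when that direct peer is one of our proxies, and it is
    read right to left: each proxy appends the address it saw, so only the
    rightmost entries were written by infrastructure we control.
    """
    peer = _parse(environ.get("REMOTE_ADDR", ""))
    if peer is None:
        return None
    if not _is_trusted(peer):
        return str(peer)      # header is client-controlled here, ignore it
    candidate = peer
    for token in reversed(environ.get("HTTP_X_FORWARDED_FOR", "").split(",")):
        ip = _parse(token)
        if ip is None:
            break             # blank or garbage entry: keep last verified hop
        candidate = ip
        if not _is_trusted(ip):
            break             # first hop that is not ours: the client as our edge saw it
    return str(candidate)

# Constructed sample requests: (REMOTE_ADDR, X-Forwarded-For)
SAMPLES = [
    ("198.51.100.9", "1.2.3.4"),                         # direct hit, forged header
    ("10.0.0.1", "1.2.3.4, 203.0.113.7, 10.0.0.5"),      # forged first entry
    ("10.0.0.1", "203.0.113.7, unknown"),                # scrambled value
]

if __name__ == "__main__":
    for addr, xff in SAMPLES:
        env = {"REMOTE_ADDR": addr, "HTTP_X_FORWARDED_FOR": xff}
        print(f"{addr:15} {xff:35} -> {client_ip(env)}")
```

Entries carrying a port or IPv6 brackets are treated as invalid by this sketch and end the walk at the last verified hop.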