REMOTE_ADDR 是否有可能为空?
据我所知,网络服务器(Apache/Nginx)根据请求用户代理声明的位置提供($_SERVER['REMOTE_ADDR'])。所以我知道他们可能在撒谎,但是这个值有可能是空白吗?网络接口或网络服务器是否会接受没有正确形成的 IP 的请求?
As far as I'm aware, the webserver (Apache/Nginx) provides the ($_SERVER['REMOTE_ADDR']) based on the claimed location of the requesting user agent. So I understand they can be lying, but is it possible that this value could be blank? Would the network interface or webserver even accept a request without a correctly formed IP?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
理论上是可能的,因为这取决于 http 服务器或至少是相应的 PHP SAPI。
在实践中,除了 CLI SAPI 之外,我还没有遇到过这种情况。
编辑:对于 Apache,这似乎总是被设置的,因为
ap_add_common_vars总是将其添加到最终由 Apache 模块 PHP SAPI 读取的表中(免责声明:我对 Apache 内部结构的了解非常有限)。如果在 CGI 环境中使用 PHP,RFC 3875 中的规范似乎保证了该变量的存在:
It is theoretically possible, as the matter is up to the http server or at least the corresponding PHP SAPI.
In practice, I haven't encountered such a situation, except with the CLI SAPI.
EDIT: For Apache, it would seem this is always set, as
ap_add_common_varsalways adds it to the table that ends up being read by the Apache module PHP SAPI (disclaimer: I have very limited knowledge of Apache internals).If using PHP in a CGI environment, the specification in RFC 3875 seems to guarantee the existence of this variable:
是的。目前,我在 Apache-behind-Nginx 日志中看到“未知”值,日志中看起来像是正常的请求/响应序列。我相信这是可能的,因为
mod_extract_forwarded正在根据X-Forwarded-For标头中的数据修改重置 REMOTE_ADDR 的请求。因此,原始REMOTE_ADDR值可能有效,但作为通过反向代理和 Apache 的一部分,REMOTE_ADDR在到达应用程序时显得无效。如果您已经安装了 Perl 的 libwww-perl,您可以像这样测试这种情况(将 example.com 更改为您自己的域或应用程序):(
您还可以使用任何其他允许您手工制作的工具带有自定义请求标头的 HTTP 请求。)
现在,检查您的访问日志以查看它们记录的值,并检查您的应用程序以了解它们如何处理错误输入。 `
Yes. I currently see values of "unknown" in my logs of Apache-behind-Nginx, for what looks like a normal request/response sequence in the logs. I believe this is possible because
mod_extract_forwardedis modifying the request to reset REMOTE_ADDR based on data in theX-Forwarded-Forheader. So, the originalREMOTE_ADDRvalue was likely valid, but as part of passing through our reverse proxy and Apache,REMOTE_ADDRappears invalid by the time it arrives at the application.If you have installed Perl's
libwww-perl, you can test this situation like this (changing example.com to be your own domain or application):( You can also use any other tool that allows you to handcraft HTTP requests with custom request headers. )
Now, go check your access logs to see what values they logged, and check your applications to see how they handled the bad input. `
嗯,它是保留的但可写。我见过一些写得不好的应用程序在超全局变量上乱写乱画——脚本是否可以覆盖它,例如使用
$_SERVER['REMOTE_ADDR'] = '';?除此之外,即使请求被代理,也应该有代理的地址 - 可能是某种内部重写模块搞乱了它(
mod_rewrite允许内部重定向,不确定是否它影响这个)?Well, it's reserved but writable. I've seen badly written apps that were scribbling all over the superglobals - could the script be overwriting it, e.g. with
$_SERVER['REMOTE_ADDR'] = '';?Other than that, even if the request were proxied, there should be the address of the proxy - could it be some sort of internal-rewrite module messing with it (
mod_rewriteallows internal redirects, not sure if it affects this)?它不应该为空,并且没有任何东西无法连接到您的网络服务。无论连接的是什么,都必须有一个 IP 地址才能发送和接收数据。该 IP 地址是否可信是另一回事。
It shouldn't be blank, and nothing can't connect to your web service. Whatever's connecting must have an IP address to send and receive data. Whether that IP address can be trusted is a different matter.