38

I have a Spanish website and I do not allow people from non-European countries to register and to login.

Some time ago I started to receive messages from users who cannot login. When I ask for their IP address they tell me something like: 66.249.93.202. It's Google's IP address. How do they get it on their mobile phones? What do they have to do to use their real IP address?

user1406271
  • 12
    This might become even more common as IPv6 becomes popular, and people use IPv6-to-4 proxies. If you're going to geo-target, do support IPv6 and do not make too many assumptions on the nationality of mobile phones. – MSalters Jan 26 '15 at 15:34
  • 39
    To add to MSalters's comment, don't rely on IPs at all; malicious users will work around it anyway (VPNs, open proxies, etc) and you only end up annoying legitimate users. –  Jan 26 '15 at 16:43
  • 14
    What happens when one of your users from Barcelona travels to Tel Aviv? Will she not be able to log into her account while on business travel? – dotancohen Jan 27 '15 at 07:29
  • 1
    if you want to avoid the Google IP address just serve your customers via HTTPS, that will bypass the Data Compression Proxy – Ricardo Feb 09 '15 at 14:54

5 Answers

59

What you're seeing is the Google proxy address.
Mobile users with a Chrome browser (either Android or iOS) that have the bandwidth management features turned on will often be seen as using one of these addresses as the requester, as described here.

In essence the data you're serving is being requested by the Google Data Compression Proxy, optimized and sent back to the end-user.

What they have to do to use their real IP address.

They shouldn't be doing anything differently.
You can check the x-forwarded-for header as explained in the previously linked documentation.

Reaces
  • I'm amazed Google is offering a feature that encryption is detrimental to. – user253751 Jan 27 '15 at 07:07
  • @immibis It's either that, or pulling a [nokia](http://gigaom.com/2013/01/10/nokia-yes-we-decrypt-your-https-data-but-dont-worry-about-it/). You can't optimize what you can't decrypt, and you can't lobby for a https only internet and decrypt it for your own benefit. – Reaces Jan 27 '15 at 09:47
  • 4
    Note that the XFF header can be easily spoofed, so there is a solution from Wikimedia to check if it's a "trusted" XFF header: http://meta.wikimedia.org/wiki/XFF_project – Sanya_Zol Jan 27 '15 at 10:56
25

Probably they are using Google data compression proxy (https://developer.chrome.com/multidevice/data-compression).

And to answer your question (from the same page):

As a site owner, how do I perform IP geo-targeting?
The IP address of the mobile device is forwarded to the destination server via the X-Forwarded-For header. Site owners should check for this header to correctly determine the location of the user based on client's IP address.

faker
  • 3
    Seems like we posted nearly simultaneously :D – Reaces Jan 26 '15 at 12:08
  • 3
    @Reaces you were 14 seconds faster :D – faker Jan 26 '15 at 12:08
  • 1
    The problem with X-Forwarded-For is that you first need to check the actual IP against a list of trusted proxies before you can trust the header. Else the user can simply send the header themselves and choose any IP they like. – CodesInChaos Jan 28 '15 at 16:10
23

You can get the user's IP address directly if you simply serve the site over HTTPS.

You probably should be doing this anyway - especially since you mentioned these are login and registration pages.

Quoting from the Data Compression Proxy page mentioned in other answers:

Is my secure traffic optimized by the compression proxy?

No, data compression proxy operates on non-encrypted traffic: HTTPS requests are sent directly from the mobile device to the destination server.

loopbackbee
7

Maybe these users use Chrome (mobile) with the Data Compression Proxy (https://developer.chrome.com/multidevice/data-compression).

You can use the X-Forwarded-For HTTP header to geo-locate the user based on the original user IP (see the FAQ).

sfk
  • The `X-Forwarded-For` header can easily be spoofed, so it's not safe relying on this header. – Tim Jun 14 '18 at 09:43
1

I have got the same issue. But I didn't get the real IP in X-Forwarded-For: I have Data Saver enabled, but the X-Forwarded-For index is not set in the header information. I also checked the HTTP_X_REAL_IP index. It is also set to a Google IP address.

Finally I found the correct IP in the HTTP_FORWARDED index, with the value for=203.192.231.124

```php
echo $_SERVER['HTTP_FORWARDED'];
```

So just remove the text for= from the value & you will get the IP.

```php
// Strips the "for=" prefix; assumes the header holds only that one parameter.
$ip = str_replace('for=', '', $_SERVER['HTTP_FORWARDED']);
```
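As an added example (not code from any of the answers), here is the check that CodesInChaos's and Sanya_Zol's comments describe, in PHP since that is the language of the last answer: X-Forwarded-For or the Forwarded header is consulted only when the direct TCP peer is a trusted proxy, and otherwise REMOTE_ADDR is used. The trusted range and the sample request are constructed placeholders, and the code assumes PHP 7.4 or later.

```php
<?php
// Added example, not from the answers above: pick the address to geo-locate.
// A forwarding header is believed only when the TCP peer is a known proxy;
// otherwise it is whatever the client chose to send. $trustedProxies is a
// PLACEHOLDER list: fill it from the proxy operator's published ranges.

function ipInCidr(string $ip, string $cidr): bool {
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin = inet_pton($ip);
    $netBin = inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false;                       // malformed, or IPv4 vs IPv6 mismatch
    }
    $bits = $bits === null ? strlen($netBin) * 8 : (int)$bits;
    $full = intdiv($bits, 8);
    $rest = $bits % 8;
    if (substr($ipBin, 0, $full) !== substr($netBin, 0, $full)) {
        return false;
    }
    $mask = (0xFF << (8 - $rest)) & 0xFF;   // bits of the partial last byte
    return $rest === 0 || (ord($ipBin[$full]) & $mask) === (ord($netBin[$full]) & $mask);
}

function isTrustedProxy(string $ip, array $trustedProxies): bool {
    return count(array_filter($trustedProxies, fn($cidr) => ipInCidr($ip, $cidr))) > 0;
}

// Returns REMOTE_ADDR unless it is a trusted proxy. Then take the value that proxy
// appended: the rightmost X-Forwarded-For entry (anything left of it may be
// client-supplied), or the first "for=" of an RFC 7239 Forwarded header.
function clientIp(array $server, array $trustedProxies): string {
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!isTrustedProxy($peer, $trustedProxies)) {
        return $peer;
    }
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $candidate = end($hops);
    } elseif (!empty($server['HTTP_FORWARDED'])
        && preg_match('/\bfor="?(?:\[([^\]]+)\]|([^";,:\s]+))/i', $server['HTTP_FORWARDED'], $m)) {
        $candidate = $m[1] !== '' ? $m[1] : $m[2];   // "[v6]:port" or bare v4 (port dropped)
    } else {
        return $peer;
    }
    return filter_var($candidate, FILTER_VALIDATE_IP) !== false ? $candidate : $peer;
}

// Constructed call: trusted peer, X-Forwarded-For with a spoofed entry before the real one.
echo clientIp(['REMOTE_ADDR' => '66.249.93.202', 'HTTP_X_FORWARDED_FOR' => '10.0.0.1, 203.0.113.7'],
              ['66.249.93.0/24']), "\n";   // PLACEHOLDER range built around the IP in the question
```

With an empty trusted list the function simply returns REMOTE_ADDR, which is also the right answer once the site is served over HTTPS, since the compression proxy is then no longer in the path.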