
I have a test php code. Which essentially grabs the IP of someone and emails it to an address. I plan later on storing it in a database, but just for testing purposes I have put it as emailing me.

My issue is, I have cloudflare enabled so when I use getenv(REMOTE_ADDR) it gives me cloudflare's IP rather than the actual visitors IP. Is there a way I can get the visitor's IP?

<?php
// The variable name must be passed as a string; a bare REMOTE_ADDR is an undefined constant
// (a notice in PHP 7, a fatal error in PHP 8).
$ip = getenv('REMOTE_ADDR');
mail("email@domain.com", "You got a visitor", "IP: ".$ip);
?>
Mikie

2 Answers


If you're using Nginx you can also just correct this at the web server level before PHP even gets involved, in which case $ip = getenv(REMOTE_ADDR); will then give you the "real" IP of the visitor. In nginx you'd whitelist Cloudflare's IPs in the nginx.conf file using set_real_ip_from XXX for each of Cloudflare's IP ranges.

Without the web server level fix I used:

if ($ip=='') $ip = $_SERVER['HTTP_CF_CONNECTING_IP'];

When I had fixed the IP logging issue at the web server level I used:

if ($ip=='') $ip = $_SERVER['REMOTE_ADDR'];
xxdesmus

Of course it is. Cloudflare hides your server's real address from the user by intermediating the connection (reverse proxy), and by the same token you see the proxy's IP accessing the page instead of the user's.

But they report the real IP through the header CF-Connecting-IP and other useful headers Cloudflare generates to figure out the user's real origin.

Try again with $_SERVER['HTTP_CF_CONNECTING_IP'] instead of getenv(REMOTE_ADDR) and see what happens.

Havenard
  • I have replaced `$ip = getenv(REMOTE_ADDR);` with `$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];`. Will report back and see what the results are. – Mikie Sep 17 '18 at 02:55
  • then `$ip` is just empty. Has nothing in it – Mikie Sep 17 '18 at 02:57
  • Try `$_SERVER['HTTP_CF_CONNECTING_IP']`. – Havenard Sep 17 '18 at 02:57
  • It also should be noted that it can be spoofed. The requesting IP should be verified as a CF server first. – user3783243 Sep 17 '18 at 03:00
  • Technically true, but in a perfect world the user should never know the server's real IP, that would defeat the whole point of using Cloudflare to begin with. – Havenard Sep 17 '18 at 03:02
  • @user3783243 most people don't spoof though. Not really worried about hackers too much. – Mikie Sep 17 '18 at 03:04
  • @Mikie I don't know how your application is being used, it's just a note for future visitors. This solution wouldn't be secure for an application using IP authentication. – user3783243 Sep 17 '18 at 03:06
  • oh I see @user3783243. I'm just trying to learn things, but I will note this if I ever get better at php and make something cool. – Mikie Sep 17 '18 at 03:08
  • @user3783243 Well they can spoof `REMOTE_ADDR` too so I wouldn't be losing sleep over that. Just make sure `HTTP_CF_CONNECTING_IP` is actually an IP before injecting it in an SQL query or something and it's good to go. – Havenard Sep 17 '18 at 03:17
  • @Havenard If `REMOTE_ADDR` is spoofed the response would be sent back to the fake address, not the client's address. So the secured content would still be safe. I'm not talking about malicious code, I'm referring to IP authentication. (If there is a SQL aspect to this an IP shouldn't be used for injection prevention) – user3783243 Sep 17 '18 at 03:44
  • @user3783243 First of all, IP should never be used for authentication purposes, even if it was completely reliable as source identification, which it is not. This is basically only useful for logging and bad at that too. The only danger of using `HTTP_CF_CONNECTING_IP` over `REMOTE_ADDR` is that while `REMOTE_ADDR` is guaranteed to be an IP address, `HTTP_CF_CONNECTING_IP` is user input and can basically contain anything, so if your logging is done in a database you should beware that this is a SQL manipulation vector and should be filtered just as any other user input before being used. – Havenard Sep 17 '18 at 03:50
  • @user3783243 As reference, Joomla could be exploited by something like that. https://blog.cloudflare.com/the-joomla-unserialize-vulnerability/ – Havenard Sep 17 '18 at 03:53
  • @Havenard Okay? Not really what I was talking about – user3783243 Sep 17 '18 at 03:59
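Added example, not code from the question or from either answer, that ties the two answers and the spoofing discussion in the comments together: `CF-Connecting-IP` is only trusted when `REMOTE_ADDR` itself falls inside one of Cloudflare's published ranges (the same list the first answer whitelists with `set_real_ip_from`), and the header value is validated as an IP address before it is used. The functions `ipInCidr` and `visitorIp` and the `CLOUDFLARE_RANGES` constant are this example's own names; the CIDR ranges in it are constructed placeholders that must be replaced with the list Cloudflare publishes.

```php
<?php
// PLACEHOLDER ranges, constructed for this example. Replace with Cloudflare's
// published IP ranges (the same list the first answer feeds to set_real_ip_from).
const CLOUDFLARE_RANGES = [
    '192.0.2.0/24',   // placeholder (documentation range), not a Cloudflare range
    '2001:db8::/32',  // placeholder (documentation range), not a Cloudflare range
];

// True when $ip lies inside $cidr. Works for IPv4 and IPv6 via inet_pton().
function ipInCidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = explode('/', $cidr, 2);
    $ipBin = inet_pton($ip);
    $subnetBin = inet_pton($subnet);
    // Unparsable address, or address families differ (4 vs 16 bytes).
    if ($ipBin === false || $subnetBin === false || strlen($ipBin) !== strlen($subnetBin)) {
        return false;
    }
    $bits = (int) $bits;
    $fullBytes = intdiv($bits, 8);
    $remBits = $bits % 8;
    if ($fullBytes > 0 && substr($ipBin, 0, $fullBytes) !== substr($subnetBin, 0, $fullBytes)) {
        return false;
    }
    if ($remBits === 0) {
        return true;
    }
    // Compare only the leading $remBits bits of the next byte.
    $mask = (0xFF << (8 - $remBits)) & 0xFF;
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($subnetBin[$fullBytes]) & $mask);
}

// Returns the address to log for this request, or '' if none is usable.
// $server is normally $_SERVER; it is a parameter so the function can be exercised offline.
function visitorIp(array $server, array $cloudflareRanges = CLOUDFLARE_RANGES): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return '';
    }

    // Step 1 (user3783243's point): was the TCP peer actually a Cloudflare edge?
    $viaCloudflare = false;
    foreach ($cloudflareRanges as $cidr) {
        if (ipInCidr($remote, $cidr)) {
            $viaCloudflare = true;
            break;
        }
    }

    // Step 2 (Havenard's point): the header is client-controlled text, so it must
    // parse as an IP before it goes anywhere near mail(), a log file or a query.
    if ($viaCloudflare) {
        $claimed = $server['HTTP_CF_CONNECTING_IP'] ?? '';
        if (filter_var($claimed, FILTER_VALIDATE_IP) !== false) {
            return $claimed;
        }
    }

    // Not via Cloudflare (or header unusable): REMOTE_ADDR is the honest answer.
    return $remote;
}

// Constructed sample requests for an offline check (not real traffic).
$samples = [
    'direct, header present'   => ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_CF_CONNECTING_IP' => '10.0.0.1'],
    'via proxy range, valid'   => ['REMOTE_ADDR' => '192.0.2.5',    'HTTP_CF_CONNECTING_IP' => '198.51.100.7'],
    'via proxy range, garbage' => ['REMOTE_ADDR' => '192.0.2.5',    'HTTP_CF_CONNECTING_IP' => "1' OR '1'='1"],
];
foreach ($samples as $label => $server) {
    printf("%-26s -> %s\n", $label, visitorIp($server));
}

// In production, use the real request with the question's mail() call:
$ip = visitorIp($_SERVER);
if ($ip !== '') {
    mail("email@domain.com", "You got a visitor", "IP: " . $ip);
}
```

With the placeholder ranges, the first sample is treated as a direct connection and the header is ignored; the second is treated as proxied and the header value is used; the third is proxied but the header fails `FILTER_VALIDATE_IP`, so the function falls back to `REMOTE_ADDR` rather than passing the string on. If the web server already rewrites `REMOTE_ADDR` (the nginx `set_real_ip_from` approach in the first answer), the range list is empty from PHP's point of view and the function simply returns the rewritten `REMOTE_ADDR`.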