Security risks of Request.ServerVariables("REMOTE_ADDR") versus Request.ServerVariables("HTTP_X_FORWARDED_FOR")

Time: 2020-12-18 01:53:41

Let's say we're tracking the end-user IP for a web service:

' Header value is whatever the client (or any proxy in between) chose to send
ip = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
If ip = "" Then
    ' Fall back to the address of the TCP peer that actually connected to the server
    ip = Request.ServerVariables("REMOTE_ADDR")
End If

I've read that this is the best method of retrieving end-user IP because it works even for users on a transparent proxy.

If we're using the end-user IP address to filter malicious users, are there are any security implications with the above method instead of, say, just using Request.ServerVariables("REMOTE_ADDR")?

For example, if we banned a malicious user by end-user IP, could they easily change their IP via a proxy and continue using our web service?

Thanks in advance for your help.

2 answers

#1


9  

REMOTE_ADDR is generated by the web server based on the connection from the client. HTTP_X_FORWARDED_FOR is based on an HTTP header sent by the client.

You can't trust input from the client, particularly input that is easily faked, such as HTTP headers. Clients can stick anything into that HTTP_X_FORWARDED_FOR header.
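The difference between the two server variables, and why the question's header-first pattern is unsafe for banning, is easiest to see side by side. The following is an added example, not code from the question or either answer; it models the Classic ASP `Request.ServerVariables` collection as a plain dict, and the trusted-proxy ranges, the banned address and the sample requests are all constructed for the example. `naive_client_ip` reproduces the pattern from the question; `client_ip` only honours `X-Forwarded-For` when `REMOTE_ADDR` is one of our own proxies, and then walks the header from the right, skipping hops we operate, so that values the client put in the header itself are never used.

```python
import ipaddress

# Constructed for this example: address ranges of reverse proxies we operate.
TRUSTED_PROXIES = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("203.0.113.5/32"),
)

# Constructed for this example: an address we have banned.
BANNED = {"198.51.100.7"}


def naive_client_ip(server_vars):
    """The pattern from the question: trust the header, fall back to the socket peer."""
    ip = server_vars.get("HTTP_X_FORWARDED_FOR", "")
    if ip == "":
        ip = server_vars.get("REMOTE_ADDR", "")
    return ip


def _is_trusted(addr):
    # ip_address in ip_network returns False (not an error) on a version mismatch
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(server_vars):
    """Hardened version: REMOTE_ADDR is the only value the server itself observed.

    X-Forwarded-For is honoured only when the TCP peer is one of our proxies, and
    then only the rightmost address that is NOT one of our proxies is used. Every
    proxy appends the address it saw to the right end of the header, so anything
    left of that point came from the client or from networks we do not control.
    """
    remote = ipaddress.ip_address(server_vars["REMOTE_ADDR"])
    if not _is_trusted(remote):
        # Direct connection: whatever is in the header was written by the client.
        return str(remote)

    hops = [h.strip() for h in server_vars.get("HTTP_X_FORWARDED_FOR", "").split(",")]
    for hop in reversed([h for h in hops if h]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Malformed entry: stop trusting the chain rather than guessing.
            break
        if not _is_trusted(addr):
            return str(addr)
    # Header empty, malformed, or made only of our own proxies: attribute to the peer.
    return str(remote)


def is_banned(ip):
    return ip in BANNED


# Constructed request: banned client connects directly, spoofing the header.
SPOOFED_DIRECT = {"REMOTE_ADDR": "198.51.100.7", "HTTP_X_FORWARDED_FOR": "192.0.2.1"}

# Constructed request: same client behind our proxy 10.0.0.5, which appended
# the real address after the client's forged one.
SPOOFED_VIA_PROXY = {
    "REMOTE_ADDR": "10.0.0.5",
    "HTTP_X_FORWARDED_FOR": "192.0.2.1, 198.51.100.7",
}


def ban_decisions():
    """Returns (naive, hardened) ban results for both constructed requests."""
    return {
        "direct": (is_banned(naive_client_ip(SPOOFED_DIRECT)),
                   is_banned(client_ip(SPOOFED_DIRECT))),
        "proxied": (is_banned(naive_client_ip(SPOOFED_VIA_PROXY)),
                    is_banned(client_ip(SPOOFED_VIA_PROXY))),
    }


if __name__ == "__main__":
    for name, (naive, hardened) in ban_decisions().items():
        print(f"{name}: naive banned={naive}, hardened banned={hardened}")
```

With the header-first pattern the banned client evades the ban in both requests simply by sending `X-Forwarded-For: 192.0.2.1`; the hardened lookup lands on `198.51.100.7` in both cases. The remaining limitation is the one answer #2 describes: if the client really connects through an anonymising proxy you do not operate, `REMOTE_ADDR` is that proxy and nothing in the request can reveal the address behind it.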

#2


0  

If the users are using a transparent proxy then the above code will get the real IP address. If they're using an anonymous proxy, though (like Anonymizer), then there's really no way to get the user's actual IP address.