How to get a user's client IP address in ASP.NET?

Often you will want to know the IP address of someone visiting your website. While ASP.NET has several ways to do this one of the best ways we've seen is by using the "HTTP_X_FORWARDED_FOR" of the ServerVariables collection.

Here's why...

Sometimes your visitors are behind either a proxy server or a router and the standard Request.UserHostAddress only captures the IP address of the proxy server or router. When this is the case the user's IP address is then stored in the server variable ("HTTP_X_FORWARDED_FOR").

So what we want to do is first check "HTTP_X_FORWARDED_FOR" and if that is empty we then simply return ServerVariables("REMOTE_ADDR").

While this method is not foolproof, it can lead to better results. Below is the ASP.NET code in VB.NET, taken from James Crowley's blog post "Gotcha: HTTP_X_FORWARDED_FOR returns multiple IP addresses"

protected string GetIPAddress()

{

    System.Web.HttpContext context = System.Web.HttpContext.Current;

    string ipAddress = context.Request.ServerVariables["HTTP_X_FORWARDED_FOR"];

    if (!string.IsNullOrEmpty(ipAddress))

    {

        string[] addresses = ipAddress.Split(',');

        if (addresses.Length != )

        {

            return addresses[];

        }

    }

    return context.Request.ServerVariables["REMOTE_ADDR"];

}
 
Be sure to not use this code for security purposes because anyone can fake HTTP_X_FORWARDED_FOR or similar headers. So if you use this for security related logging or security checks, an attacker can bypass it easily.

版本二   考虑了代理

 private string GetUserIP(NameValueCollection serverVariables)

        {

            string userIp;

            if (serverVariables["HTTP_VIA"] != null)

            {

                var ip = serverVariables["HTTP_X_FORWARDED_FOR"];

                if (ip != null)

                {

                    userIp = ip.Split(',')[];

                }

                else

                {

                    userIp = serverVariables["REMOTE_ADDR"];

                }

            }

            else

            {

                userIp = serverVariables["REMOTE_ADDR"];

            }

            return userIp;

        }

版本三  考虑HTTP_X_REAL_IP

private string GetIpFromServerVariables(NameValueCollection serverVariables)

        {

            if (serverVariables == null)

            {

                return null;

            }

            var ip = serverVariables["HTTP_X_FORWARDED_FOR"];

            ip = ip?.Split(',')[];

            if (string.IsNullOrWhiteSpace(ip))

            {

                ip = serverVariables["HTTP_X_REAL_IP"];

            }

            if (string.IsNullOrWhiteSpace(ip))

            {

                ip = serverVariables["REMOTE_ADDR"];

            }

            return ip;

        }

What is the difference between Request.UserHostAddress and Request.ServerVariables[“REMOTE_ADDR”].ToString()

Short answer: The two are identical.

Long answer: To determine the difference between the two use Reflector (or whatever disassembler you prefer).

The code for the HttpRequest.UserHostAddress property follows:

public string UserHostAddress

{

    get

    {

        if (this._wr != null)

        {

            return this._wr.GetRemoteAddress();

        }

        return null;

    }

}

Note that it returns _wr.GetRemoteAddress(). The _wr variable is an instance of an HttpWorkerRequest object. There are different classes derived from HttpWorkerRequest and which one is used depends on whether you are using IIS 6, IIS 7 or beyond, and some other factors, but all of the ones you would be using in a web application have the same code for GetRemoteAddress(), namely:

public override string GetRemoteAddress()

{

    return this.GetServerVariable("REMOTE_ADDR");

}

As you can see, GetRemoteAddress() simply returns the server variable REMOTE_ADDR.

As far as which one to use, I'd suggest the UserHostAddress property since is doesn't rely on "magic strings."

Happy Programming

【干货分享】获取用户IP的正确姿势

如何获取用户的IP,这个需求简直是太常见了,像登录入口,注册入口,投票,日志记录,api接口中判断同一个ip单位时间内的请求数,可是怎么去获取用户的真实IP呢?

网上的代码很多,好多人直接拿来就用,却没有想到带来了很大的安全问题。

1.代码示例

这是网上的一个示范例子,我们很多同事也这么写,上面这个例子是php实现的,由于HTTP_CLIENT_IP,HTTP_X_FORWARDED_FOR,HTTP_X_FORWARDED,HTTP_X_CLUSTER_CLIENT_IP,HTTP_FORWARDED_FOR,HTTP_FORWARDED,HTTP_VIA (经过的 Proxy)这些以HTTP打头的server变量都是用户可控的,由此可导致xss,认证绕过等缺陷。

下面我们看下python的例子:

也是由于客户端变量可控导致获取的ip可为任意值。在此例中,X-Real-IP是nginx特有的,通过配置proxy_set_header X-Real-IP $remote_addr;从REMOTE_ADDR中取值。

2 X-Forwarded-For和 REMOTE_ADDR的区别

REMOTE_ADDR代表着客户端的IP,但是这个客户端是相对服务器而言的,也就是实际上与服务器相连的机器的IP(建立tcp连接的那个),这个值是不可伪造的,如果没有代理的话,这个值就是用户实际的IP值,有代理的话,用户的请求会经过代理再到服务器,这个时候REMOTE_ADDR会被设置为代理机器的IP值
正如前面所说,有了代理就获取不了用户的真实IP,由此X-Forwarded-For应运而生,它是一个非正式协议,在请求转发到代理的时候代理会添加一个X-Forwarded-For头,将连接它的客户端IP(也就是你的上网机器IP)加到这个头信息里,这样末端的服务器就能获取真正上网的人的IP了。
假设用户的请求顺序如下:
网民电脑ip->代理服务器1–>代理服务器2–>目标服务器
REMOTE_ADDR:代理服务器2的IP值
X-Forwarded-For就是:网民电脑IP,代理1的IP,代理2的IP
在这里只有REMOTE_ADDR是可信的,其他从客户端获取的数据都是不可信的,都是可伪造的。下面简单示例下一个篡改X-Forwarded-For的情况:

3 正确的代码示例

在X-Forwarded-For信息头中可以提取真实的用户IP,但是这个IP是可以伪造的,如果从X-Forwarded-For提取IP作为用户的IP对于存在登录次数,api速率限制等一些接口是致命的缺陷,因为任意构造出无数的合法或者非法IP地址。

而REMOTE_ADDR只是服务器前端的IP地址,如果没有代理就是用户的真实地址。这个是不可伪造的,而且代理是有限的,可以基于此来获取IP。在wordpress中,获取客户的IP地址代码如下:

4 总结
X-Forwarded-For可被用户伪造,不应该被信任;REMOTE_ADDR是使用“REMOTE_ADDR”机器的前一个建立tcp连接的机器的地址,是不可伪造的,在无代理时可以理解为用户的IP地址,有反向代理时,先将REMOTE_ADDR赋给X-Real-IP,最后可以从X-Real-IP中获取用户的IP。

参考文献:
http://gong1208.iteye.com/blog/1559835
http://devco.re/blog/2014/06/19/client-ip-detection/
http://blog.pengqi.me/2013/04/20/remote-addr-and-x-forwarded-for/

ASP.NET获取用户端的真实IP

改进版获取用户真实IP

/// <summary>

        /// 取得客户端真实IP。如果有代理则取第一个非内网地址

        /// Author:codeo.cn

        /// </summary>

        /// <returns></returns>

        public static string GetIPAddress()

        {

            string strresult = string.Empty;

            strresult = HttpContext.Current.Request.ServerVariables["HTTP_X_FORWARDED_FOR"];

            if (strresult != null && strresult != string.Empty)

            {

                //可能有代理

                if (strresult.IndexOf(".") == -)    //没有“.”肯定是非IPv4格式

                {

                    strresult = null;

                }

                else

                {

                    if (strresult.IndexOf(".") != -)

                    {

                        //有“,”,估计多个代理。取第一个不是内网的IP。

                        strresult = strresult.Replace(" ", "").Replace("'", "");

                        string[] strarrtemparyip = strresult.Split(",;".ToCharArray());

                        for (int i = ; i < strarrtemparyip.Length; i++)

                        {

                            if (IsIPAddress(strarrtemparyip[i]) && strarrtemparyip[i].Substring(, ) != "10." && strarrtemparyip[i].Substring(, ) != "192.168" && strarrtemparyip[i].Substring(, ) != "172.16.")

                            {

                                return strarrtemparyip[i];    //找到不是内网的地址

                            }

                        }

                    }

                    else if (IsIPAddress(strresult))    //代理即是IP格式

                    {

                        return strresult;

                    }

                    else

                    {

                        strresult = null;       //代理中的内容 非IP,取IP

                    }

                }

            }

            string strIpAddress = (HttpContext.Current.Request.ServerVariables["HTTP_X_FORWARDED_FOR"] != null && HttpContext.Current.Request.ServerVariables["HTTP_X_FORWARDED_FOR"] != string.Empty ? HttpContext.Current.Request.ServerVariables["HTTP_X_FORWARDED_FOR"] : HttpContext.Current.Request.ServerVariables["REMOTE_ADDR"]);

            if (null == strresult || strresult == string.Empty)

            {

                strresult = HttpContext.Current.Request.ServerVariables["REMOTE_ADDR"];

            }

            if (strresult == null || strresult == string.Empty)

            {

                strresult = HttpContext.Current.Request.UserHostAddress;

            }

            return strresult;

        }

        /// <summary>

        /// 判断是否是IP地址格式 0.0.0.0

        /// Author:codeo.cn

        /// </summary>

        /// <param name="strIp">待判断的IP地址</param>

        /// <returns>true or false</returns>

        private static bool IsIPAddress(string strIp)

        {

            if (strIp == null || strIp == string.Empty || strIp.Length <  || strIp.Length > )

            {

                return false;

            }

            string strRegformat = @"^d{1,3}[.]d{1,3}[.]d{1,3}[.]d{1,3}___FCKpd___0quot";

            Regex regex = new Regex(strRegformat, RegexOptions.IgnoreCase);

            return regex.IsMatch(strIp);

        }

Get Client IP的更多相关文章

  1. Client IP Address Client Identification

    HTTP The Definitive Guide Early web pioneers tried using the IP address of the client as a form of i ...

  2. Asp.Net Core get client IP

    不废话,直接上代码,你懂得. public string GetRequestIP(bool tryUseXForwardHeader = true) { string ip = null; // t ...

  3. Enables DNS lookups on client IP addresses 域名的分层结构

    虚拟域名访问,路由可以到达,但无输出. http://httpd.apache.org/docs/2.2/mod/core.html#hostnamelookups 移动解析 HttpDNS_域名解析 ...

  4. Django runserver show client ip

    get path of basehttp.py $ python >>> import site >>> site.getsitepackages() ['/usr ...

  5. nginx client ip配置

    server { listen 80; server_name localhost; location /{ root html; index index.html index.htm; proxy_ ...

  6. Enables DNS lookups on client IP addresses

    w虚拟域名访问,路由可以到达,但无输出. http://httpd.apache.org/docs/2.2/mod/core.html#hostnamelookups

  7. Get the client's IP address in socket.io

    From: https://www.wentong.org/codex/question-2018081564702.html When using socket.IO in a Node.js se ...

  8. ASP.NET获取真正的客户端IP地址的6种方法

    Request.ServerVariables("REMOTE_ADDR") 来取得客户端的IP地址,但如果客户端是使用代理服务器来访问,那取到的就是代理服务器的IP地址,而不是真 ...

  9. 根据Request获取客户端IP 内网IP及外网IP

    在JSP里,获取客户端的IP地址的方法是:request.getRemoteAddr() ,这种方法在大部分情况下都是有效的.但是在通过了Apache,Squid等反向代理软件就不能获取到客户端的真实 ...

随机推荐

  1. 又一次发现Oracle太美之glogin.sql

    又一次发现Oracle太美之glogin.sql 刚開始接触Oracle的时候,有时候一登陆一个生产环境.常常会出现以下的情况: [oracle@rh64 app]$ sqlplus / as sys ...

  2. java中字符串编码转换

    Java 正确的做字符串编码转换 字符串的内部表示? 字符串在java中统一用unicode表示( 即utf-16 LE) , 对于 String s = "你好哦!"; 如果源码 ...

  3. python中类的定义、实例化、封装以及私有变量/方法

    1.  定义类 python中定义一个类的格式如下: class MyClass(object): def __init__(self,data1,data2): self.__data1=data1 ...

  4. C# web api 中过滤器的使用

    一.开篇 Fiter在Web API中经常会用到,主要用于记录日志,安全验证,全局错误处理等:Web API提供两种过滤器的基本类型:actionfilterattribute,exceptionfi ...

  5. struts2学习之基础笔记1

    第6章 Strusts 2框架 1  引出 Web App  àà MVC  àà View 视图(jsp,html,JS) | C(Servlet)Filter,Listneer | M(数据bea ...

  6. React router内是如何做到监听history改变的

    问题背景 今天面试的时候,被问到这么个问题.在html5的history情况下,pushstate和replacestate是无法触发pushstate的事件的,那么他是怎么做到正确的监听呢?我当时给 ...

  7. js 数据类型判断

    判断type类型 isString (o) { //是否字符串 return Object.prototype.toString.call(o).slice(8, -1) === 'String' } ...

  8. java8 Lambad表达式自己的例子

    service层方法 public <E> E outer(Function<Session, E> function) { return dao.outer(function ...

  9. 使用JS&jQuery改善用户体验

    第一章  JavaScript基本语法 一.运算符 运算符就是完成操作的一系列符号,它有七类: 赋值运算符(=,+=,-=,*=,/=,%=,<<=,>>=,|=,&= ...

  10. 深入分析C++虚函数表

    C++中的虚函数(Virtual Function)是用来实现动态多态性的,指的是当基类指针指向其派生类实例时,可以用基类指针调用派生类中的成员函数.如果基类指针指向不同的派生类,则它调用同一个函数就 ...