Is there a way to find IP address?

Discussion in 'Python' started by Lad, Sep 13, 2006.

  1. Lad

    Lad Guest

    Normaly I can log user's IP address using os.environ["REMOTE_ADDR"] .
    If a user is behind a proxy, I will log proxy's IP address only.
    Is there a way how to find a real IP user's address?
    Thank you for help.
    LL.
     
    Lad, Sep 13, 2006
    #1
    1. Advertising

  2. Lad wrote:

    > Normaly I can log user's IP address using os.environ["REMOTE_ADDR"] .
    > If a user is behind a proxy, I will log proxy's IP address only.
    > Is there a way how to find a real IP user's address?


    os.environ["HTTP_X_FORWARDED_FOR"]

    (but that can easily be spoofed, and is mostly meaningless if the user
    uses local IP addresses at the other side of the proxy, so you should
    use it with care)

    </F>
     
    Fredrik Lundh, Sep 13, 2006
    #2
    1. Advertising

  3. Lad

    Lad Guest

    Fredrik Lundh wrote:
    > Lad wrote:
    >
    > > Normaly I can log user's IP address using os.environ["REMOTE_ADDR"] .
    > > If a user is behind a proxy, I will log proxy's IP address only.
    > > Is there a way how to find a real IP user's address?

    >
    > os.environ["HTTP_X_FORWARDED_FOR"]
    >
    > (but that can easily be spoofed, and is mostly meaningless if the user
    > uses local IP addresses at the other side of the proxy, so you should
    > use it with care)
    >
    > </F>

    Hello Fredrik,
    Thank you for your reply.
    How can be HTTP_X_FORWARDED_FOR easily spoofed? I thought that IP
    address is not possible change.
    Thank you for your reply
    L.
     
    Lad, Sep 15, 2006
    #3
  4. Lad

    Tim Roberts Guest

    "Lad" <> wrote:
    >
    >Normaly I can log user's IP address using os.environ["REMOTE_ADDR"] .
    >If a user is behind a proxy, I will log proxy's IP address only.
    >Is there a way how to find a real IP user's address?


    Not reliably, but why would you want to? That IP address is not reachable
    from your server anyway.
    --
    - Tim Roberts,
    Providenza & Boekelheide, Inc.
     
    Tim Roberts, Sep 15, 2006
    #4
  5. On 09/15/2006 Lad wrote:
    > How can be HTTP_X_FORWARDED_FOR easily spoofed? I thought that IP
    > address is not possible change.


    Because it is a header that is added by the proxy. This header has (or
    should have) no role in the proces of relaying the request by the proxy.
    It is just politely added by the proxy to make it possible to identify
    for who the request is forwarded. So the proxy might add anything it
    likes, or nothing at all if it is an anonymizing proxy.

    Winfried
     
    Winfried Tilanus, Sep 15, 2006
    #5
  6. Lad

    Tim Roberts Guest

    "Lad" <> wrote:
    >Fredrik Lundh wrote:
    >> Lad wrote:
    >>
    >> > Normaly I can log user's IP address using os.environ["REMOTE_ADDR"] .
    >> > If a user is behind a proxy, I will log proxy's IP address only.
    >> > Is there a way how to find a real IP user's address?

    >>
    >> os.environ["HTTP_X_FORWARDED_FOR"]
    >>
    >> (but that can easily be spoofed, and is mostly meaningless if the user
    >> uses local IP addresses at the other side of the proxy, so you should
    >> use it with care)
    >>

    >Hello Fredrik,
    >Thank you for your reply.
    >How can be HTTP_X_FORWARDED_FOR easily spoofed? I thought that IP
    >address is not possible change.


    No, but HTTP headers are just text. A client can put whatever it wants in
    them.
    --
    - Tim Roberts,
    Providenza & Boekelheide, Inc.
     
    Tim Roberts, Sep 17, 2006
    #6
  7. Lad

    Damjan Guest

    >> Normaly I can log user's IP address using os.environ["REMOTE_ADDR"] .
    >> If a user is behind a proxy, I will log proxy's IP address only.
    >> Is there a way how to find a real IP user's address?

    >
    > os.environ["HTTP_X_FORWARDED_FOR"]
    >
    > (but that can easily be spoofed, and is mostly meaningless if the user
    > uses local IP addresses at the other side of the proxy, so you should
    > use it with care)


    Yep, you should only use "HTTP_X_FORWARDED_FOR" if you trust the proxy and
    you check that the request is indeed coming from it
    (if environ["REMOTE_ADDR"] in proxy_list).


    --
    damjan
     
    Damjan, Sep 17, 2006
    #7
  8. Lad

    Damjan Guest


    >> > Normaly I can log user's IP address using os.environ["REMOTE_ADDR"] .
    >> > If a user is behind a proxy, I will log proxy's IP address only.
    >> > Is there a way how to find a real IP user's address?

    >>
    >> os.environ["HTTP_X_FORWARDED_FOR"]
    >>
    >> (but that can easily be spoofed, and is mostly meaningless if the user
    >> uses local IP addresses at the other side of the proxy, so you should
    >> use it with care)


    > How can be HTTP_X_FORWARDED_FOR easily spoofed? I thought that IP
    > address is not possible change.


    I can setup my browser to always send you a fake HTTP_X_FORWARDED_FOR
    header.



    --
    damjan
     
    Damjan, Sep 17, 2006
    #8
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. rubikzube*
    Replies:
    4
    Views:
    866
    Gordon Beaton
    Feb 26, 2007
  2. ralderton
    Replies:
    0
    Views:
    378
    ralderton
    May 10, 2009
  3. Wybo Dekker
    Replies:
    1
    Views:
    365
    Yukihiro Matsumoto
    Nov 15, 2005
  4. Mounir
    Replies:
    2
    Views:
    110
  5. vdvorkin
    Replies:
    0
    Views:
    413
    vdvorkin
    Feb 10, 2011
Loading...

Share This Page