Is there a way to find IP address?

[Lad]

Normaly I can log user's IP address using os.environ["REMOTE_ADDR"] .
If a user is behind a proxy, I will log proxy's IP address only.
Is there a way how to find a real IP user's address?
Thank you for help.
LL.

 

[Fredrik Lundh]

Normaly I can log user's IP address using os.environ["REMOTE_ADDR"] .
If a user is behind a proxy, I will log proxy's IP address only.
Is there a way how to find a real IP user's address?

os.environ["HTTP_X_FORWARDED_FOR"]

(but that can easily be spoofed, and is mostly meaningless if the user
uses local IP addresses at the other side of the proxy, so you should
use it with care)

</F>

 

[Lad]

Normaly I can log user's IP address using os.environ["REMOTE_ADDR"] .
If a user is behind a proxy, I will log proxy's IP address only.
Is there a way how to find a real IP user's address?

os.environ["HTTP_X_FORWARDED_FOR"]

(but that can easily be spoofed, and is mostly meaningless if the user
uses local IP addresses at the other side of the proxy, so you should
use it with care)

</F>

Hello Fredrik,
Thank you for your reply.
How can be HTTP_X_FORWARDED_FOR easily spoofed? I thought that IP
address is not possible change.
Thank you for your reply
L.

 

[Tim Roberts]

Normaly I can log user's IP address using os.environ["REMOTE_ADDR"] .
If a user is behind a proxy, I will log proxy's IP address only.
Is there a way how to find a real IP user's address?

Not reliably, but why would you want to? That IP address is not reachable
from your server anyway.

 

[Winfried Tilanus]

How can be HTTP_X_FORWARDED_FOR easily spoofed? I thought that IP
address is not possible change.

Because it is a header that is added by the proxy. This header has (or
should have) no role in the proces of relaying the request by the proxy.
It is just politely added by the proxy to make it possible to identify
for who the request is forwarded. So the proxy might add anything it
likes, or nothing at all if it is an anonymizing proxy.

Winfried

 

[Tim Roberts]

Normaly I can log user's IP address using os.environ["REMOTE_ADDR"] .
If a user is behind a proxy, I will log proxy's IP address only.
Is there a way how to find a real IP user's address?

os.environ["HTTP_X_FORWARDED_FOR"]

(but that can easily be spoofed, and is mostly meaningless if the user
uses local IP addresses at the other side of the proxy, so you should
use it with care)

Hello Fredrik,
Thank you for your reply.
How can be HTTP_X_FORWARDED_FOR easily spoofed? I thought that IP
address is not possible change.

No, but HTTP headers are just text. A client can put whatever it wants in
them.

 

[Damjan]

Normaly I can log user's IP address using os.environ["REMOTE_ADDR"] .

If a user is behind a proxy, I will log proxy's IP address only.
Is there a way how to find a real IP user's address?

os.environ["HTTP_X_FORWARDED_FOR"]

(but that can easily be spoofed, and is mostly meaningless if the user
uses local IP addresses at the other side of the proxy, so you should
use it with care)

Yep, you should only use "HTTP_X_FORWARDED_FOR" if you trust the proxy and
you check that the request is indeed coming from it
(if environ["REMOTE_ADDR"] in proxy_list).

 

[Damjan]

Normaly I can log user's IP address using os.environ["REMOTE_ADDR"] .
If a user is behind a proxy, I will log proxy's IP address only.
Is there a way how to find a real IP user's address?

os.environ["HTTP_X_FORWARDED_FOR"]

(but that can easily be spoofed, and is mostly meaningless if the user
uses local IP addresses at the other side of the proxy, so you should
use it with care)

How can be HTTP_X_FORWARDED_FOR easily spoofed? I thought that IP
address is not possible change.

I can setup my browser to always send you a fake HTTP_X_FORWARDED_FOR
header.