[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More


PHP working behind proxies.

Published on
9,073 Points
1 Endorsement
Last Modified:
Chris Gralike
Not too political, always looking for the best advice or solution, and if need be using a pragmatic approach.
When coding behind a proxy there are some challenges when it comes to user management and sessions management. Also many people think that when they are behind a proxy they cant be traced. Well to be clear, there are no secrets when it comes to IP information.

Many applications i viewed are 9/10 times using $_SERVER['remote_addr'] to find the visiting client IP address. In most cases this will work as designed up till the point the application is put behind a proxy. In this situation the logged IP address will always be the one held by the proxy server.

Luckily every proxy server will add a new headers we can utilize to find the IP held be the client. These header are respectively;

"HTTP_X_FORWARDED_FOR"  Contains the remote client IP for which the forward was performed.
"HTTP_X_FORWARDED_HOST" Contains the address of the responsible proxy server.
"HTTP_X_FORWARDED_SERVER" Contains the FQDN of the responsible proxy server.

When using these header in conjunction with the allready much utilized "REMOTE_ADDR" we can easly define a function to fetch the true remote address, even when being accessed through a proxy.

function getRemoteIP(){
	$xFor    = (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : false;
	$xHost   = (isset($_SERVER['HTTP_X_FORWARDED_HOST'])) ? $_SERVER['HTTP_X_FORWARDED_HOST'] : false;
    $rAddr   = (isset($_SERVER['REMOTE_ADDR'])) ? $_SERVER['REMOTE_ADDR'] : false;	
		return ($xFor != $rAddr) ? $xFor : $rAddr;
		return $rAddr;
echo getRemoteIP();

Open in new window

How to find the visitors IP address?

Always consider the fact that you, the visitor of any other daemon or bot might be using proxies in an attempt to conceal them selfs. When your applications policy is not to allow this, then you might also utilize these headers to block these connection attempts and or generate warnings.

Hope these headers will help you make better and more secure applications ;-)


Featured Post

OWASP: Threats Fundamentals

Learn the top ten threats that are present in modern web-application development and how to protect your business from them.

Join & Write a Comment

Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
The viewer will learn how to dynamically set the form action using jQuery.

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month