Getting the client's IP address is probably one of the most interesting and controversial questions, not only in ASP.NET but in web development in general. There are several ways to do it, and each method has both supporters and opponents. I'll try to describe these options, how they differ from each other, and which one is better to use.
The most widely known way of getting the client's IP address in the ASP.NET world is HttpContext.Current.Request.UserHostAddress, which is essentially a wrapper over REMOTE_ADDR, which stores the address of the host from which the request came. REMOTE_ADDR is used to determine the client's IP in almost all programming languages, and everywhere there is heated debate about whether to use it. Why is that? Because REMOTE_ADDR contains the address of the computer that created the connection to the server. In the early days of the Internet, when the HTTP protocol emerged, that computer was almost certainly the client, so all was well. Now, in most cases, REMOTE_ADDR will hold the address of a proxy server on the internal network (corporate or home, it makes no difference) through which the client's request passed.
Another example, one that Linux programmers run into most often, is the result of a misconfigured nginx. ;)
Imagine that you have a misconfigured load balancer. In this case, REMOTE_ADDR is 10.10.0.2, which is obviously not the client's address.
In general, it is because of these two points about REMOTE_ADDR that many recommend using another header to obtain the client's address: HTTP_X_FORWARDED_FOR, invented back in the day by the creators of the Squid caching proxy server.
This header should ideally contain the entire chain of IP addresses from the client to your server, separated by commas. Why ideally? Because, firstly, the header is sent by the client, which means the client can write anything it likes into it, such as "la-la-la". As a result, if there is a proxy between a malicious client and your server,
HTTP_X_FORWARDED_FOR will contain something like:
la-la-la, 192.168.0.10
So, as you have probably guessed, you cannot use this header the way the Internet often recommends. Forget about this option:
```csharp
if (HttpContext.Current.Request.ServerVariables["HTTP_X_FORWARDED_FOR"] != null)
{
    return HttpContext.Current.Request.ServerVariables["HTTP_X_FORWARDED_FOR"].ToString();
}
```
Firstly, it can contain anything, not necessarily an IP address. And secondly, this header will contain the client's real IP address in pure form only if there is exactly one proxy between the client and you and the client has a normal, full IP address.
In 99.9% of cases it will be an address from the private subnet 192.168.*.*. So, if you decide to use HTTP_X_FORWARDED_FOR, at least check that it actually contains an IP address and which IP range that address comes from.
```csharp
// Requires: using System.Text.RegularExpressions;
string ipAddr = HttpContext.Current.Request.ServerVariables["HTTP_X_FORWARDED_FOR"];
// The header is absent on direct connections, so guard against null before matching.
if (ipAddr != null && Regex.IsMatch(ipAddr, @"^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$"))
{
    // Accept the value only if it is outside the private ranges checked here.
    if (!(ipAddr.StartsWith("192.168.") || ipAddr.StartsWith("10.")))
    {
        return ipAddr;
    }
}
return HttpContext.Current.Request.UserHostAddress;
```
If HTTP_X_FORWARDED_FOR contains multiple addresses, I recommend using the second one, since the first address is virtually guaranteed to be from the internal subnet. And, of course, do not forget to check the contents.
```csharp
// Requires: using System.Text.RegularExpressions;
string ipAddr = HttpContext.Current.Request.ServerVariables["HTTP_X_FORWARDED_FOR"];
if (!string.IsNullOrEmpty(ipAddr))
{
    string[] addresses = ipAddr.Split(',');
    if (addresses.Length == 1)
    {
        ipAddr = addresses[0];
    }
    else if (addresses.Length > 1)
    {
        ipAddr = addresses[1];
    }
    // Entries are separated by ", ", so strip the whitespace before validating.
    ipAddr = ipAddr.Trim();
    if (Regex.IsMatch(ipAddr, @"^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$"))
    {
        if (!(ipAddr.StartsWith("192.168.") || ipAddr.StartsWith("10.")))
        {
            return ipAddr;
        }
    }
}
return HttpContext.Current.Request.UserHostAddress;
```
So this code, in my opinion, is the most appropriate for determining the client's IP address. Though I think that in most cases Request.UserHostAddress or Request.ServerVariables["REMOTE_ADDR"] is still enough.
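The following is an added example, not code from the original article. It goes one step beyond the checks above: it honours HTTP_X_FORWARDED_FOR only when REMOTE_ADDR is one of your own proxies, then reads the chain from the server side back towards the client, so an entry forged by the client is never returned. The `ClientIp` class, the `TrustedProxies` list and the sample addresses are assumptions constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

public static class ClientIp
{
    // Assumption: addresses of your own proxies/balancers (10.10.0.2 is the article's example).
    static readonly HashSet<string> TrustedProxies = new HashSet<string> { "10.10.0.2" };

    // Strict parse: IPAddress.TryParse also accepts short forms such as "1",
    // so require the canonical text to match the input exactly.
    static bool TryParseStrict(string text, out IPAddress ip)
    {
        return IPAddress.TryParse(text, out ip) && ip.ToString() == text;
    }

    // remoteAddr: Request.UserHostAddress
    // xff: Request.ServerVariables["HTTP_X_FORWARDED_FOR"] (null when absent)
    public static string Resolve(string remoteAddr, string xff)
    {
        // Entries are believable only if our own proxy appended the last one.
        if (string.IsNullOrEmpty(xff) || !TrustedProxies.Contains(remoteAddr))
            return remoteAddr;

        string[] hops = xff.Split(',');
        // Walk from the entry nearest to the server back towards the client.
        for (int i = hops.Length - 1; i >= 0; i--)
        {
            IPAddress ip;
            if (!TryParseStrict(hops[i].Trim(), out ip))
                break;                      // garbage: nothing further left is verifiable
            if (!TrustedProxies.Contains(ip.ToString()))
                return ip.ToString();       // first hop that is not one of our proxies
        }
        return remoteAddr;
    }

    public static void Main()
    {
        // Constructed samples. Direct peer is not our proxy: header ignored.
        Console.WriteLine(Resolve("203.0.113.7", "la-la-la, 192.168.0.10"));
        // Peer is our balancer; the client forged the first entry.
        Console.WriteLine(Resolve("10.10.0.2", "la-la-la, 198.51.100.23"));
        // Peer is our balancer but the header holds no valid address.
        Console.WriteLine(Resolve("10.10.0.2", "la-la-la"));
    }
}
```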
And if you need the client IP for security reasons, for example to check the validity of a session, the most appropriate solution is the simplest one: compare everything there is, for example as a simple string:
```csharp
// Concatenating a null header value is safe in C#: null is treated as an empty string.
string ipAddrForSecurity =
    HttpContext.Current.Request.UserHostAddress +
    HttpContext.Current.Request.ServerVariables["HTTP_X_FORWARDED_FOR"];
```