I’m trying to get my ip address.
Here is the code. The getClientIp() method uses the $_SERVER['REMOTE_ADDR'] global variable internally, so $request->getClientIp() and $_SERVER['REMOTE_ADDR'] are the same.
<?php
use Symfony\Component\HttpFoundation\Request;
$request = Request::createFromGlobals();
Http::response('IP address:' . $request->getClientIp())->json();
I have php deployed in docker on my local machine. So I send a request to localhost
http://localhost/api/v1/ip_address
and get a response.
{
"message": "IP address:172.ХХ.Х.Х", // I replaced my ip numbers with x.
"data": []
}
But there is a problem, the ip address that I get is different from the ip address that applications like "get my ip" give me.
You can just open Google and type in the search "find out my ip online" or "what is my ip" and they will give the correct ip, but the ip that I get from php is not.
I think this is due to the fact that I am making a request to my own computer, and not to a remote server. Can anyone explain why this is happening and if I can get around it?
Update:
From php I get the internal ip address because it starts with 172.X.X…
4 Answers
"I think this is due to the fact that I am making a request to my own computer, and not to a remote server."
You kinda answered your own question here 😉
Because you are running it locally you see your private IP address
If you want to find your public IP address, check out this post
You can only get the IP address the request comes from.
If you make a request to the same computer then you probably use a loopback IP address like 127.0.0.1 or ::1.
If you make a request to a computer on the same LAN then you’ll probably use an IP address in a private address range.
If you make a request to a computer on the Internet then you’ll probably relay the request through a router providing NAT and, as far as the server is concerned, the request will come from the router’s Internet-facing IP address.
You can’t tell what IP addresses might be assigned to a computer but which weren’t used to make the request.
The closest you could come would be to make requests which require the use of other IPs.
e.g. explicitly to an IPv4 address and to an IPv6 address and then you could have one of the IPv4 addresses and one of the IPv6 addresses (if there are any). Likewise have a request made to an IP address explicitly on the Internet and not on the local network to get an Internet-facing address.
Your PHP app has no clue about your public IP as it is in the private network. Public IP is assigned to you by your ISP/Router. Router NATs the private IPs so only 1 IP is allocated to your private network.
"What is my IP" website is in the public internet, so it sees your public IP and it has no clue about your 172.xxx.xxx.xxx IP. Router takes care of the translation.
So, from within the app, you will always get your private IP.
If, from within your app, you need to know your public IP for whatever reason, you may call the API provided by ipify.org.
For more details on how NAT works, see this reference:
https://www.geeksforgeeks.org/network-address-translation-nat/
The $_SERVER['HTTP_CLIENT_IP'] appears mostly synonymous, with very little difference, with $_SERVER['REMOTE_ADDR'] – I’m not a PHP expert, but they’re both fairly reliable and will help for a single use case for direct traffic communications. Obtaining the Real-IP is a special task that is kind of important, but there are a couple of additional factors to consider depending on your design and how to properly obtain the IP address depending on the setup.
You’re reaching your host from your local machine, so private IP addresses will be shown since there are no additional hops identified.
i. Typically a Public IP address can be found when your service is reached over the internet.
Are you directly exposing the service?
i. When you directly expose the device, yes, you can obtain the IP directly. However, you’re at the mercy of your own secure code.
Are you adding any technologies to your design, such as a reverse-proxy system such as NGINX and/or protection technologies such as a WAF (CloudFlare / Barracuda / Azure / AWS ALB/ELB)?
i. You’ll have to understand that the Remote Address input will then become unreliable as a client IP, because these devices will have the Remote IP Address represent the device as it faces your service from the host that forwarded the traffic. You’ll have to rely on X-Forwarded-For ($_SERVER['HTTP_X_FORWARDED_FOR']) headers, in addition to considerations for secure coding practices using X-Forwarded-For. Just keep in mind these can generally be forged headers from a threat actor perspective. It’s important to use Network ACLs to strictly traffic shape and only allow your trusted technology to establish direct connections to your system in this system.
ii. Capturing IP: Your Host <- log x-forwarded-for -> Intermediary Host <- will log Client IP -> Remote IP
iii. Network ACL: Your Host <- Allow only intermediary -> Intermediary Host <- Allow Any (separate from authenticated at app layer) -> Remote IP
Then you’ll have to reconcile your logs in Splunk or whatever you’re requiring these correlations to take place in that provides the Real-IP from whichever source you’re receiving the traffic.
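The trust rule from the last answer (behind a reverse proxy REMOTE_ADDR is the proxy, and X-Forwarded-For can be forged by anyone who connects directly), as an added example that is not code from the question or from any answer. The proxy address 172.18.0.2, the sample requests and the function names are assumptions made for illustration.

```php
<?php
// Added example, not code from the question or the answers.
// Assumed setup: exactly one reverse proxy, at 172.18.0.2 (constructed address).
const TRUSTED_PROXIES = ['172.18.0.2/32'];

// True if IPv4 $ip lies inside one of the trusted CIDRs (IPv4 only, 64-bit PHP).
function isTrustedProxy(string $ip): bool
{
    $ipLong = ip2long($ip);
    foreach (TRUSTED_PROXIES as $cidr) {
        [$net, $bits] = explode('/', $cidr) + [1 => '32'];
        $mask = (-1 << (32 - (int) $bits)) & 0xFFFFFFFF;
        if ($ipLong !== false && ($ipLong & $mask) === (ip2long($net) & $mask)) {
            return true;
        }
    }
    return false;
}

// Use REMOTE_ADDR unless the TCP peer is a trusted proxy; only then read
// X-Forwarded-For, right to left, and take the first hop that is not a proxy.
function resolveClientIp(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '' || !isTrustedProxy($peer)) {
        return $peer; // header ignored: a direct client can set it to anything
    }
    foreach (array_reverse(array_map('trim', explode(',', $xff))) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: stop and fall back to the peer
        }
        if (!isTrustedProxy($hop)) {
            return $hop; // nearest hop that our own proxy actually saw
        }
    }
    return $peer;
}

// Constructed requests: a direct hit carrying a forged header, then one that
// came through the proxy with a client-supplied entry in front of the real hop.
$direct  = ['REMOTE_ADDR' => '172.18.0.1', 'HTTP_X_FORWARDED_FOR' => '203.0.113.9'];
$proxied = ['REMOTE_ADDR' => '172.18.0.2', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7, 203.0.113.9'];
foreach ([$direct, $proxied] as $server) {
    echo resolveClientIp($server), PHP_EOL;
}
```

In Symfony the same rule is configured with Request::setTrustedProxies(), after which getClientIp() reads the forwarded header only for connections coming from those proxies.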