0x01 Let’s start with a question

In the test environment, the WeChat payment channel reports "the network environment failed the security check, please try again later". Our first thought was that the network parameters we report to WeChat do not match what WeChat actually sees on the connection, so we checked the manual, confirmed this was the problem, and started the investigation.

  1. The method for obtaining the real IP address may be incorrect

     The program reads the candidates in sequence and filters the result:

     1. getenv('HTTP_CLIENT_IP')
     2. getenv('HTTP_X_FORWARDED_FOR')
     3. getenv('REMOTE_ADDR')
     4. filter_var($remote_ip, FILTER_VALIDATE_IP)

     The program itself is fine, so we move one level up.
  2. Reverse proxy or not

     Behind a reverse proxy there is an extra intermediary between the client and the web server, so the web server cannot see the client's IP directly; `$remote_addr` only yields the reverse proxy's IP address. We checked and there was no such problem. A colleague who is good at network engineering said: never throw in the towel.

  3. NAT may be allocating an egress IP address, or the load balancing service may be abnormal

     1. First get my local intranet and extranet IP to make later troubleshooting easier

        # local IP (the inet line of the active "en" interface)
        ifconfig | grep -A 1 "en" | grep broadcast | cut -d " " -f 2
        # public IP
        curl --silent http://icanhazip.com

     2. Check who is connecting to port 80

        # LOCAL_IP is the address found above
        netstat -tn | grep 80 | awk '{print $5}' | awk -F: '{print $1}' | grep "$LOCAL_IP"

     It turns out that `$remote_addr` on the web server is in 10.168.0.0/16, i.e. a private NAT address rather than the client's public one.


0x02 LNMP stack: taking the real IP

In PHP, `$_SERVER['REMOTE_ADDR']` is imported from nginx through `fastcgi.conf` (the line `fastcgi_param REMOTE_ADDR $remote_addr;`), so it is equal to nginx's `$remote_addr`.

Several variables in Nginx:

  • $remote_addr

    icanhazip works the same way. When your browser visits a website, assuming there are no proxies in between, the site's web server sets `$remote_addr` to your public IP address. If you use a proxy, your browser visits the proxy and the proxy forwards the request to the site, so the web server sets `$remote_addr` to the proxy machine's IP, unless the proxy passes your IP along in a request header.

  • $proxy_add_x_forwarded_for

    The `$proxy_add_x_forwarded_for` variable contains the client's "X-Forwarded-For" request header followed by `$remote_addr`, separated by a comma. X-Forwarded-For (XFF for short) is an HTTP extension header. It is not defined in RFC 2616; it was originally introduced by the Squid caching proxy to carry the real IP address of the HTTP requester. Today it has become a de facto standard, widely used by HTTP proxies, load balancers and other forwarding services, and it is incorporated into RFC 7239 (Forwarded HTTP Extension).

  • proxy_set_header

    As described in the troubleshooting above, the proxy passes the client address on by setting request headers:

      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
  • X-Real-IP

    A custom header field such as X-Real-IP is usually set by an HTTP proxy to carry the IP address of the device it has the TCP connection with. That device may be another proxy or the actual requester, depending on how many proxy layers the request has passed through and whether each one passes the real IP all the way down. (Remember: anything passed by the client is not trusted.)

When multiple proxy layers or a CDN sit in front of the server, if any proxy does not pass the user's real IP address on, the server will never get the user's real IP address.
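The check the note above implies, as an added example that is not code from the original post: anchor on REMOTE_ADDR (the only value set by the TCP layer), walk X-Forwarded-For from the right, and stop at the first hop that is not one of our own proxies, so a forged entry on the left is never trusted. The trusted ranges (the RFC1918 space plus an assumed load balancer at 203.0.113.10) and the sample headers are constructed for the example.

```python
import ipaddress

# Constructed trust list: RFC1918 ranges plus one assumed public
# load-balancer address (203.0.113.10 is documentation space).
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("203.0.113.10/32"),
]


def is_trusted_proxy(ip):
    """True if ip belongs to one of our own proxy/NAT ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, xff_header=""):
    """Resolve the client IP from REMOTE_ADDR and the X-Forwarded-For header.

    If REMOTE_ADDR is not a trusted proxy, the peer *is* the client and the
    header is ignored entirely (a client can send any XFF it likes).
    Otherwise peel trusted hops off the right end of XFF; the first untrusted
    address is the client. A malformed entry ends the walk, so we fall back
    to the last trusted hop instead of trusting garbage.
    """
    if not is_trusted_proxy(remote_addr):
        return remote_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    current = remote_addr
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break
        current = hop
        if not is_trusted_proxy(hop):
            break
    return current


if __name__ == "__main__":
    # Direct client forging a header: header ignored, peer address wins.
    print(client_ip("116.1.2.3", "1.2.3.4"))
    # Client behind our NAT proxy, with a forged left-most entry.
    print(client_ip("10.168.0.1", "1.2.3.4, 116.1.2.3"))
```

Reading the header from the left (as `getenv('HTTP_X_FORWARDED_FOR')` taken at face value does) would return the forged 1.2.3.4 in the second case.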

0x03 Where is the real IP address of the user?

  1. The broadband provider provides an independent IP address. For example, home telecom broadband is allocated a public IP address. The IP path of a request is as follows:

     In this case, 119.147.19.234 receives the request from 116.1.2.3 and attaches that address in a header when forwarding to 10.168.0.0/32, so the user IP obtained is 116.1.2.3. If 119.110.0.0/16 did not pass 116.1.2.3 on to the service server in the extra header, the service server could only obtain the upstream proxy's IP address.

  2. The broadband provider cannot provide an independent IP

     The broadband provider does not have enough public IP addresses and assigns internal IP addresses, as Great Wall Broadband does. The request path might be as follows:

     The user IP obtained in this case is 211.162.78.1, and one such IP may be shared by dozens or hundreds of users.

  3. 2G mobile Internet

     The network provider cannot provide an IP directly to each user terminal. Taking China Mobile's cmwap access as an example, the request path may be as follows (the only address recoverable from the original diagram is the egress 202.96.75.1):

     202.96.75.1

  4. Companies with tens or hundreds of thousands of employees

     In this case there is also a large number of users behind the same IP address, possibly tens of thousands of people, while the egress IPs may number only a few.


0x04 NAT [Network Address Translation]

Network Address Translation allows an entire organization to appear on the Internet under a single public IP address.

At the network layer (Layer 3) of the OSI reference model, NAT is a technique for translating internal private network IP addresses into legitimate public IP addresses. NAT allows internal networks that use private addresses to connect to the Internet or other IP networks. When a packet is sent from the internal network to the public network, the NAT router rewrites the private IP address in the IP packet header to a valid public IP address.

RFC 1918 specifies three private IP address ranges for internal networks:

  • Class A: 10.0.0.0 to 10.255.255.255 (10.0.0.0/8)
  • Class B: 172.16.0.0 to 172.31.255.255 (172.16.0.0/12)
  • Class C: 192.168.0.0 to 192.168.255.255 (192.168.0.0/16)

The three private ranges are routable, but routers on the public network will not forward traffic from these addresses. After a company configures private addresses internally, internal computers communicate among themselves with them, and the company's border router translates the internal private address into a public IP address via NAT or PAT when traffic leaves for the Internet. The outside world only sees the public IP address produced by the border router's translation, which in a sense adds some security to the internal network.

This process is implemented through local and global address mapping entries in the NAT, so such mapping entries must be configured on the NAT router.



0x05 IPv6 is coming?

At the time of writing this article, there is a post indicating that Alibaba has fully adopted IPv6, which is quite significant.

We know that a standard IPv4 address consists of 4 x 8 = 32 binary digits, so there are theoretically 2^32 = 4,294,967,296 IPv4 addresses, roughly 4.3 billion.

According to the World Internet User Statistics report, there are approximately 4,208,571,287 people on the Internet, which means we are close to the maximum number of addresses the IPv4 design allows.

But don't worry: NAT, mentioned earlier, makes it possible to get by even when public IPv4 addresses run out.

The biggest improvement of IPv6 over IPv4 is that the number of bits has increased dramatically: an address is written as eight groups of four hexadecimal digits, i.e. 128 bits, which means 2^128 IPv6 addresses. That is enough for every grain of sand on earth.

What would storing 2^128 bytes mean in theory? Even assuming computing devices could operate at the atomic level and store about 10^25 bits per kilogram of mass, storing 2^128 bytes would take about 2.72 x 10^14 kilograms, that is 272 trillion kilograms.

Finally, happy weekend. Beijing Unicom now supports IPv6; I tested in Wangjing and can get an IPv6 address.