In different situations getting the real website visitor’s IP address can be tricky.
In PHP apps we can use the $_SERVER server and execution environment information array, which may contain header information created by the web server.
In fact, there are many $_SERVER header variables available for looking up the real visitor IP address, so we will use this variable to try to obtain the most accurate real visitor IP address in situations like the following.
Situation 1: PHP APP Behind CloudFlare Proxy
Your website is using CloudFlare, which works as a reverse proxy server.
CloudFlare can pass the real visitor IP address in the header: HTTP_CF_CONNECTING_IP.
Situation 2: PHP APP Behind Reverse Proxy
You are using your own reverse proxy, e.g. Nginx as a reverse proxy in front of an Apache web server, so your web application can detect the real visitor IP address using the header: X-Forwarded-For. But your web application may instead be behind a load balancer, or your proxy server may send the visitor IP address in the header: HTTP_X_CLUSTER_CLIENT_IP.
Situation 3: Visitor Using Proxy
If the visitor is using a proxy, the header HTTP-X-Forwarded-For is the one that contains the originating IP. But if a visitor request goes through multiple proxies, X-Forwarded-For may contain the complete track of the visitor IPs as multiple values separated by commas, i.e. HTTP-X-Forwarded-For: clientIP, proxy1IP, proxy2IP.
Here are the most used headers to check the visitor's real IP address.
HTTP_CLIENT_IP: Not all servers implement this header value.
HTTP_CF_CONNECTING_IP: Provides the visitor IP address passed from CloudFlare to your origin.
HTTP_X_FORWARDED_FOR: The X-Forwarded-For (XFF) HTTP header is now the common method for identifying the originating IP address of a client (visitor) connecting to a web server through an HTTP proxy or load balancer. In general the left-most value is the original client; if you are using CloudFlare, check the right-most value.
REMOTE_ADDR: This might not be the real IP address of the client (visitor) if the server is behind a reverse proxy.
$clientIP = '0.0.0.0';

// Check for the visitor's original real IP
if (!empty($_SERVER['HTTP_CLIENT_IP']))
    $clientIP = $_SERVER['HTTP_CLIENT_IP'];
elseif (!empty($_SERVER['HTTP_CF_CONNECTING_IP'])) // When using Cloudflare
    $clientIP = $_SERVER['HTTP_CF_CONNECTING_IP'];
// Check for IPs passing through proxies
elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    // The header may hold several comma-separated addresses; take the left-most one
    $mIP = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
    if ($mIP[0]) $clientIP = trim($mIP[0]);
}
// Check for IPs passing through clusters
elseif (!empty($_SERVER['HTTP_X_CLUSTER_CLIENT_IP']))
    $clientIP = $_SERVER['HTTP_X_CLUSTER_CLIENT_IP'];
// Check for standard forwarded headers
elseif (!empty($_SERVER['HTTP_X_FORWARDED']))
    $clientIP = $_SERVER['HTTP_X_FORWARDED'];
elseif (!empty($_SERVER['HTTP_FORWARDED_FOR']))
    $clientIP = $_SERVER['HTTP_FORWARDED_FOR'];
elseif (!empty($_SERVER['HTTP_FORWARDED']))
    $clientIP = $_SERVER['HTTP_FORWARDED'];
// Return unreliable IP address since all else failed
else
    $clientIP = $_SERVER['REMOTE_ADDR'];
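A hardened variant of the lookup above, added here as an example and not the original author's code: every HTTP_* entry in $_SERVER is copied from a request header the client can set, so this version accepts a forwarded address only when REMOTE_ADDR is a proxy you operate, and it reads X-Forwarded-For from the right because entries further left are supplied by whoever sent the request. The function name realClientIp, the exact-match proxy list (constructed documentation-range addresses) and the premise that your proxy sets or strips CF-Connecting-IP are assumptions.

```php
<?php
// Added example: trust forwarding headers only when the TCP peer is a known proxy.
// $trustedProxies is a hypothetical list; use the addresses of your own
// reverse proxy or load balancer.

function realClientIp(array $server, array $trustedProxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '0.0.0.0';

    // Direct connection: every forwarding header is client-controlled, ignore them.
    if (!in_array($peer, $trustedProxies, true)) {
        return $peer;
    }

    // Single-value header. Assumes the trusted proxy sets or strips it itself.
    $cf = trim($server['HTTP_CF_CONNECTING_IP'] ?? '');
    if (filter_var($cf, FILTER_VALIDATE_IP) !== false) {
        return $cf;
    }

    // X-Forwarded-For: each proxy appends the address it saw, so walk right to
    // left and return the first hop that is not one of our own proxies.
    $xff  = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    $hops = array_reverse(array_map('trim', explode(',', $xff)));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: stop trusting the chain
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }

    // Nothing usable in the headers: fall back to the peer address.
    return $peer;
}

// Constructed sample requests (documentation-range addresses).
$proxies = ['192.0.2.10'];
// Client connects directly and forges X-Forwarded-For: the header is ignored.
$spoofed = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'];
// Request arrives via our proxy; the left-most entry was supplied by the client.
$proxied = ['REMOTE_ADDR' => '192.0.2.10',
            'HTTP_X_FORWARDED_FOR' => '10.9.9.9, 198.51.100.23'];

echo realClientIp($spoofed, $proxies), "\n";
echo realClientIp($proxied, $proxies), "\n";
```

Use the returned value for logging or rate limiting only after confirming the proxy list matches your deployment; an address outside that list is always treated as the client itself.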