Public vs. Private IP Addresses

Introduction

If your mobile/computer/device directly access to a website, your IP address is public.
Usually your IP address is a public IP address.

If you access to a website through medial software/app/device, or proxy, VPN services, then your real IP address is replaced with another IP, and it can be private/protected.

“Public” means your IP address can be reached from the Internet, while “private” means it can’t.

PHP get Public IP Addresses

$Public_IP_Address = $_SERVER[‘REMOTE_ADDR’];

PHP get Private IP Addresses

if ( ! empty( $_SERVER[‘HTTP_CLIENT_IP’] ) ) {
$Real_IP_Address = $_SERVER[‘HTTP_CLIENT_IP’];
} elseif ( ! empty( $_SERVER[‘HTTP_X_FORWARDED_FOR’] ) ) {
$Real_IP_Address = $_SERVER[‘HTTP_X_FORWARDED_FOR’];
} elseif (isset($_SERVER[“HTTP_CF_CONNECTING_IP”])) {
$Real_IP_Address = $_SERVER[“HTTP_CF_CONNECTING_IP”];
} else {
$Real_IP_Address = trim($_SERVER[‘REMOTE_ADDR’]);
}

PHP get HOST NAME & SERVER_NAME when server is running behind the proxy

$_SERVER['HTTP_HOST'] is contents of the Host: header from the current request, if there is one. It give you host information obtained from the HTTP request header and this is what the client actually used as "target host" of the request.

$_SERVER['SERVER_NAME'] is the name of the server host under which the current script is executing. If the script is running on a virtual host, this will be the value defined for that virtual host. It normally returns the same result as $_SERVER['HTTP_HOST'], but is defined in server config.

HTTP_X_FORWARDED_HOST is used to pass the hostname that the client requested along to the proxied server. It's added by proxies to record the originating client request.

Thus if you server is running behind the proxy, then should use $_SERVER['HTTP_X_FORWARDED_HOST'] and $_SERVER['HTTP_X_FORWARDED_SERVER'] in place of $_SERVER['HTTP_HOST'] and $_SERVER['SERVER_NAME'].


<?php
$host_name = isset($_SERVER['HTTP_X_FORWARDED_HOST']) ?
$_SERVER['HTTP_X_FORWARDED_HOST'] : $_SERVER('HTTP_HOST');
$server_name = isset($_SERVER['HTTP_X_FORWARDED_SERVER']) ?
$_SERVER['HTTP_X_FORWARDED_SERVER'] : $_SERVER('SERVER_NAME');

NOTE: An end-user or spambot can spoof X_FORWARDED_HOST, so you have to be careful about the assumptions to make with it.

What’s the variable HTTP_X_FORWARDED_HOST?

HTTP_X_FORWARDED_HOST

HTTP_X_FORWARDED_HOST is used to pass the hostname that the client requested along to the proxied server. It’s added by proxies to record the originating client request.

HTTP_X_FORWARDED_HOST is used when there is a proxy (or multiple proxies) between the browser and your server. If you have this setup:

End User -> ProxyA -> ProxyB -> Server

Then, when end-user makes a request (with a host header), ProxyA will receive it. It will set its own host, then put the end-user host into X_FORWARDED_HOST before making the request to ProxyB. ProxyB will do the same, appending ProxyA’s host onto X_FORWARDED_HOST (so the header will look like EndUserHost, ProxyAHost) and setting its own host. Your server will then receive a request with ProxyB’s host header, and an X_FORWARDED_HOST header that has a value that looks like “EndUserHost, ProxyAHost”.

NOTE: An end-user can spoof X_FORWARDED_HOST, so you have to be careful about the assumptions to make with it.

Apache's mod_proxy

Apache’s mod_proxy code inserts the HTTP_X_FORWARDED_HOST header for the originating host.

modules/proxy/mod_proxy_http.c


/* Add X-Forwarded-Host: so that upstream knows
 * what the original request hostname was.
 */
if ((buf = apr_table_get(r->headers_in, "Host"))) {
apr_table_mergen(r->headers_in, "X-Forwarded-Host", buf);
}