
Request.remoteAddress returns multiple IPs where a client has used a proxy

Open Fraserhardy opened this issue 5 years ago • 1 comment

Play Version

1.5.3

Operating System (Ubuntu 15.10 / MacOS 10.10 / Windows 10)

Ubuntu

JDK (Oracle 1.8.0_72, OpenJDK 1.8.x, Azul Zing)

JDK 8

Expected Behavior

Request.remoteAddress should only return one IP address of the client's IP.

Actual Behavior

In cases where a request has made multiple 'hops' through proxies, and an x-forwarded-for header has been populated with the client IP plus the proxy addresses as per the specification (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For), e.g. X-Forwarded-For: , , then calling Request.remoteAddress actually returns a comma-separated list rather than a single IP address.

Fraserhardy, Jul 29 '20 12:07

@Fraserhardy The problem is that it's not possible to detect which one of the x-forwarded-for entries is the real client IP. You might think "the first one", but a user can also add their own x-forwarded-for header with an arbitrary value. It has been a way to bypass IP checks for many hackers.

At the moment, the safest way is to log all IP addresses. Well, actually it depends on the usage. What do you need this IP for?

asolntsev, Jul 29 '20 19:07
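The reason "the first one" is unsafe is that the client writes the left end of X-Forwarded-For; only the entries appended by proxies you operate are authentic. The usual fix is to walk the list from the right, skip every address that belongs to a trusted proxy, and stop at the first one that does not. The following is an added Java example of that walk; it is not Play's code and not how Request.remoteAddress is implemented. The trusted-proxy set, the hop addresses (taken from the 192.0.2.0/24 and 203.0.113.0/24 documentation ranges) and the class name ClientIpResolver are all constructed for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Added example, not Play's own code. Derives a client IP from the TCP peer
 * address plus X-Forwarded-For, trusting only hops appended by known proxies.
 *
 * Trust model: the peer address (what the framework sees on the socket) is
 * always authentic. Each trusted proxy appends the address it received the
 * connection from, so the header grows at the RIGHT. Anything to the left of
 * the last trusted proxy's entry was chosen by the client and is untrusted.
 */
public final class ClientIpResolver {

    // Loose syntactic filters: reject tokens like "unknown" or log-injection
    // payloads that some proxies or clients put in the header. Not full
    // address validation, and IPv6 is not normalised (exact string match).
    private static final Pattern IPV4 = Pattern.compile(
            "(25[0-5]|2[0-4]\\d|1?\\d?\\d)(\\.(25[0-5]|2[0-4]\\d|1?\\d?\\d)){3}");
    private static final Pattern IPV6 = Pattern.compile(
            "[0-9a-fA-F]{0,4}(:[0-9a-fA-F]{0,4}){2,7}");

    private final Set<String> trustedProxies; // hypothetical: exact addresses, no CIDR

    public ClientIpResolver(Set<String> trustedProxies) {
        this.trustedProxies = trustedProxies;
    }

    /**
     * @param peerAddress address of the TCP peer that connected to the app
     * @param xffHeader   raw X-Forwarded-For header value, or null if absent
     * @return the nearest address that cannot be attributed to one of our proxies
     */
    public String resolve(String peerAddress, String xffHeader) {
        // Direct connection from something that is not our proxy: the header
        // is whatever the peer chose to send, so ignore it completely.
        if (!trustedProxies.contains(peerAddress)) {
            return peerAddress;
        }
        List<String> hops = parse(xffHeader);
        // Right-to-left: each trusted proxy vouches only for the hop to its left.
        for (int i = hops.size() - 1; i >= 0; i--) {
            String hop = hops.get(i);
            if (!trustedProxies.contains(hop)) {
                return hop;
            }
        }
        // Every hop was one of ours, or the header was empty: the request
        // originated inside the trusted chain, so report the peer itself.
        return peerAddress;
    }

    /** Split on commas, trim, and keep only tokens that look like IP literals. */
    static List<String> parse(String header) {
        if (header == null || header.trim().isEmpty()) {
            return Collections.emptyList();
        }
        List<String> out = new ArrayList<>();
        for (String part : header.split(",")) {
            String s = part.trim();
            if (IPV4.matcher(s).matches() || IPV6.matcher(s).matches()) {
                out.add(s);
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed topology: client -> 192.0.2.2 -> 192.0.2.1 -> app.
        Set<String> proxies = new HashSet<>(Arrays.asList("192.0.2.1", "192.0.2.2"));
        ClientIpResolver r = new ClientIpResolver(proxies);

        // Honest chain: each proxy appended the address that connected to it.
        System.out.println(r.resolve("192.0.2.1", "203.0.113.7, 192.0.2.2"));

        // Spoof attempt: the client pre-populated the header with a fake
        // address. "The first one" would return it; the walk from the right
        // stops at the entry the trusted proxy appended instead.
        System.out.println(r.resolve("192.0.2.1", "198.51.100.9, 203.0.113.7, 192.0.2.2"));

        // Direct connection carrying a forged header: the header is ignored.
        System.out.println(r.resolve("203.0.113.7", "198.51.100.9"));
    }
}
```

Two caveats a practitioner would add before using this in Play: the trusted set must be the exact set of proxies that sit in front of the application (a Set of literal addresses is shown for brevity; production code usually wants CIDR matching and IPv6 normalisation), and an empty trusted set degrades safely to the peer address, which is the behaviour the comment above recommends when you cannot vouch for the chain.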