slam / psr7-get-client-ip
Retrieve Client IP from a ServerRequestInterface
Fund package maintenance!
Slamdunk
paypal.me/filippotessarotto
Installs: 3 224
Dependents: 0
Suggesters: 0
Security: 0
Stars: 2
Watchers: 2
Forks: 0
Open Issues: 1
Requires
- php: ~8.3.0 || ~8.4.0
- psr/http-message: ^1.1 || ^2.0
Requires (Dev)
- infection/infection: ^0.29.6
- laminas/laminas-diactoros: ^3.4.0
- phpstan/phpstan: ^1.12.4
- phpstan/phpstan-phpunit: ^1.4.0
- phpunit/phpunit: ^11.3.6
- slam/php-cs-fixer-extensions: ^3.12.0
This package is auto-updated.
Last update: 2024-12-21 10:13:12 UTC
README
Installation
composer require slam/psr7-get-client-ip
Motivation & Usage
Knowing the client's IP is needed to distinguish between bad and good actors, and take appropriate countermeasures. In IPv4 protocol it's an easy job (or it should be https://adam-p.ca/blog/2022/03/x-forwarded-for/):
- If the actor is good, you take its IPv4 and stick its session to it, so to mitigate session hijacking.
- If the actor is bad, you ban its IPv4.
In IPv6 protocol it's a different story though: routers default implementation allow each client to choose and change
their IP within the subnet, which is at least /64
. Rate-limiting and banning must take this into consideration, see
https://adam-p.ca/blog/2022/02/ipv6-rate-limiting/
The best approach is still in debate; this library takes the following approach:
- If the actor is good, the full IPv6 ir returned
- If the actor is bad, the
/64
relative subnet is returned
$request = new ServerRequest([ 'REMOTE_ADDR' => '1.2.3.4', ]); var_dump((new Psr7GetClientIp())->forGoodList($request)); // '1.2.3.4' var_dump((new Psr7GetClientIp())->forNaughtyList($request)); // '1.2.3.4' $request = new ServerRequest([ 'REMOTE_ADDR' => '2013:b0a7:5d31:fd03:7257:ae71:6cb9:8e1d', ]); var_dump((new Psr7GetClientIp())->forGoodList($request)); // '2013:b0a7:5d31:fd03:7257:ae71:6cb9:8e1d' var_dump((new Psr7GetClientIp())->forNaughtyList($request)); // '2013:b0a7:5d31:fd03::/64'