How can I get the clients IP address from HTTP headers?

Question

I understand it's a standard practice to look at both these variables. Of course they can easily be spoofed. I'm curious how often can you expect these values (especially the HTTP_X_FORWARDED_FOR) to contain genuine information and not just be scrambled or have their values stripped away?

Anyone with the experience or statistics on this stuff?

Is there anything else that can be useful for the task of getting the client's IP address?

Note the question and answers both use HTTP_ prefix which is a particular implementation detail of ASP.NET v1.0-v4.x, when HTTP request headers are added to ServerVariables collection. Another example is REMOTE_ADDR, which has it's own API in ASP.NET Core. https://stackoverflow.com/questions/28664686/how-do-i-get-client-ip-address-in-asp-net-core — yzorg, Dec 11 '17 at 14:24
The HTTP header name is `X-FORWARDED-FOR`. This question should have specified the language/framework as some have their own convention for internal HTTP header names. For example, PHP uses `HTTP_X_FORWARDED_FOR`. — John Hanley, May 10 '23 at 00:26

score 65 · Answer 1 · edited Jan 26 '10 at 18:44

65

In addition to REMOTE_ADDR and HTTP_X_FORWARDED_FOR there are some other headers that can be set such as:

HTTP_CLIENT_IP
HTTP_X_FORWARDED_FOR can be comma delimited list of IPs
HTTP_X_FORWARDED
HTTP_X_CLUSTER_CLIENT_IP
HTTP_FORWARDED_FOR
HTTP_FORWARDED

I found the code on the following site useful:
http://www.grantburton.com/?p=97

edited Jan 26 '10 at 18:44

Jeff Atwood

63,320
48
150
153

answered May 27 '09 at 14:47

ejunker

10,816
11
41
41

Is this list somehow complete, meaning is it covering over 90% of all proxies? – basZero Jan 10 '14 at 17:13
8

I don't think those headers should have the HTTP_ prefix...a little searching turned up http://stackoverflow.com/questions/3834083/http-headers-what-is-the-difference-between-x-forwarded-for-x-forwarded-for-a – lmsurprenant Apr 01 '14 at 18:34
There is also a Referer now, as per [RFC 7239](https://tools.ietf.org/html/rfc7239) – Kevin Doyon Dec 04 '15 at 21:50

score 32 · Accepted Answer · answered Feb 09 '09 at 10:41

It depends on the nature of your site.

I happen to work on a bit of software where IP tracking is important, and within a field consumed by parter sites I'd guess some 20% - 40% of requests are either detectably spoofed IPs or headers blanked out, depending on the time of day and where they came from. For a site which gets organic traffic (i.e. not through partners) I'd expect a much higher ratio of good IPs.

As Kosi said, be careful what you're doing with this - IPs are in no way a reliable way to identify unique visitors.

score 10 · Answer 3 · edited Dec 04 '15 at 23:21

I've ported Grant Burton's PHP code to an ASP.Net static method callable against the HttpRequestBase. It will optionally skip through any private IP ranges.

public static class ClientIP
{
    // based on http://www.grantburton.com/2008/11/30/fix-for-incorrect-ip-addresses-in-wordpress-comments/
    public static string ClientIPFromRequest(this HttpRequestBase request, bool skipPrivate)
    {
        foreach (var item in s_HeaderItems)
        {
            var ipString = request.Headers[item.Key];

        if (String.IsNullOrEmpty(ipString))
            continue;

        if (item.Split)
        {
            foreach (var ip in ipString.Split(','))
                if (ValidIP(ip, skipPrivate))
                    return ip;
        }
        else
        {
            if (ValidIP(ipString, skipPrivate))
                return ipString;
        }
    }

    return request.UserHostAddress;
}

private static bool ValidIP(string ip, bool skipPrivate)
{
    IPAddress ipAddr;

    ip = ip == null ? String.Empty : ip.Trim();

    if (0 == ip.Length
        || false == IPAddress.TryParse(ip, out ipAddr)
        || (ipAddr.AddressFamily != AddressFamily.InterNetwork
            && ipAddr.AddressFamily != AddressFamily.InterNetworkV6))
        return false;

    if (skipPrivate && ipAddr.AddressFamily == AddressFamily.InterNetwork)
    {
        var addr = IpRange.AddrToUInt64(ipAddr);
        foreach (var range in s_PrivateRanges)
        {
            if (range.Encompasses(addr))
                return false;
        }
    }

    return true;
}

/// <summary>
/// Provides a simple class that understands how to parse and
/// compare IP addresses (IPV4) ranges.
/// </summary>
private sealed class IpRange
{
    private readonly UInt64 _start;
    private readonly UInt64 _end;

    public IpRange(string startStr, string endStr)
    {
        _start = ParseToUInt64(startStr);
        _end = ParseToUInt64(endStr);
    }

    public static UInt64 AddrToUInt64(IPAddress ip)
    {
        var ipBytes = ip.GetAddressBytes();
        UInt64 value = 0;

        foreach (var abyte in ipBytes)
        {
            value <<= 8;    // shift
            value += abyte;
        }

        return value;
    }

    public static UInt64 ParseToUInt64(string ipStr)
    {
        var ip = IPAddress.Parse(ipStr);
        return AddrToUInt64(ip);
    }

    public bool Encompasses(UInt64 addrValue)
    {
        return _start <= addrValue && addrValue <= _end;
    }

    public bool Encompasses(IPAddress addr)
    {
        var value = AddrToUInt64(addr);
        return Encompasses(value);
    }
};

private static readonly IpRange[] s_PrivateRanges =
    new IpRange[] { 
            new IpRange("0.0.0.0","2.255.255.255"),
            new IpRange("10.0.0.0","10.255.255.255"),
            new IpRange("127.0.0.0","127.255.255.255"),
            new IpRange("169.254.0.0","169.254.255.255"),
            new IpRange("172.16.0.0","172.31.255.255"),
            new IpRange("192.0.2.0","192.0.2.255"),
            new IpRange("192.168.0.0","192.168.255.255"),
            new IpRange("255.255.255.0","255.255.255.255")
    };


/// <summary>
/// Describes a header item (key) and if it is expected to be 
/// a comma-delimited string
/// </summary>
private sealed class HeaderItem
{
    public readonly string Key;
    public readonly bool Split;

    public HeaderItem(string key, bool split)
    {
        Key = key;
        Split = split;
    }
}

// order is in trust/use order top to bottom
private static readonly HeaderItem[] s_HeaderItems =
    new HeaderItem[] { 
            new HeaderItem("HTTP_CLIENT_IP",false),
            new HeaderItem("HTTP_X_FORWARDED_FOR",true),
            new HeaderItem("HTTP_X_FORWARDED",false),
            new HeaderItem("HTTP_X_CLUSTER_CLIENT_IP",false),
            new HeaderItem("HTTP_FORWARDED_FOR",false),
            new HeaderItem("HTTP_FORWARDED",false),
            new HeaderItem("HTTP_VIA",false),
            new HeaderItem("REMOTE_ADDR",false)
    };
}

Thanks for the code. There are a couple of problems with it, though. First, there is an extra `return false;` in `ValidIP`. Second, the IpRange class doesn't really handle IPV6 since IPV6 addresses are 128 bits. Maybe `System.Numerics.BigInteger` from .NET 4 could be used, but it's also possible private ranges are less interesting with IPV6 anyway (?). — Eric Smith, Sep 07 '12 at 14:51
Oh, and one other problem: Instead of checking headers from request.Headers, I think you want request.ServerVariables. The latter has keys like `HTTP_X_FORWARDED_FOR` whereas the former would just be `X-Forwarded-For`. — Eric Smith, Sep 12 '12 at 23:23
Would be great if this also supported [RFC 7239](https://tools.ietf.org/html/rfc7239) :D — Kevin Doyon, Dec 04 '15 at 21:40
@Kevin do you implement `code` for supports ***RFC 7239*** ? — Kiquenet, Nov 15 '16 at 11:49

score 7 · Answer 4 · answered Feb 09 '09 at 10:28

No real answer to your question but:
Generally relying on the clients IP address is in my opinion not a good practice as it is not usable to identify clients in a unique fashion.

Problems on the road are that there are quite a lot scenarios where the IP does not really align to a client:

Proxy/Webfilter (mangle almost everything)
Anonymizer network (no chance here either)
NAT (an internal IP is not very useful for you)
...

I cannot offer any statistics on how many IP addresses are on average reliable but what I can tell you that it is almost impossible to tell if a given IP address is the real clients address.

Which is `best practices` to *identify clients in a unique fashion* ? ***Checklist***: _Not use clients IP address_ — Kiquenet, Nov 15 '16 at 11:51

score 2 · Answer 5 · answered Feb 09 '09 at 12:02

2

IP + "User Agent" could be a better for unique visitor.

answered Feb 09 '09 at 12:02

Mahesh

1,754
7
36
54

nah, user agents aren't very diverse and widely spoofed anyway – annakata Feb 10 '09 at 20:20
6

widely spoofed, but generally they don't change from request to request - http://panopticlick.eff.org/ – wprl Feb 22 '10 at 22:15

score 1 · Answer 6 · edited Oct 07 '21 at 07:13

If you're behind a proxy, you should use X-Forwarded-For: http://en.wikipedia.org/wiki/X-Forwarded-For

It is an IETF draft standard with wide support:

The X-Forwarded-For field is supported by most proxy servers, including Squid, Apache mod_proxy, Pound, HAProxy, Varnish cache, IronPort Web Security Appliance, AVANU WebMux, ArrayNetworks, Radware's AppDirector and Alteon ADC, ADC-VX, and ADC-VA, F5 Big-IP, Blue Coat ProxySG, Cisco Cache Engine, McAfee Web Gateway, Phion Airlock, Finjan's Vital Security, NetApp NetCache, jetNEXUS, Crescendo Networks' Maestro, Web Adjuster and Websense Web Security Gateway.

If not, here are a couple other common headers I've seen:

X-Client-IP (Apache)
X-Real-IP (Nginx)

score -1 · Answer 7 · answered May 22 '19 at 10:26

Call the Below Action Method from your JS file (To get the ipv4 ip address).

    [HttpGet]
    public string GetIP()
    {
        IPAddress[] ipv4Addresses = Array.FindAll(
            Dns.GetHostEntry(string.Empty).AddressList,
            a => a.AddressFamily == System.Net.Sockets.AddressFamily.InterNetwork);
        return ipv4Addresses.ToString();
    }

Check after keeping Breakpoint, and use as per your requirement. Its working fine for me.

How can I get the clients IP address from HTTP headers?

7 Answers7

Linked