Forging the IP Address of an HTTP Request
Posted qi2332356
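In project development (a web project), the system I am responsible for (PC for short) needs to call another system's interface, and that system needs to obtain the IP address of the client (the browser making the request), which had me really worried.
Normal flow: browser -> accesses the PC system -> the PC system calls the third-party system. By default, the IP address of the request issued by PC is the IP address of the server PC runs on, not the IP address of the requesting browser.
So I wondered whether the IP address in the request could be modified, since the PC system is able to obtain the requesting IP address. It turned out that it cannot be modified.
In the end I learned that a header (named x-forwarded-for) can be appended to the HTTP request headers; it is placed before the original IP address, so when the third-party system reads the address, it gets the real IP address of the browser.
The code is as follows: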
package com.sh.portal.framework.client.http;

import java.io.IOException;

import org.apache.commons.lang.StringUtils;
import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.protocol.HTTP;
import org.apache.http.util.EntityUtils;
import org.springframework.stereotype.Component;

import com.sh.portal.framework.client.RemoteServerArgs;
import com.sh.portal.framework.client.RemoteServerClient;
import com.sh.portal.framework.client.RemoteServerResponse;
import com.sh.portal.util.CommonUtils;

@Component
public class RemoteServerClientImpl implements RemoteServerClient {

    private static final String DEFAULT_ENCODE = "UTF-8";
    private static final String APPLICATION_JSON = "application/json";

    @Override
    public RemoteServerResponse post(RemoteServerArgs args) throws IOException {
        // IP address of the browser that called the PC system
        String ip = CommonUtils.getRequestIpAddress();

        // Request body (the JSON type belongs in Content-Type, not Content-Encoding)
        StringEntity entity = new StringEntity(args.getRequestJson(), DEFAULT_ENCODE);
        entity.setContentType(APPLICATION_JSON);

        HttpPost httpPost = new HttpPost(args.getUrl());
        httpPost.addHeader(HTTP.CONTENT_TYPE, APPLICATION_JSON);
        // Marks the terminal type as PC
        httpPost.addHeader("typeFlg", "9");
        // Add the browser client's IP address here (null-safe check)
        if (StringUtils.isNotBlank(ip)) {
            httpPost.addHeader("x-forwarded-for", ip);
        }
        httpPost.setEntity(entity);
        httpPost.setConfig(RequestConfig.DEFAULT);

        // Create the HttpClient; try-with-resources releases it even if execute() throws
        try (CloseableHttpClient closeableHttpClient = HttpClientBuilder.create().build()) {
            // Send the POST request
            HttpResponse httpResponse = closeableHttpClient.execute(httpPost);
            HttpEntity httpEntity = httpResponse.getEntity();
            int statusCode = httpResponse.getStatusLine().getStatusCode();
            if (httpEntity != null) {
                return new RemoteServerResponse(statusCode, EntityUtils.toString(httpEntity, DEFAULT_ENCODE));
            }
            return new RemoteServerResponse(statusCode, StringUtils.EMPTY);
        }
    }
}
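The receiving side of this header, as an added example (not code from the original post or its project): any HTTP client can send x-forwarded-for, so the third-party system should honour it only when the request comes from a peer it trusts, such as the PC server. The class name, the `resolve` method and the trusted-proxy set are assumptions, the addresses are constructed, and the right-to-left walk generalizes the single-hop case above to a chain of proxies (IPv4 only).

```java
import java.util.Collections;
import java.util.Set;
import java.util.regex.Pattern;

public class ForwardedClientIp {

    // Strict dotted-quad check (this example handles IPv4 only).
    private static final Pattern IPV4 = Pattern.compile(
        "((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.){3}(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)");

    /**
     * @param peerAddr       address of the TCP peer (request.getRemoteAddr() in a servlet)
     * @param xForwardedFor  raw x-forwarded-for header value, may be null
     * @param trustedProxies addresses allowed to assert a client IP (assumed configuration)
     */
    static String resolve(String peerAddr, String xForwardedFor, Set<String> trustedProxies) {
        // Any HTTP client can send this header, so ignore it unless the peer is trusted.
        if (xForwardedFor == null || !trustedProxies.contains(peerAddr)) {
            return peerAddr;
        }
        // Trusted hops append on the right: walk right to left and stop at the
        // first address that was not added by one of our own servers.
        String[] hops = xForwardedFor.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!IPV4.matcher(hop).matches()) {
                return peerAddr;      // malformed entry: fall back to the peer address
            }
            if (!trustedProxies.contains(hop)) {
                return hop;
            }
        }
        return peerAddr;              // every hop was one of our own proxies
    }

    public static void main(String[] args) {
        Set<String> trusted = Collections.singleton("192.0.2.10"); // constructed: the PC server
        // Untrusted peer supplies its own header value: the header is ignored.
        System.out.println(resolve("198.51.100.9", "10.0.0.1", trusted));
        // The PC server forwards the browser address it observed.
        System.out.println(resolve("192.0.2.10", "203.0.113.7", trusted));
        // A client-supplied left-hand entry is skipped; the rightmost untrusted hop wins.
        System.out.println(resolve("192.0.2.10", "10.0.0.1, 203.0.113.7", trusted));
        // Malformed value from a trusted peer: fall back to the peer address.
        System.out.println(resolve("192.0.2.10", "203.0.113.7, unknown", trusted));
    }
}
```

The trusted set should contain only servers you operate that are known to set the header themselves; a value accepted from anyone else is just user input.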
Original author: https://www.cnblogs.com/holdon521/p/4686849.html