Need advice about getting IP address behind NAT in PHP

Question

What I'm trying to achieve here is to get local ip address of computer that is connecting to machine with public IP address.

We have server with public IP address (let's say X). Also we have 15 computers in our office with local ip addresses (192.168.20....). I want to know which computer changed something on our system. We are all going out on the internet with public IP Y. As we all know with $_SERVER['REMOTE_ADDR'] I can only get address Y, but can't get local IP address (192.168.20.N).

So I've installed webserver on one of the local machines and then I'm sending ajax (jsonp) request to that local machine, I get local IP address of computer and than send that IP address to public server in every request. everything works fine and I'm getting both local and public IP address. But I wonder if there is any better way of doing this?

here is my test.js script

$(document).ready(function(){
    var _ip = '';
    $.ajax({
        url: 'http://192.168.20.24/getIP.php', //local machine
        dataType: 'jsonp',
        success: function(response){
            _ip = response;
            $.ajax({
                url: 'getIP.php', //public address
                type: 'POST',
                dataType: 'json',
                data: {
                    ip: _ip
                },
                dataType: 'json',
                success: function(response){
                    $('#local').html(response.local);
                    $('#public').html(response.public);
                }
            })
        }
    });

});

local getIP.php

header('content-type: application/json; charset=utf-8');
echo $_GET['callback'] . '('.json_encode($_SERVER['REMOTE_ADDR']).')';

and public getIP.php

echo json_encode(array('local' => $_POST['ip'], 'public' => $_SERVER['REMOTE_ADDR']));

Thanks in advance

Note: code is written for testing purposes only.

Answer 1

Javascript operates at HTTP level, so there is no such thing as an IP address in Javascript world.

The workaround you devised is widely used and it is, I believe, the only way to get the client's private address. As hek2mgl advises, this solution is insecure indeed, although in your case, the concern is less relevant because you seem to have complete control of the clients, the server, and the network in between.

For a really secure solution, use client certificates. I understand you do not really care about the client's IP addresses per se, but only want to use them as a mean of authentication (or was it just identification? :D).

---

Configuration is not trivial but not rocket sience either. Here is a nice tutorial (Apache). It assumes the use of certificates issued by a public certification authority, but you can generate and use your own self-signed certificates (tutorial 1, tutorial 2)

Answer 2

IP address information MUST NOT being used for authentication. This is insecure. Point.

If you want to authenticate persons or even computers, then use an authentication system. username/password based, or public/private key based authentication systems come in mind..