IP Ban in PHP isn't working

Yes. The replies from @RiversideRocks and @charliea21 are correct.
I use PHP a lot on Glitch. I can explain this in detail.

To make PHP work with Glitch, just include it in glitch.json (I made it simpler):

{
  "start": "php -S 0.0.0.0:3000"
}

$_SERVER['REMOTE_ADDR'] does not get the expected value.
Instead you need to get it from $_SERVER['HTTP_X_FORWARDED_FOR']
This can be checked with phpinfo(). Please confirm your global IP address in advance.
I publish a minimal PHP project. The index.php is phpinfo():

When you look at $_SERVER['HTTP_X_FORWARDED_FOR'], you get the following value:

54.230.173.96,::ffff:10.10.10.246,::ffff:10.10.86.42

So you need to split it with , to get 54.230.173.96.

<?php
  $ip = explode(",", $_SERVER['HTTP_X_FORWARDED_FOR']);
  echo "{$ip[0]}\n";

This will output the IP address. You may know such a service. I also publish this project.

So the source of @m4sugar is

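<?php
// The first entry of X-Forwarded-For is used as the visitor's address.
// "?? ''" avoids an undefined-index notice when the header is absent.
$ip = explode(",", $_SERVER['HTTP_X_FORWARDED_FOR'] ?? '');
$ip[0] = trim($ip[0]);
// Placeholder entries; replace them with the addresses to ban.
$deny = array("111.111.111", "222.222.222", "333.333.333");
if (in_array($ip[0], $deny, true))
{
  // Redirect banned visitors and stop the script.
  header("Location: http://www.google.com/");
  exit;
}
?>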

You can do what you expect. Try it!

1 Like

Thank you so much! That worked!

But what about if they’re ok to visit the site? What do I add?

What do you mean?


I think Glitch should implement an IP ban feature, because even if your project bans certain IPs, it still gets through the Glitch reverse-proxy and counts towards your request quota. :confused:

5 Likes

Maybe you should make a post on #feature-ideas?

Eddie

Using Cloudflare makes it really tricky to do IP bans. I would love if Glitch had a built in service for this.

That would be a neat idea, along with project comments which I have seen mentioned around the forum.

1 Like

Maybe I should implement IP bans on Glix?

7 Likes

Yep, just add stuff that Glitch won't/don't have time to add, lol

2 Likes

How do you plan on getting around Cloudflare? There is a way in PHP but I have no idea in Express or any other languages.

There are drivers, pretty sure you need Apache for them to work.

@m4sugar There’s a Node.js package as well

1 Like

Can you explain the concept or method how it is done using PHP? Might be able to figure out a way for Express…

1 Like

This is what I do on my website:

if (isset($_SERVER['HTTP_CF_CONNECTING_IP'])) $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_CF_CONNECTING_IP'];

$_SERVER['HTTP_CF_CONNECTING_IP'] is the IP.

Can you explain what that piece of code does? :sweat_smile:

It checks if the server variable $_SERVER['HTTP_CF_CONNECTING_IP'] is set; if it is, it sets the $_SERVER['REMOTE_ADDR'] variable to $_SERVER['HTTP_CF_CONNECTING_IP'].

That’s what it looks like to me, correct me if I’m wrong.

1 Like

I’ll most likely use something called iptables to block out specific IPs from my VPS, however that would be strictly prohibited to only run on port 80 and 443, and only deny access when the IP is banned on a specific pointer.

You can pretty much write it yourself. Apache or NGINX has the tools needed to implement IP bans, however, I doubt they can deny access on specific hosts, I don’t know.

If I’m going to implement this for Glix I’ll have to write a caddy plugin in Go :stuck_out_tongue:

This would be a rather deprecated choice. The connecting remote might be a reverse-proxy, which therefore will ban the proxy instead of the user. You should look out for trusted proxies and make sure to use the X-Forwarded-For header as the IP. However don’t trust the header until you’ve validated that the remote is trusted!

1 Like
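
The trusted-proxy check described in the post above, as an added example that is not code from any poster in this thread: X-Forwarded-For is honoured only when the connecting peer is a known proxy, and the chain is walked right to left so a client-supplied leading entry is ignored. The `TRUSTED_PROXIES` ranges, the helper names and the sample request are assumptions constructed for illustration.

```php
<?php
// Added example. TRUSTED_PROXIES is an assumed list of your own proxy
// ranges (IPv4 CIDR); the sample request and deny list are constructed.
const TRUSTED_PROXIES = ['10.10.0.0/16', '127.0.0.1/32'];

// Validate an address and strip the IPv4-mapped IPv6 prefix
// (::ffff:10.10.10.246 becomes 10.10.10.246). Returns null if invalid.
function normalize_ip(string $ip): ?string {
    $ip = trim($ip);
    if (stripos($ip, '::ffff:') === 0 && strpos($ip, '.') !== false) {
        $ip = substr($ip, 7);
    }
    return filter_var($ip, FILTER_VALIDATE_IP) ?: null;
}

// IPv4-only CIDR match; IPv6 peers are treated as untrusted here.
function in_cidr(string $ip, string $cidr): bool {
    [$net, $bits] = explode('/', $cidr);
    $ipL = ip2long($ip);
    $netL = ip2long($net);
    if ($ipL === false || $netL === false) return false;
    $mask = ((int)$bits === 0) ? 0 : (-1 << (32 - (int)$bits)) & 0xFFFFFFFF;
    return ($ipL & $mask) === ($netL & $mask);
}

function is_trusted(string $ip): bool {
    foreach (TRUSTED_PROXIES as $cidr) if (in_cidr($ip, $cidr)) return true;
    return false;
}

// The first hop that is not one of our proxies, scanning from the peer
// backwards through X-Forwarded-For, is the client address.
function client_ip(array $server): ?string {
    $peer = normalize_ip($server['REMOTE_ADDR'] ?? '');
    if ($peer === null || !is_trusted($peer)) return $peer; // direct hit: ignore header
    $hops = array_reverse(explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach ($hops as $hop) {
        $ip = normalize_ip($hop);
        if ($ip === null) return null;     // malformed entry: fail closed
        if (!is_trusted($ip)) return $ip;  // first hop we do not control
    }
    return $peer; // every listed hop was a trusted proxy
}

// Constructed request: the client sent its own leading X-Forwarded-For entry.
$sample = ['REMOTE_ADDR' => '::ffff:10.10.86.42',
           'HTTP_X_FORWARDED_FOR' => '198.51.100.7,203.0.113.9,::ffff:10.10.10.246'];
$deny = ['203.0.113.9'];
$ip = client_ip($sample);
echo $ip, in_array($ip, $deny, true) ? " is banned\n" : " is allowed\n";
```

Taking the leftmost entry of this sample would yield the client-supplied 198.51.100.7 and miss the ban on 203.0.113.9.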

Why not IP bans on the reverse proxy? Also, this as a feature for Glix would be nice.

The reason I use this is because this is the method that Cloudflare says to do.