真实IP

# 对应Header中Client-IP
$_SERVER['HTTP_CLIENT_IP']

# 对应Header中X-Forwarded-For
$_SERVER['HTTP_X_FORWARDED_FOR']

/*
 * 如果使用了代理服务器,则REMOTE_ADDR为代理服务器IP 
 * 并且部分代理服务器会将真实IP放在Header中的Client-IP或X-Forwarded-For里
 */
$_SERVER['REMOTE_ADDR']

安全的做法是把所有IP存着

HTTP_CLIENT_IP  
HTTP_X_FORWARDED_FOR  
HTTP_X_FORWARDED  
HTTP_X_CLUSTER_CLIENT_IP  
HTTP_FORWARDED_FOR  
HTTP_FORWARDED  
REMOTE_ADDR (真实IP或Proxy IP)  
HTTP_VIA (经过的Proxy)