This topic describes how to retrieve the real IP address of a client from the origin server.

Retrieval methods

If IP Application Accelerator (IPA) is used, the request from a client is forwarded to the origin server by an acceleration node. Therefore, the source IP address obtained by the origin server is the IP address of the acceleration node. To retrieve the real IP address of the client from the origin server, use one of the following methods:

  • Install the TOA kernel module on the Linux system. This method is easy to use and completely transparent to applications. You can retrieve real client IP addresses without modifying the application on the Linux server of the origin site.
  • Use the Proxy protocol. This method has no requirements on the system kernel. However, you must modify the application to retrieve the real IP address of the client by parsing text strings. NGINX and HAProxy are supported.

Install the TOA kernel module

If the origin server uses one of the following supported Linux systems, you can retrieve the real client IP address by installing the RPM package of the TOA kernel module.

| Supported Linux version | RPM package |
| --- | --- |
| CentOS 6.5 | CentOS 6.5 RPM |
| CentOS 6.9 | CentOS 6.9 RPM |
| CentOS 7.0 | CentOS 7.0 RPM |
| CentOS 7.1 | CentOS 7.1 RPM |
| CentOS 7.2 | CentOS 7.2 RPM |
| CentOS 7.3 | CentOS 7.3 RPM |
| CentOS 7.4 | CentOS 7.4 RPM |
| CentOS 7.5 | CentOS 7.5 RPM |
| alicdn.alios7 | alicdn.alios7 RPM |

  1. Run the rpm command to install the package of the corresponding version.

    # rpm -ivh tcp-toa-1.2.7-alicdn.alios7.x86_64.rpm
    Preparing...                          ################################# [100%]
    Updating / installing...
       1:tcp-toa-1.2.7-alicdn.alios7      ################################# [100%]
  2. Start the TOA kernel module.
    # service tcp_toa start
    [Starting tcp_toa]:
    Checking installed modules...
            tcp_toa not installed.
    Checking module files...                [OK]
    Installing tcp_toa...                   [OK]
  3. Check the running status of the TOA kernel module.
    # lsmod | grep toa
    tcp_toa                12916  0
  4. Stop the TOA kernel module.
    # service tcp_toa stop
    [StoPPing tcp_toa]:
    Checking installed modules...
            tcp_toa installed.
    Checking installed tcp_toa...           [OK]
    Uninstalling tcp_toa...                 [OK]
  5. Run the rpm -e tcp-toa command to remove the TOA kernel module.
    # rpm -e tcp-toa
    [StoPPing tcp_toa]:
    Checking installed modules...
            tcp_toa installed.
    Checking installed tcp_toa...           [OK]
    Uninstalling tcp_toa...                 [OK]

Proxy protocol

To retrieve the IP address of a client by using the proxy protocol, you must configure the proxy protocol in the console. After the proxy protocol is enabled, the acceleration server establishes a TCP connection to the origin server and transmits the proxy protocol text before the first user payload.

To configure NGINX to accept PROXY protocol headers, add the proxy_protocol parameter to the listen directive in the server block. For more information, see Accepting the PROXY Protocol.

http {
    #...
    server {
        listen 80   proxy_protocol;
        listen 443  ssl proxy_protocol;
        #...
    }
}

Note: For more information about other proxy protocol-ready applications, see Proxy Protocol.

If your application does not support the proxy protocol, you can extract the text lines of the Proxy protocol and parse the character string. This way, you can retrieve the source IP address of the client after the TCP connection is established. A sample string is as follows:

PROXY TCP4 1.1.1.2 2.2.2.2 12345 80\r\n

Extract the line before the line break (\n) and parse the line based on the protocol. The fields are defined as follows:

PROXY_STRING + single space + INET_PROTOCOL + single space + CLIENT_IP + single space + PROXY_IP + single space + CLIENT_PORT + single space + PROXY_PORT + "\r\n"

The actual output of a proxy protocol text line may also contain a globally unique ID before \r\n. The unique ID is used for end-to-end monitoring. Ignore it if you do not need it.

"id"="xxxx"
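
The parsing step described above can be written as the following strict parser. This is an added example, not code from the original documentation. The function name, the 256-byte length cap, and the assumption that the optional ID arrives as a seventh space-separated field are illustrative choices, not values given on this page.

```python
import ipaddress

MAX_LINE = 256  # assumed cap; the page gives no maximum line length
FAMILIES = {"TCP4": 4, "TCP6": 6}

def _port(text):
    # Ports are decimal digits in 0..65535; reject signs, spaces, empty strings.
    if not (text.isascii() and text.isdigit()) or int(text) > 65535:
        raise ValueError("bad port: %r" % text)
    return int(text)

def parse_proxy_line(buf):
    """Split buf into (info, payload); info holds the fields named on the page."""
    end = buf.find(b"\r\n", 0, MAX_LINE)
    if end < 0:
        raise ValueError("no CRLF-terminated PROXY line at start of stream")
    fields = buf[:end].decode("ascii", "strict").split(" ")
    if len(fields) not in (6, 7) or fields[0] != "PROXY":
        raise ValueError("not a PROXY text line")
    proto, client_ip, proxy_ip, client_port, proxy_port = fields[1:6]
    if proto not in FAMILIES:
        raise ValueError("unsupported INET_PROTOCOL: %r" % proto)
    addrs = [ipaddress.ip_address(a) for a in (client_ip, proxy_ip)]
    if any(a.version != FAMILIES[proto] for a in addrs):
        raise ValueError("address family does not match " + proto)
    unique_id = None
    if len(fields) == 7:
        # Assumed layout: the optional ID is a seventh space-separated field
        # written as "id"="value"; the page shows only the key/value form.
        key, sep, value = fields[6].partition("=")
        if key != '"id"' or not sep:
            raise ValueError("unexpected trailing field")
        unique_id = value.strip('"')
    info = {"client_ip": str(addrs[0]), "client_port": _port(client_port),
            "proxy_ip": str(addrs[1]), "proxy_port": _port(proxy_port),
            "id": unique_id}
    return info, buf[end + 2:]

# Constructed sample streams: the page's sample line followed by a request.
SAMPLE = b"PROXY TCP4 1.1.1.2 2.2.2.2 12345 80\r\nGET / HTTP/1.1\r\n\r\n"
SAMPLE_ID = b'PROXY TCP4 1.1.1.2 2.2.2.2 12345 80 "id"="xxxx"\r\nGET / HTTP/1.1\r\n\r\n'

if __name__ == "__main__":
    print(parse_proxy_line(SAMPLE))
    print(parse_proxy_line(SAMPLE_ID))
```

Parse the line once per connection, and only on connections accepted from acceleration nodes, because any peer that can reach the listening port can send a line in this format. Everything after the first CRLF is returned as payload and is never re-parsed as a PROXY line.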