This topic describes how to obtain the real IP addresses of clients that attempt to access an application after it is integrated into GameShield.

Background information

GameShield adopts the FullNat proxy mode. After receiving a request from a client, GameShield replaces the IP address of the client with the IP address of GameShield. This topic provides a solution for obtaining the real IP address of a client.

Implementation

GameShield uses the options field of a TCP packet to store and transfer the IP address of a client. In most cases, this method is called TCP Options as Address (TOA). The TOA method is provided by GameShield. You can only obtain the IP address of a client after integrating a TOA module to an origin server. You can integrate a TOA module by using application hooks.
  • Linux

    For Linux systems, we recommend that you first use application hooks to integrate a TOA module without updating configuration files.

    If you cannot integrate a TOA module by using application hooks, you can integrate the TOA module by modifying the application code.

    For more information, see Linux.

  • Windows

    Windows provides application hooks for some applications. We recommend that you first integrate a TOA module by using application hooks.

    If you cannot integrate a TOA module by using application hooks, you can modify the application code on the origin server to integrate the TOA module.

    For more information, see Windows.

Integration methods

Table 1. Deployment of origin servers
Scenario Supported architecture Unsupported architecture
Obtain the real IP address of a client when the client transfers data over TCP
  • Data flows from GameShield to Alibaba Cloud Elastic Compute Service (ECS) instances that host origin servers or third-party origin servers.
  • Data flows from GameShield and distributed at Layer-4 by using Alibaba Cloud Server Load Balancer (SLB). Data is then forwarded to Alibaba Cloud ECS instances that host origin servers.
Data flows from GameShield and distributed at Layer-4 by using third-party SLB. Data is then forwarded to third-party origin servers.
Obtain the real IP address of a client when the client transfers data over HTTP or HTTPs
  • Data flows from GameShield to Alibaba Cloud ECS instances that host origin servers or third-party origin servers.
  • Data flows from GameShield and distributed at Layer-4 by using Alibaba Cloud SLB to Alibaba Cloud ECS instances that host origin servers.
  • Data flows from GameShield, Web Application Firewall (WAF) or Anti-DDoS Pro and distributed at Layer-7 by using Alibaba Cloud SLB. Data is then forwarded to Alibaba Cloud ECS instances that host origin servers.
  • Data flows from GameShield and distributed at Layer-4 or Layer-7 by using third-party SLB. Data is then forwarded to third-party origin servers.
Note Based on Layer-4 data forwarding, GameShield does not manage HTTPS certificates. GameShield cannot retrieve data details that are contained in a HTTPS data stream. When a client accesses GameShield through HTTP/HTTPS, GameShield retrieves the real IP address of the client by using a TOA module that is installed on an origin server. You cannot obtain the real IP address of a client from the X-Forwarded-For (XFF) header field of an HTTP/HTTPS request.