
Obtain real IP addresses of visitors

Last Updated: Jan 22, 2018

This document describes how to obtain a visitor’s real IP address after the Web Application Firewall is enabled.

Background

In many cases, a visitor’s browser is not directly connected to the server for website access because CDN, WAF, or Anti-DDoS Pro is deployed in between. For example, the following is a common architecture: Client > CDN/WAF/Anti-DDoS Pro > Origin Server.

So how can a server obtain the real IP address of a client whose initial request passes through multiple layers of acceleration?

When forwarding a user’s request to the next server in the chain, an open, transparent proxy server adds an X-Forwarded-For record to the HTTP header. This record holds the user’s real IP address and takes the format X-Forwarded-For: user IP. If multiple proxy servers are involved in the request, the X-Forwarded-For record takes the following format: X-Forwarded-For: user's IP address, Proxy 1-IP address, Proxy 2-IP address, Proxy 3-IP address.... Therefore, a common application server can use the X-Forwarded-For record to obtain a visitor’s real IP address.
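How an origin application can read the record described above without accepting entries the client wrote itself, as an added example that is not part of the original document: the header is honored only when the connection comes from a known proxy, and the list is walked from right to left until the first address that was not appended by a trusted proxy. The names client_ip, is_trusted and TRUSTED_PROXIES, the 192.0.2.0/24 range and the sample requests are assumptions made for illustration.

```python
import ipaddress

# Trusted proxy ranges: the two addresses come from the Apache example on this
# page; 192.0.2.0/24 is a constructed stand-in for a WAF back-to-source range.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in
                   ("10.242.230.65/32", "10.242.230.131/32", "192.0.2.0/24")]


def is_trusted(addr):
    """True if addr belongs to one of the configured proxy ranges."""
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer, xff_header):
    """Return the address to treat as the visitor for one request.

    peer       -- source address of the TCP connection
    xff_header -- raw X-Forwarded-For value, or None when absent
    """
    peer_addr = ipaddress.ip_address(peer)
    # A peer outside the trusted ranges did not come through the WAF,
    # so whatever header it sent is ignored.
    if not is_trusted(peer_addr) or not xff_header:
        return str(peer_addr)
    candidate = peer_addr
    # Walk right to left: the rightmost entries were appended by our own
    # proxies, the leftmost ones are whatever the client chose to send.
    for token in reversed(xff_header.split(",")):
        try:
            hop = ipaddress.ip_address(token.strip())
        except ValueError:
            break  # malformed entry: keep the last hop that parsed
        candidate = hop
        if not is_trusted(hop):
            break  # first address not vouched for by a trusted proxy
    return str(candidate)


if __name__ == "__main__":
    # Constructed requests: (peer address, X-Forwarded-For header)
    samples = [
        ("10.242.230.65", "203.0.113.7"),
        ("10.242.230.65", "1.2.3.4, 203.0.113.7"),   # client-supplied first entry
        ("10.242.230.131", "198.51.100.9, 192.0.2.10, 10.242.230.65"),
        ("198.51.100.9", "10.0.0.1"),                # direct hit, header ignored
    ]
    for peer, xff in samples:
        print(f"{peer:15} {xff!r:45} -> {client_ip(peer, xff)}")
```

The server-side settings in the sections below express the same trust decision through their proxy address lists (set_real_ip_from, RPAFproxy_ips).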

The following content describes the corresponding X-Forwarded-For configuration methods for the Nginx, IIS 6, IIS 7, Apache, and Tomcat servers.

Nginx

Follow these steps to obtain the visitor’s real IP address in Nginx.

1. Install “http_realip_module”

When used for load balancing, Nginx relies on “http_realip_module” to obtain the real IP address. A default Nginx installation does not include this module. Run the nginx -V 2>&1 | grep http_realip_module command to verify whether the module is installed (nginx -V writes to stderr, hence the redirection). If it is not, recompile Nginx with this module.

Use the following commands to compile and install Nginx with the “http_realip_module” module.

  wget http://nginx.org/download/nginx-1.12.2.tar.gz
  tar zxvf nginx-1.12.2.tar.gz
  cd nginx-1.12.2
  ./configure --user=www --group=www --prefix=/alidata/server/nginx --with-http_stub_status_module --without-http-cache --with-http_ssl_module --with-http_realip_module
  make
  make install
  kill -USR2 `cat /alidata/server/nginx/logs/nginx.pid`
  kill -QUIT `cat /alidata/server/nginx/logs/nginx.pid.oldbin`

2. Add WAF IP addresses to Nginx configurations

Open default.conf, and add the following content in location / {}:

  set_real_ip_from ip_range1;
  set_real_ip_from ip_range2;
  ...
  set_real_ip_from ip_rangex;
  real_ip_header X-Forwarded-For;

Here ip_range1, 2, ..., x are the back-to-source IP addresses of WAF. Add a separate set_real_ip_from entry for each of them.

3. Modify the log record format log_format

log_format is usually defined in the http block of nginx.conf. Add the x-forwarded-for field to log_format in place of the original remote-address field. After the modification, the content is as follows.

  log_format main '$http_x_forwarded_for - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" ';

After the preceding operations are completed, run nginx -s reload to reload Nginx so that the configuration takes effect.

IIS 6

You can obtain the visitor’s real IP address from the IIS 6 log, provided that the F5XForwardedFor.dll plug-in is installed.

Procedure

Follow these steps to obtain the visitor’s real IP address in IIS 6.

  1. Copy F5XForwardedFor.dll from the x86\Release or x64\Release directory (according to the OS version of the server) to a directory of your choice, C:\ISAPIFilters in this example, and make sure that the IIS process has read permission for this directory.

  2. Open IIS manager, find the website currently open, right-click the website and select Property to open the Property page.

  3. Switch to the ISAPI Filter tab page on the Property page and click Add.

  4. Set the following parameters in the Add window, and then click OK.

    • Filter name: F5XForwardedFor
    • Executable file: enter the complete path of F5XForwardedFor.dll. In this example, C:\ISAPIFilters\F5XForwardedFor.dll.
  5. Restart the IIS server and wait for the configuration to take effect.

IIS 7

You can obtain the visitor’s real IP address through the F5XForwardedFor module, provided that the F5XForwardedFor module plug-in is installed.

Procedure

Follow these steps to obtain the visitor’s real IP address in IIS 7.

  1. Copy F5XFFHttpModule.dll and F5XFFHttpModule.ini from the x86\Release or x64\Release directory (according to the OS version of the server) to a directory of your choice, C:\x_forwarded_for\x86 and C:\x_forwarded_for\x64 in this example, and make sure that the IIS process has read permission for these directories.

  2. In IIS Manager, double-click to open Module.

  3. Click Configure Local Module.

  4. Click Register in the Configure Local Module dialog box, and register the downloaded DLL file.

    • Register the x_forwarded_for_x86 module

      • Name: x_forwarded_for_x86
      • Path: C:\x_forwarded_for\x86\F5XFFHttpModule.dll
    • Register the x_forwarded_for_x64 module

      • Name: x_forwarded_for_x64
      • Path: C:\x_forwarded_for\x64\F5XFFHttpModule.dll
  5. After registration, select the newly registered modules (x_forwarded_for_x86 and x_forwarded_for_x64), and click OK to enable them.

  6. Add the registered DLL in ISAPI and CGI restrictions respectively, and change the settings from Restricted to Allowed.

  7. Restart the IIS server and wait for the configuration to come into effect.

Apache

Follow these steps to obtain the visitor’s real IP address in Apache.

  1. Run the following code to install the third-party module mod_rpaf for Apache.

    wget http://stderr.net/apache/rpaf/download/mod_rpaf-0.6.tar.gz
    tar zxvf mod_rpaf-0.6.tar.gz
    cd mod_rpaf-0.6
    /alidata/server/httpd/bin/apxs -i -c -n mod_rpaf-2.0.so mod_rpaf-2.0.c
  2. Modify the Apache configuration file /alidata/server/httpd/conf/httpd.conf and add the following information at the end.

    LoadModule rpaf_module modules/mod_rpaf-2.0.so
    RPAFenable On
    RPAFsethostname On
    RPAFproxy_ips IP address
    RPAFheader X-Forwarded-For

    Here, the IP address set in RPAFproxy_ips is not the public IP address provided by Server Load Balancer. You can obtain the specific IP address from the Apache log. Usually two IP addresses are included.

  3. Run the following command to restart Apache once you add the IP address.

    /alidata/server/httpd/bin/apachectl restart

Example

  LoadModule rpaf_module modules/mod_rpaf-2.0.so
  RPAFenable On
  RPAFsethostname On
  RPAFproxy_ips 10.242.230.65 10.242.230.131
  RPAFheader X-Forwarded-For

Tomcat

Follow these steps to enable X-Forwarded-For for Tomcat.

  1. Open tomcat/conf/server.xml.

  2. Change the AccessLogValve logging configuration to the following:

    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
           prefix="localhost_access_log." suffix=".txt"
           pattern="%{X-FORWARDED-FOR}i %l %u %t %r %s %b %D %q %{User-Agent}i %T" resolveHosts="false"/>