This topic describes how to retrieve the actual IP address of a client after your website is protected by Web Application Firewall (WAF).

In most scenarios, access requests initiated from the browser of a visitor are not directly sent to the origin server of the website. Instead, the access requests may pass through intermediate proxy servers, such as CDN, Anti-DDoS Pro, and WAF. For example, a website may be deployed in this schema: visitor > CDN, Anti-DDoS Pro, or WAF > origin server. After an access request is forwarded through multiple layers of acceleration or proxies, how does the origin server retrieve the actual client IP address that initiates the request?

In normal cases, before a transparent proxy forwards an access request to the next-hop server, it adds an X-Forwarded-For field to the HTTP request header to record the actual IP address of the client. The field has this format: X-Forwarded-For: client IP address. If the request passes through multiple intermediate proxy servers, each proxy appends the address it received the request from, so X-Forwarded-For records the actual client IP address followed by the IP addresses of the intermediate proxies in this format: X-Forwarded-For: client IP address, proxy 1 IP address, proxy 2 IP address, proxy 3 IP address, ….

Therefore, common application servers can use X-Forwarded-For to retrieve the actual IP address of a client. The following examples use NGINX, IIS 6, IIS 7, Apache, and Tomcat to demonstrate how to configure X-Forwarded-For.
Notice Before you start, make sure that you have backed up the existing environment, including the ECS instance snapshot and the configuration file of the web application server.

NGINX configuration scheme

  1. Make sure that the http_realip_module module has been installed.

    When NGINX sits behind a load balancer or reverse proxy such as WAF, it uses http_realip_module to replace the connecting peer address with the actual client IP address taken from a trusted header.

    You can run the nginx -V 2>&1 | grep http_realip_module command to check whether the module is installed (nginx -V prints its build options to stderr, so the redirect is required for grep to see them). If the module is not installed, recompile NGINX and load the module.

    Note In normal cases, the module is not installed by default if NGINX was installed by using a quick installation package.
    Install http_realip_module through the following method:
    wget http://nginx.org/download/nginx-1.12.2.tar.gz
    tar zxvf nginx-1.12.2.tar.gz
    cd nginx-1.12.2
    ./configure --user=www --group=www --prefix=/alidata/server/nginx --with-http_stub_status_module --without-http-cache --with-http_ssl_module --with-http_realip_module
    make
    make install
    kill -USR2 `cat /alidata/server/nginx/logs/nginx.pid`
    kill -QUIT `cat /alidata/server/nginx/logs/nginx.pid.oldbin`
  2. Modify the configuration file of NGINX.

    Open the default.conf configuration file and add the following content to location / {}:

    Note

    ip_range1, 2, ..., x represents the WAF back-to-origin IP addresses. You need to add one IP address at a time.

    set_real_ip_from ip_range1;
    set_real_ip_from ip_range2;
    ...
    set_real_ip_from ip_rangex;
    real_ip_header    X-Forwarded-For;
  3. Modify the log format (log_format).

    log_format is typically located in the http block of the nginx.conf configuration file. In log_format, replace the $remote_addr field with the $http_x_forwarded_for field. That is, modify log_format as follows:

    log_format  main  '$http_x_forwarded_for - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" ';
  4. Restart NGINX to apply the settings.

    After the preceding operations, run the nginx -s reload command to restart NGINX. After the configurations take effect, the NGINX server can record the actual client IP addresses by using X-Forwarded-For.
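The security-relevant point of the set_real_ip_from list above is that X-Forwarded-For is client-controlled: only a header arriving from a WAF back-to-origin address may be trusted, and a spoofed header from any other peer must be ignored. The following Python function is an added example, not code from the original page or from NGINX, that models the set_real_ip_from / real_ip_header X-Forwarded-For / real_ip_recursive logic so that you can test log lines or application code against it; the trusted ranges are a constructed sample taken from the page's Apache section, and the peer and client addresses in the demo are constructed.

```python
import ipaddress

# Constructed sample of WAF back-to-origin ranges (from the page's Apache
# section). In production, use the full list your WAF provider publishes.
TRUSTED_PROXIES = [ipaddress.ip_network(c) for c in (
    "112.124.159.0/24", "118.178.15.0/24", "120.27.173.0/24",
)]


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True if addr lies inside one of the trusted proxy ranges. Raises ValueError on garbage."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted)


def client_ip(remote_addr, xff_header, trusted=TRUSTED_PROXIES, recursive=True):
    """Return the address to log as the client.

    remote_addr: peer address of the TCP connection reaching the origin.
    xff_header:  raw X-Forwarded-For value, or None if the header is absent.
    recursive:   True models real_ip_recursive on, False models it off.
    """
    # A peer that is not a trusted proxy gets no say: its header is ignored,
    # which is what defeats a client that sends its own X-Forwarded-For.
    if not is_trusted(remote_addr, trusted):
        return remote_addr
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    if not hops:
        return remote_addr
    if not recursive:
        # real_ip_recursive off: the rightmost entry is taken as-is.
        return hops[-1]
    # real_ip_recursive on: walk right to left past every trusted hop and
    # stop at the first address that is not one of our proxies.
    for hop in reversed(hops):
        try:
            if not is_trusted(hop, trusted):
                return hop
        except ValueError:
            # Unparsable entry: fall back to the peer address rather than
            # logging attacker-supplied text (a deliberately safe choice here).
            return remote_addr
    return hops[0]  # every hop was a trusted proxy; keep the leftmost


if __name__ == "__main__":
    # Constructed demo: header from the WAF is honoured, direct spoof is not.
    print(client_ip("112.124.159.7", "203.0.113.9"))      # 203.0.113.9
    print(client_ip("198.51.100.4", "203.0.113.9"))       # 198.51.100.4
```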

IIS 6 configuration scheme

You can install the F5XForwardedFor.dll plug-in to retrieve the actual client IP addresses from the access log recorded by the IIS 6 server.

  1. Based on the version of the operating system run by your server, copy the F5XForwardedFor.dll file from the x86\Release or x64\Release directory to the specified directory, such as C:\ISAPIFilters. Make sure that the IIS process has read and write permissions on the directory.
  2. Open IIS Manager, locate the currently activated website, right-click it, and select Attributes.
  3. On the Attributes page, switch to ISAPI Filters and click Add.
  4. In the Add window, set the following parameters and click Add.
    • Filter Name: F5XForwardedFor
    • Executable: The complete path of F5XForwardedFor.dll, for example, C:\ISAPIFilters\F5XForwardedFor.dll
  5. Restart the IIS server and wait for the configurations to take effect.

IIS 7 configuration scheme

You can install the F5XForwardedFor module to retrieve the actual client IP addresses.

  1. Based on the version of the operating system run by the server, copy the F5XFFHttpModule.dll and F5XFFHttpModule.ini files from the x86\Release or x64\Release directory to the specified directory, such as C:\x_forwarded_for\x86 or C:\x_forwarded_for\x64. Make sure that the IIS process has read and write permissions on the directory.
  2. In the IIS Server section, double-click Modules.
  3. Click Configure Local Module.
  4. In the Configure Local Module dialog box, click Register to register the downloaded DLL file.
    • Register the x_forwarded_for_x86 module
      • Name: x_forwarded_for_x86
      • Path: C:\x_forwarded_for\x86\F5XFFHttpModule.dll
    • Register the x_forwarded_for_x64 module
      • Name: x_forwarded_for_x64
      • Path: C:\x_forwarded_for\x64\F5XFFHttpModule.dll
  5. After registration, select the newly registered modules x_forwarded_for_x86 and x_forwarded_for_x64, and click OK.
  6. In ISAPI and CGI Restrictions, add the registered DLL file, and set Restriction to Allow.
  7. Restart the IIS server and wait for the configurations to take effect.

Apache configuration scheme

For Windows operating systems

The installation packages of Apache 2.4 and later provide the remoteip_module module file (mod_remoteip.so). You can retrieve the actual client IP addresses by using this module.
  1. Create a configuration file named httpd-remoteip.conf in the extra configuration folder (conf/extra/) of Apache.
    Note Keeping these settings in a separate httpd-remoteip.conf file that is included from httpd.conf avoids editing httpd.conf directly and reduces the risk of service interruptions caused by accidental changes.
  2. In the httpd-remoteip.conf configuration file, add the following rule for retrieving the actual client IP addresses.
    # Load the mod_remoteip.so module
    LoadModule remoteip_module modules/mod_remoteip.so
    # Set the RemoteIPHeader header
    RemoteIPHeader X-Forwarded-For
    # Set the back-to-origin CIDR block
    RemoteIPInternalProxy 112.124.159.0/24 118.178.15.0/24 120.27.173.0/24 203.107.20.0/24 203.107.21.0/24 203.107.22.0/24 203.107.23.0/24 47.97.128.0/24 47.97.129.0/24 47.97.130.0/24 47.97.131.0/24
  3. Modify the conf/httpd.conf configuration file and include the httpd-remoteip.conf configuration file.
    Include conf/extra/httpd-remoteip.conf
  4. Modify the log format in the httpd.conf configuration file.
    LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%a %l %u %t \"%r\" %>s %b" common
  5. Restart Apache to apply the settings.

For Linux operating systems

Take the preceding steps to add the remoteip_module module (mod_remoteip.so) and configure the log format in a Linux operating system. The installation packages of Apache 2.4 and later provide the remoteip_module module file (mod_remoteip.so).

If the version of Apache is earlier than 2.4, take the following steps to use a third-party module named mod_rpaf to retrieve the actual client IP addresses.

  1. Run the following commands to install the mod_rpaf module:
    # The GitHub archive is saved as v0.6.0.tar.gz and extracts to mod_rpaf-0.6.0/
    wget https://github.com/gnif/mod_rpaf/archive/v0.6.0.tar.gz
    tar zxvf v0.6.0.tar.gz
    cd mod_rpaf-0.6.0
    # Compile and install the module with the apxs tool of this Apache installation
    /alidata/server/httpd/bin/apxs -i -c -n mod_rpaf-2.0.so mod_rpaf-2.0.c
  2. Modify the Apache configuration file /alidata/server/httpd/conf/httpd.conf and append the following content to the end of the file:
    Note The value of RPAFproxy_ips is the address from which the proxy connects to your origin server, not the public IP address of the proxy. Find the specific addresses in the Apache access log; typically, you will find two IP addresses.
    LoadModule rpaf_module modules/mod_rpaf-2.0.so
    RPAFenable On
    RPAFsethostname On
    RPAFproxy_ips IP address
    RPAFheader X-Forwarded-For
  3. After you append the preceding content, run the following command to restart Apache to apply the settings:
    /alidata/server/httpd/bin/apachectl restart

mod_rpaf module configuration example

LoadModule rpaf_module modules/mod_rpaf-2.0.so
RPAFenable On
RPAFsethostname On
RPAFproxy_ips 10.242.230.65 10.242.230.131
RPAFheader X-Forwarded-For

Tomcat configuration scheme

You can use X-Forwarded-For provided by Tomcat to retrieve the actual client IP addresses.

Open the tomcat/conf/server.xml configuration file and modify the AccessLogValve element so that the access log records the X-Forwarded-For header instead of the connecting peer address:
    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
           prefix="localhost_access_log." suffix=".txt"
           pattern="%{X-FORWARDED-FOR}i %l %u %t %r %s %b %D %q %{User-Agent}i %T" resolveHosts="false"/>