This topic describes how to obtain client IP addresses when Layer 7 listeners of Server Load Balancer (SLB) are used.

Background information

When Layer 7 listeners (HTTP and HTTPS listeners) are used, you must configure the corresponding application servers to obtain client IP addresses carried in the X-Forwarded-For header. Client IP addresses carried in the X-Forwarded-For HTTP header use the following format:
X-Forwarded-For: Client IP address, Proxy Server 1 IP address, Proxy Server 2 IP address,...

Therefore, the first IP address carried in the X-Forwarded-For header is the client IP address that you want to obtain.

Note: HTTPS listeners offload encryption and decryption from backend application servers to SLB instances. The application servers still use the HTTP protocol and therefore cannot distinguish between HTTP and HTTPS listeners.
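
The following Python sketch is an added example, not code from SLB, mod_rpaf, or NGINX. It shows the kind of trust check that a trusted-proxy list such as 100.64.0.0/10 makes possible: the header is honored only on connections from a listed proxy, and entries are read from the right so that a value a client wrote into the header itself is not logged as the client address. The names client_ip, is_trusted and TRUSTED_PROXIES and all sample addresses are constructed for illustration, and each proxy is assumed to append the address it received the connection from.

```python
import ipaddress

# Assumption: the SLB block named on this page is the only trusted proxy range.
TRUSTED_PROXIES = [ipaddress.ip_network("100.64.0.0/10")]


def is_trusted(addr):
    """True if addr lies inside one of the trusted proxy CIDR blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_header):
    """Pick the address to log for a request.

    peer_addr  -- source address of the TCP connection
    xff_header -- raw X-Forwarded-For value, or None if the header is absent
    """
    # A peer outside the proxy ranges can put anything in the header: ignore it.
    if not xff_header or not is_trusted(peer_addr):
        return peer_addr
    candidate = peer_addr
    # Each proxy appends the address it saw, so read from the right and stop
    # at the first entry that is not one of our own proxies.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            trusted = is_trusted(hop)
        except ValueError:
            break  # malformed entry: keep the last address that parsed
        candidate = hop
        if not trusted:
            break
    return candidate


if __name__ == "__main__":
    # Constructed sample requests: (connection source, X-Forwarded-For value)
    samples = [
        ("100.64.1.5", "203.0.113.7"),
        ("100.64.1.5", "198.51.100.9, 203.0.113.7"),
        ("192.0.2.44", "203.0.113.7"),
    ]
    for peer, xff in samples:
        print(f"{peer:<12} {xff!r:<30} -> {client_ip(peer, xff)}")
```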

Configure an IIS7 or IIS8 server

  1. Download and decompress the F5XForwardedFor file.
  2. Copy the F5XFFHttpModule.dll and F5XFFHttpModule.ini files from the x86\ or x64\ directory on your server to another directory, such as C:\F5XForwardedFor\. The directory in which the files are located varies based on the operating system version. Make sure that the IIS process has read permissions on the directory.
  3. Open Internet Information Services (IIS) Manager and double-click Modules.
  4. Click Configure Native Modules, and then click Register in the dialog box that appears.
  5. Add the downloaded .dll file.
  6. Add the ISAPI and CGI restrictions for the added files and set the restrictions to Allowed.
    Note: Make sure that the ISAPI and CGI applications are installed.
  7. Restart the IIS server and wait until the configurations take effect.

Configure an Apache server

In this example, the configuration files are stored in alidata/. Change the directory path in the following commands to match your environment.

  1. Run the following commands to install the mod_rpaf module:
     wget https://github.com/gnif/mod_rpaf/archive/v0.6.0.tar.gz
     tar zxvf v0.6.0.tar.gz
     sudo apt-get install apache2-dev
     whereis apxs2
     cd mod_rpaf-0.6.0
     /alidata/server/httpd/bin/apxs -i -c -n mod_rpaf-2.0.so mod_rpaf-2.0.c
  2. Append the following content to the end of the Apache configuration file /alidata/server/httpd/conf/httpd.conf:
     LoadModule rpaf_module modules/mod_rpaf-2.0.so
     RPAFenable On
     RPAFsethostname On
     RPAFproxy_ips  <IP_address>
     RPAFheader X-Forwarded-For
    Note: To obtain the proxy server IP address, add the CIDR blocks of the proxy servers to RPAFproxy_ips <IP_address>, such as the SLB CIDR block 100.64.0.0/10 and the CIDR blocks of Anti-DDoS. The 100.64.0.0/10 block is reserved by Alibaba Cloud. It is not used by any user and therefore causes no security risks. Separate multiple CIDR blocks with commas (,).
  3. Restart Apache.
    /alidata/server/httpd/bin/apachectl restart

Configure an NGINX server

In this example, the configuration files are stored in alidata/. Change the directory path in the following commands to match your environment.

  1. Run the following commands to install http_realip_module:
     wget http://nginx.org/download/nginx-1.0.12.tar.gz
     tar zxvf nginx-1.0.12.tar.gz
     cd nginx-1.0.12
     ./configure --user=www --group=www --prefix=/alidata/server/nginx --with-http_stub_status_module --without-http-cache --with-http_ssl_module --with-http_realip_module
     make
     make install
     kill -USR2 `cat /alidata/server/nginx/logs/nginx.pid`
     kill -QUIT `cat /alidata/server/nginx/logs/nginx.pid.oldbin`
  2. Run the following command to open the nginx.conf file:
    vi /alidata/server/nginx/conf/nginx.conf
  3. Append new fields to the end of the following content:
     fastcgi_connect_timeout 300;
     fastcgi_send_timeout 300;
     fastcgi_read_timeout 300;
     fastcgi_buffer_size 64k;
     fastcgi_buffers 4 64k;
     fastcgi_busy_buffers_size 128k;
     fastcgi_temp_file_write_size 128k;

    The fields that need to be appended:

     set_real_ip_from IP_address;
     real_ip_header X-Forwarded-For;
    Note: To obtain the proxy server IP address, add the CIDR blocks of the proxy servers to set_real_ip_from <IP_address>, such as the SLB CIDR block 100.64.0.0/10 and the CIDR blocks of Anti-DDoS. The 100.64.0.0/10 block is reserved by Alibaba Cloud. It is not used by any user and therefore causes no security risks. Separate multiple CIDR blocks with commas (,).
  4. Run the following command to restart NGINX:
    /alidata/server/nginx/sbin/nginx -s reload