This topic describes how to obtain real IP addresses of clients by using Layer 7 listeners of the Server Load Balancer (SLB) service.
Real client IP addresses are carried in the X-Forwarded-For field of the HTTP header, in the following format:
X-Forwarded-For: IP address of the client, IP address of Proxy Server 1, IP address of Proxy Server 2,...
The first (leftmost) IP address in the X-Forwarded-For header is the real IP address of the client.
Configure IIS7 or IIS8 servers
- Download and decompress the F5XForwardedFor file.
- Copy the F5XFFHttpModule.dll and F5XFFHttpModule.ini files from the x86\Release or x64\Release directory (depending on your server's operating system version) to another directory, such as C:\F5XForwardedFor\. Make sure that the IIS process has read permissions on the directory.
- Open Internet Information Services (IIS) Manager and double-click Modules.
- Click Configure Native Modules, and click Register in the dialog box that appears.
- Add the downloaded .dll files.
- Add the ISAPI and CGI restrictions for the added files and set the restrictions to Allowed.
  Note: Make sure that you have installed the ISAPI and CGI applications.
- Restart the IIS server and wait for the configurations to take effect.
Configure Apache servers
- Run the following commands to install the mod_rpaf module:
    # Save the archive under the file name that the tar command expects
    wget -O mod_rpaf-0.6.tar.gz https://github.com/gnif/mod_rpaf/archive/v0.6.0.tar.gz
    tar zxvf mod_rpaf-0.6.tar.gz
    cd mod_rpaf-0.6
    /alidata/server/httpd/bin/apxs -i -c -n mod_rpaf-2.0.so mod_rpaf-2.0.c
- Modify the Apache configuration file /alidata/server/httpd/conf/httpd.conf and append the following content to the end of the file:
    LoadModule rpaf_module modules/mod_rpaf-2.0.so
    RPAFenable On
    RPAFsethostname On
    RPAFproxy_ips <IP_address>
    RPAFheader X-Forwarded-For
  Note: Add the CIDR blocks of the proxy servers to RPAFproxy_ips <IP_address>, such as the SLB CIDR block 100.64.0.0/10 (100.64.0.0/10 is reserved by Alibaba Cloud. It is not used by any user and therefore causes no security risks) and the CIDR blocks of Anti-DDoS. Separate multiple IP addresses with commas (,).
- Restart Apache.
Configure NGINX servers
- Run the following commands to install http_realip_module:
    wget http://nginx.org/download/nginx-1.0.12.tar.gz
    tar zxvf nginx-1.0.12.tar.gz
    cd nginx-1.0.12
    ./configure --user=www --group=www --prefix=/alidata/server/nginx --with-http_stub_status_module --without-http-cache --with-http_ssl_module --with-http_realip_module
    make
    make install
    # Start the new binary, then gracefully stop the old master process
    kill -USR2 `cat /alidata/server/nginx/logs/nginx.pid`
    kill -QUIT `cat /alidata/server/nginx/logs/nginx.pid.oldbin`
- Run the following command to open the nginx.conf file:
- Locate the following settings and append the new configuration fields after them:
    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 128k;
  Add the following fields and information:
    set_real_ip_from IP_address;
    real_ip_header X-Forwarded-For;
  Note: Add the CIDR blocks of the proxy servers to set_real_ip_from <IP_address>, such as the SLB CIDR block 100.64.0.0/10 (100.64.0.0/10 is reserved by Alibaba Cloud. It is not used by any user and therefore causes no security risks) and the CIDR blocks of Anti-DDoS. Separate multiple IP addresses with commas (,).
- Run the following command to restart NGINX:
    /alidata/server/nginx/sbin/nginx -s reload
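
One way to resolve the client address from the X-Forwarded-For format and the trusted proxy CIDR blocks described above, as an added example that is not part of the original page or of any Alibaba Cloud code. It goes beyond the page's first-address rule: the header is honored only when the connection comes from a trusted proxy, and the result reports when the leftmost entry is not the address recorded by that proxy. The function names and sample addresses are assumptions.

```python
import ipaddress

# SLB range named on the page; append the Anti-DDoS CIDR blocks you use.
TRUSTED_PROXIES = [ipaddress.ip_network("100.64.0.0/10")]


def is_trusted(addr):
    """True if addr is a valid IP inside a trusted proxy CIDR block."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def resolve_client_ip(peer_addr, xff_header):
    """Return (client_ip, leftmost_differs).

    peer_addr is the TCP source address the backend sees. The header is
    honored only when that peer is a trusted proxy. The chain is walked
    right to left, skipping trusted proxies; the first remaining entry is
    the client. leftmost_differs is True when the first header entry is
    not that address, i.e. it arrived before the trusted proxy appended.
    """
    entries = [e.strip() for e in (xff_header or "").split(",") if e.strip()]
    if not is_trusted(peer_addr) or not entries:
        return peer_addr, False
    for entry in reversed(entries):
        if is_trusted(entry):
            continue
        try:
            ipaddress.ip_address(entry)
        except ValueError:
            break  # malformed entry: fall back to the peer address
        return entry, entries[0] != entry
    return peer_addr, False


if __name__ == "__main__":
    # Constructed samples (documentation address ranges), not real traffic.
    samples = [
        ("100.64.1.10", "203.0.113.7"),               # added by SLB
        ("100.64.1.10", "203.0.113.7, 100.64.2.2"),   # two trusted hops
        ("100.64.1.10", "192.0.2.99, 203.0.113.7"),   # sender supplied a prefix
        ("198.51.100.9", "192.0.2.99"),               # did not come through SLB
    ]
    for peer, xff in samples:
        print(peer, "|", xff, "->", resolve_client_ip(peer, xff))
```

Requests for which the second value is True are worth logging, because the leftmost entry in those requests was set before the request reached SLB.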