This topic describes how to obtain real IP addresses of clients by using Layer 7 listeners of the Server Load Balancer (SLB) service.

Background information

For Layer 7 listeners (HTTP or HTTPS listeners), you must first configure application servers. Then, you can obtain real IP addresses of clients from the X-Forwarded-For header. The X-Forwarded-For HTTP header carries the real client IP address in the following format:
X-Forwarded-For: IP address of the client, IP address of Proxy Server 1, IP address of Proxy Server 2,...

The first IP address in the X-Forwarded-For header is the real IP address of the client.

Note: For HTTPS listeners, SSL certificates are configured on the frontend, and the backend still uses HTTP. Therefore, the application server configuration for HTTPS listeners is the same as for HTTP listeners.

Configure IIS7 or IIS8 servers

  1. Download and decompress the F5XForwardedFor file.
  2. Copy the F5XFFHttpModule.dll and F5XFFHttpModule.ini files from the x86\Release or x64\Release directory (based on the operating system version of your server) to another directory, such as C:\F5XForwardedFor\. Make sure that the IIS process has read permissions on the directory.
  3. Open Internet Information Services (IIS) Manager and double-click Modules.
  4. Click Configure Native Modules, and click Register in the dialog box that appears.
  5. Add the downloaded .dll files.
  6. Add the ISAPI and CGI restrictions for the added files and set the restrictions to Allowed.
    Note: Make sure that you have installed the ISAPI and CGI applications.
  7. Restart the IIS server and wait for the configurations to take effect.

Configure Apache

  1. Run the following commands to install the mod_rpaf module:
     wget https://github.com/gnif/mod_rpaf/archive/v0.6.0.tar.gz
     # wget saves the archive under the name used in the URL
     tar zxvf v0.6.0.tar.gz
     cd mod_rpaf-0.6.0
     /alidata/server/httpd/bin/apxs -i -c -n mod_rpaf-2.0.so mod_rpaf-2.0.c
  2. Modify the Apache configuration file /alidata/server/httpd/conf/httpd.conf and append the following content to the end of the file:
     LoadModule rpaf_module modules/mod_rpaf-2.0.so
     RPAFenable On
     RPAFsethostname On
     RPAFproxy_ips  <IP_address>
     RPAFheader X-Forwarded-For
    Note: To obtain the IP address of the proxy server, add the CIDR block of the proxy server to RPAFproxy_ips <IP_address>, such as the SLB CIDR block 100.64.0.0/10 (100.64.0.0/10 is reserved by Alibaba Cloud. It is not used by any user and therefore causes no security risks) and the CIDR blocks of Anti-DDoS. Separate multiple IP addresses with commas (,).
  3. Restart Apache.
    /alidata/server/httpd/bin/apachectl restart

Configure NGINX

  1. Run the following commands to install http_realip_module:
     wget http://nginx.org/download/nginx-1.0.12.tar.gz
     tar zxvf nginx-1.0.12.tar.gz
     cd nginx-1.0.12
     ./configure --user=www --group=www --prefix=/alidata/server/nginx --with-http_stub_status_module --without-http-cache --with-http_ssl_module --with-http_realip_module
     make
     make install
     kill -USR2 `cat /alidata/server/nginx/logs/nginx.pid`
     kill -QUIT `cat /alidata/server/nginx/logs/nginx.pid.oldbin`
  2. Run the following command to open the nginx.conf file:
    vi /alidata/server/nginx/conf/nginx.conf
  3. Locate the following lines in the file. The new configuration fields are appended after them:
     fastcgi_connect_timeout 300;
     fastcgi_send_timeout 300;
     fastcgi_read_timeout 300;
     fastcgi_buffer_size 64k;
     fastcgi_buffers 4 64k;
     fastcgi_busy_buffers_size 128k;
     fastcgi_temp_file_write_size 128k;

    Add the following fields and information:

     set_real_ip_from <IP_address>;
     real_ip_header X-Forwarded-For;
    Note: To obtain the IP address of the proxy server, add the CIDR block of the proxy server to set_real_ip_from <IP_address>, such as the SLB CIDR block 100.64.0.0/10 (100.64.0.0/10 is reserved by Alibaba Cloud. It is not used by any user and therefore causes no security risks) and the CIDR blocks of Anti-DDoS. Separate multiple IP addresses with commas (,).
  4. Run the following command to restart NGINX:
    /alidata/server/nginx/sbin/nginx -s reload
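
The following added example (not part of the original topic or of any module named here) shows in Python why the proxy CIDR block in RPAFproxy_ips and set_real_ip_from matters: X-Forwarded-For is honored only when the connection comes from a trusted proxy. It generalizes the header format above by walking the list from the server side and skipping trusted hops. The function names and sample addresses are constructed for illustration.

```python
import ipaddress

# Assumption: the only trusted proxy range is the SLB block named on this page.
TRUSTED_PROXIES = [ipaddress.ip_network("100.64.0.0/10")]


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """Return True if addr parses as an IP inside a trusted proxy CIDR block."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def client_ip(peer_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Resolve the client address for one request.

    peer_addr  -- source address of the TCP connection seen by the server
    xff_header -- raw X-Forwarded-For value, or None if the header is absent
    """
    # A peer outside the trusted ranges is treated as the client; its header is ignored.
    if not is_trusted(peer_addr, trusted) or not xff_header:
        return peer_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    # Walk from the hop nearest the server, skipping trusted proxies.
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_addr  # malformed entry: fall back to the connection address
        if not is_trusted(hop, trusted):
            return hop  # first address not added by a trusted proxy
    return peer_addr  # every hop was a trusted proxy


if __name__ == "__main__":
    # Constructed sample requests: (connection source, X-Forwarded-For value)
    samples = [
        ("100.64.1.5", "203.0.113.7, 100.64.2.9"),  # via SLB: header honored
        ("198.51.100.20", "203.0.113.7"),           # direct connection: header ignored
        ("100.64.1.5", "10.0.0.1, 203.0.113.7"),    # extra leading entry not added by SLB
    ]
    for peer, xff in samples:
        print(peer, "|", xff, "->", client_ip(peer, xff))
```
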