Server Load Balancer (SLB) supports obtaining real client IP addresses.

Overview

Support for obtaining real IP addresses in SLB is enabled by default.

  • For layer-4 SLB service (TCP protocol), listeners distribute client requests to backend ECS servers without modifying the request headers. Therefore, you can obtain real client IP addresses directly.
  • For layer-7 SLB service (HTTP and HTTPS protocols), you need to configure application servers, and then use the X-Forwarded-For header to obtain real IP addresses of clients.
    Real client IP addresses are put in the X-Forwarded-For fields of HTTP headers in the following format: 
    X-Forwarded-For: the real IP address of the user, the proxy server 1-IP, the proxy server 2-IP, ...

    When you use the X-Forwarded-For header to obtain the real IP address of a client, the first IP address obtained is the real IP address.

    Note For the HTTPS SLB service, SSL certificates are configured in frontend listeners, and the backend still uses the HTTP protocol. Therefore, the configurations on application servers for obtaining real client IP addresses are the same for HTTP and HTTPS protocols.

Configure IIS7/IIS8

  1. Download and extract F5XForwardedFor.
  2. Copy the F5XFFHttpModule.dll and F5XFFHttpModule.ini files from the x86\Release or x64\Release directory (depending on the operating system version) of your server to a directory, such as C:\F5XForwardedFor\. Make sure that the IIS process has write access to this directory.
  3. Open IIS Manager and double-click the Modules function.
  4. Click Configure Native Modules, and then click Register in the displayed dialog box.
  5. Add the downloaded .dll file.
  6. Add the ISAPI and CGI restrictions for the added files and set the restrictions to Allowed.
    Note Make sure that you have installed the ISAPI and CGI applications.
  7. Restart IIS Manager.

Configure Apache

  1. Run the following command to install the mod_rpaf module: 
     wget https://github.com/gnif/mod_rpaf/archive/v0.6.0.tar.gz
 tar zxvf mod_rpaf-0.6.tar.gz
 cd mod_rpaf-0.6
 /alidata/server/httpd/bin/apxs -i -c -n mod_rpaf-2.0.so mod_rpaf-2.0.c
  2. Open the /alidata/server/httpd/conf/httpd.conf file and add the following information at the end of the content: 
     LoadModule rpaf_module modules/mod_rpaf-2.0.so
 RPAFenable On
 RPAFsethostname On
 RPAFproxy_ips  <IP_address>
 RPAFheader X-Forwarded-For
    Note To obtain the IP address of the proxy server, add the CIDR block of the proxy server to RPAFproxy_ips <IP_address>, such as the IP address range of SLB 100.64.0.0/10 (100.64.0.0/10 is reserved by Alibaba Cloud. No other users can use the IP addresses in this CIDR block and therefore no security risks exist.) and the address range of Anti-DDoS Pro. Separate multiple CIDR blocks by using commas (,).
  3. Restart Apache. 
    /alidata/server/httpd/bin/apachectl restart

Configure Nginx

  1. Run the following command to install http_realip_module. 
     wget http://nginx.org/download/nginx-1.0.12.tar.gz
 tar zxvf nginx-1.0.12.tar.gz
 cd nginx-1.0.12
 ./configure --user=www --group=www --prefix=/alidata/server/nginx --with-http_stub_status_module --without-http-cache --with-http_ssl_module --with-http_realip_module
 make
 make install
 kill -USR2 `cat /alidata/server/nginx/logs/nginx.pid`
 kill -QUIT `cat /alidata/server/nginx/logs/ nginx.pid.oldbin`
  2. Open the nginx.conf file. 
    vi /alidata/server/nginx/conf/nginx.conf
  3. Add new configuration fields and information at the end of the following configuration information: 
     fastcgi connect_timeout 300;
 fastcgi send_timeout 300;
 fastcgi read_timeout 300;
 fastcgi buffer_size 64k;
 fastcgi buffers 4 64k;
 fastcgi busy_buffers_size 128k;
 fastcgi temp_file_write_size 128k;

    The configuration fields and information that need to be added are:

     set_real_ip_from IP_address
 real_ip_header X-Forwarded-For;
    Note To obtain the IP address of the proxy server, add the CIDR block of the proxy server to set_real_ip_from <IP_address>, such as the IP address range of SLB 100.64.0.0/10 (100.64.0.0/10 is reserved by Alibaba Cloud. No other users can use the IP addresses in this CIDR block and therefore no security risks exist.) and the address arrange of Anti-DDos Pro. Separate multiple CIDR blocks by using commas (,).
  4. Restart Nginx. 
    /alidata/server/nginx/sbin/nginx -s reload