This topic describes how to obtain the real IP address of a client from the origin server.
Methods to obtain real IP address
If Dynamic Content Delivery Network (DCDN) is activated, requests from clients are forwarded to the origin server by a point of presence (POP). Therefore, the IP address of the client that is obtained by the origin server is the IP address of the POP. However, if you want to obtain the real IP address of the client from the origin server, you can use one of the following methods:
Install the TCP Option Address (TOA) kernel module on a Linux system. This method is easy to use and transparent to applications. You can obtain the real IP addresses of a client without the need to modify the application on the Linux server of the origin server.
Use the proxy protocol. This method has no requirements on the system kernel. However, you must modify the application to obtain the real IP address of a client by parsing character strings. NGINX and HAProxy are supported.
Install the TOA kernel module
If the origin server uses one of the following supported Linux systems, you can install the Red-Hat Package Manager (RPM) package of the TOA kernel module to obtain the real IP address of a client.
Supported Linux distribution | RPM package |
CentOS 6.5 | |
CentOS 6.9 | |
CentOS 7.0 | |
CentOS 7.2 | |
CentOS 7.3 | |
CentOS 7.4 | |
CentOS 7.5 | |
alicdn.alios7 |
Run the
rpmcommand to install the package of the distribution.rpm -ivh tcp-toa-1.2.7-alicdn.alios7.x86_64.rpmPreparing... ################################# [100%] Updating / installing... 1:tcp-toa-1.2.7-alicdn.alios7 ################################# [100%]Run the TOA kernel module.
service tcp_toa start[Starting tcp_toa]: Checking installed modules... tcp_toa not installed. Checking module files... [OK] Installing tcp_toa... [OK]Query the status of the TOA kernel module.
lsmod | grep toatcp_toa 12916 0Stop the TOA kernel module.
service tcp_toa stop[StoPPing tcp_toa]: Checking installed modules... tcp_toa installed. Checking installed tcp_toa... [OK] Uninstalling tcp_toa... [OK]Run the
rpm -e tcp-toacommand to remove the TOA kernel module.rpm -e tcp-toa[StoPPing tcp_toa]: Checking installed modules... tcp_toa installed. Checking installed tcp_toa... [OK] Uninstalling tcp_toa... [OK]
Proxy protocol
To obtain the IP address of a client by using the proxy protocol, you must configure the proxy protocol in the console. After you configure the proxy protocol, the POP establishes a TCP connection with the origin server. The proxy protocol text is transmitted before the first user payload is transmitted.
To allow NGINX to accept proxy protocol headers, add the proxy_protocol parameter to the listen directive in the server block. For more information, see Accepting the PROXY Protocol.
http {
#...
server {
listen 80 proxy_protocol;
listen 443 ssl proxy_protocol;
#...
}
}For more information about other applications that support proxy protocols, see Proxy Protocol.
If your application does not support the proxy protocol, you must extract the text lines of the proxy protocol and parse the character string to obtain the real IP address of the client after the TCP connection is established. Sample string:
PROXY TCP4 10.10.10.10 192.168.0.1 12345 80\r\nExtract the line before the line break (\n) and parse the line based on the protocol. The following code block shows how the fields are defined:
PROXY_STRING + single space + INET_PROTOCOL + single space + CLIENT_IP + single space + PROXY_IP + single space + CLIENT_PORT + single space + PROXY_PORT + "\r\n"The output of a proxy protocol text line may also contain a unique ID before \r\n. The unique ID is used for end-to-end monitoring. Ignore the ID if you do not need to use it.
"id"="xxxx"