When you use Global Accelerator (GA) to accelerate application services, if you need to obtain the real IP addresses of clients, you can enable the client IP address preservation feature of GA. When you use a Layer 7 listener, you can use the X-Forwarded-For
field of HTTP request headers to obtain client IP addresses. When you use a Layer 4 listener, you can automatically obtain client IP addresses or use the Proxy Protocol to obtain client IP addresses based on the type of the backend service.
Only intelligent routing listeners support client IP address preservation. By default, custom routing listeners do not support client IP address preservation. To obtain client IP addresses on custom routing listeners, contact your account manager.
HTTP or HTTPS listener
Method to obtain client IP addresses
You can use the client IP address preservation feature. By default, this feature is enabled.
GA stores the IP addresses of clients in the X-Forwarded-For
field of HTTP request headers. After you configure backend servers, the backend servers can obtain client IP addresses. The first IP address is the real IP address of a client.
X-Forwarded-For: <Client IP, Proxy Server 1-IP, Proxy Server 2-IP, ...>
Procedure
In this example, the Alibaba Cloud Linux 3 operating system and NGINX 1.20.1 are used. Adjust the configurations based on the environment that you use.
Run the command
nginx -V | grep http_realip_module
on the NGINX server to check whether the http_realip_module module is installed on the NGINX server. NGINX servers use the http_realip_module module to parse the value of X-Forwarded-For.If
--with-http_realip_module
is included in the output, it indicates that http_realip_module is installed on the NGINX server and you can proceed to the next step.NoteNGINX 1.0.4, which was released in 2011, and later support the http_realip_module module. If your NGINX version is earlier than 1.0.4, we recommend that you back up data and upgrade to a later version.
If the http_realip_module module is not installed on the NGINX server, compile and install NGINX again, and then install http_realip_module. We recommend that you use package managers such as YUM to install and manage NGINX. Packet managers simplify the process.
Modify and save the NGINX configuration file. The following code block shows an example. Run the
nginx -t
command to query the path of the configuration file, which is/etc/nginx/nginx.conf
by default. The path may vary based on the environment that you use.http { # Set the variable $http_x_forwarded_for, which is used to record the value of X-Forwarded-For. log_format main '$remote_addr- $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; # ... }
Run the
sudo nginx -s reload
command to reload the NGINX configuration file.Obtain client IP addresses.
You can check the NGINX log to determine whether the backend servers can obtain client IP addresses.
Run the
tail -n <the number of log entries to be returned> <log path>
command. In the returned log, view the field corresponding to the$http_x_forwarded_for
variable. The first IP address is the source IP address of the client.In this example, the default path of the NGINX log file (
/var/log/nginx/access.log
) is used.NoteIf you enable health checks for GA, we recommend that you return multiple log entries at a time or increase the health check interval to prevent the log entries that contain client IP addresses from being overwritten by health check log entries.
TCP listener
Method to obtain client IP addresses
You can use the client IP address preservation feature. After this feature is enabled, you need to select the method to obtain client IP addresses.
The supported method varies based on the type of the backend service.
Automatic: Client IP addresses are directly passed to backend servers.
Proxy Protocol: Proxy Protocol is required for backend servers to obtain client IP addresses.
ImportantProxy Protocol l takes effect only if it is enabled on both the proxy server and backend servers. If a backend server cannot parse Proxy Protocol headers but Proxy Protocol is enabled, parsing errors may arise on the backend server and compromise service availability.
Proxy Protocol can be used by GA listeners to pass client IP addresses to backend servers. After Proxy Protocol is enabled, a TCP header is added to the request without modifying the existing headers. The TCP header contains information such as the source IP address, destination IP address, source port, and destination port.
GA supports only Proxy Protocol v1. Proxy Protocol v1 supports only TCP. For more information, see The PROXY protocol.
Backend services deployed on Alibaba Cloud
Backend service type | Client IP address preservation | Method | |
ECS | Supported. The ECS instance must be deployed in a VPC, and a security group rule must be set to allow all client IP addresses to access the ECS instance. |
| |
ALB | Not supported. | N/A | |
NLB | Supported. |
| |
CLB | Supported. A security group rule is set to allow all client IP addresses to access the CLB backend server. In the following scenarios, the backend servers cannot obtain client IP addresses:
|
| |
OSS | Not supported. | N/A | |
ENI | Supported. A security group rule is set to allow all client IP addresses to access the ENI. |
| |
Custom private IP address | Supported. | Proxy Protocol | |
Alibaba Cloud public IP address Warning If the endpoint is an Alibaba Cloud public IP address and if the public IP address is disassociated from the original instance and associated with another instance, client IP address preservation may fail and the traffic may be interrupted. To restore the client IP address preservation feature of the endpoint, you can delete and re-add the endpoint, or contact your account manager. | Associated with an ECS instance in a VPC | Supported. |
|
Associated with an NLB instance | Supported. |
| |
Associated with an ALB instance | Not supported. | N/A | |
Associated with a CLB instance | Supported. |
| |
Associate with an ENI | Supported. |
| |
Associate with an Internet NAT gateway | Supported. | Proxy Protocol |
Backend services not deployed on Alibaba Cloud
Backend service type | Client IP address preservation | Method |
Custom public IP address | Supported. | Proxy Protocol |
Custom domain name | Supported. |
If a client uses an IPv6 address to access a backend IPv4 service, you must use Proxy Protocol to obtain client IP addresses.
Procedure
In this example, the Alibaba Cloud Linux 3 operating system and NGINX 1.20.1 are used. Adjust the configurations based on the environment that you use.
Automatically obtained
Enable client IP address preservation.
Log on to the GA console.
On the Instances page, find the GA instance that you want to manage and click Configure Listener in the Actions column.
On the Listeners tab, find the TCP listener that you want to manage and click Mod Lsnr in the Actions column.
In the Configure Listener & Protocol step, click Next.
In the Configure Endpoint Group step, select Preserve from the Preserve Client IP drop-down list and click Next.
If backend services are deployed on Alibaba Cloud, Retrieve Client IP is set to Automatically Retrieve Client IP by default.
In the Configuration Review step, confirm the configurations and click Submit.
View the configuration file of the NGINX service.
Run the
nginx -t
command to query the path of the configuration file. In most cases, the path of the configuration file is/etc/nginx/nginx.conf
. The path may vary based on the environment that you use.NoteIf the backend service needs to process only HTTP and HTTPS traffic, make sure that the NGINX server supports the
http{}
module. If the backend service also needs to process TCP traffic, make sure that the NGINX server supports thestream{}
module.The
stream{}
module is added in NGINX 1.9.0 and later. However, this module is not installed by default. You must compile and install thestream{}
module.# Process HTTP traffic. http { # Default configurations log_format main '$remote_addr- $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; # Port 80 is used in this example. server { listen 80; #... } } # Process TCP traffic (This module can be added as needed) stream { log_format main_stream '$remote_addr - [$time_local] ' '"$protocol" $status $bytes_sent $bytes_received ' '"$session_time"'; access_log /var/log/nginx/stream_access.log main_stream; # Port 4000 is used in this example. server { listen 4000; #... } }
Obtain client IP addresses.
Method 1: You can check the NGINX log to determine whether the backend servers can obtain client IP addresses.
Run the
tail -n <the number of returned logs> <log path>
command. In the returned log, check the first IP address (the field corresponding to the$remote_addr
variable), which is the source IP address of the client.HTTP traffic:
In this example, the log file path is
/var/log/nginx/access.log
.TCP traffic:
In this example, the log file path is
/var/log/nginx/stream_access.log
.
Method 2: You can capture data packets to determine whether the client IP addresses are obtained.
Run the
tcpdump tcp port [listener port] -n -X -s 0
command to view client IP addresses in the captured packets.
Use Proxy Protocol
Enable client IP address preservation.
Log on to the GA console.
On the Instances page, find the GA instance that you want to manage and click Configure Listener in the Actions column.
On the Listeners tab, find the TCP listener that you want to manage and click Mod Lsnr in the Actions column.
In the Configure Listener & Protocol step, click Next.
In the Configure Endpoint Group step, select Preserve from the Preserve Client IP drop-down list, and then click Next.
If backend services are not deployed on Alibaba Cloud, Retrieve Client IP is set to Proxy Protocol by default.
In the Configuration Review step, confirm the configurations and click Submit.
Modify and save the NGINX configuration file. The following code block shows an example.
Run the
nginx -t
command to query the path of the configuration file, which is/etc/nginx/nginx.conf
by default. The path may vary based on the environment that you use.NoteIf the backend service needs to process only HTTP and HTTPS traffic, make sure that the NGINX server supports the
http{}
module. If the backend service also needs to process TCP traffic, make sure that the NGINX server supports thestream{}
module.The
stream{}
module is added in NGINX 1.9.0 and later. However, this module is not installed by default. You must compile and install thestream{}
module.# Process HTTP traffic. http { # Make sure that you add the $proxy_protocol_addr variable to log_format in the http{} module to preserve client IP addresses. log_format main '$proxy_protocol_addr - $remote_addr- $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; # Use port 80 and enable the parsing of Proxy Protocol. server { listen 80 proxy_protocol; #... } } # Process TCP traffic (This module can be added as needed) stream { # Make sure that you add the $proxy_protocol_addr variable to log_format in the stream{} module to preserve client IP addresses. log_format main_stream '$proxy_protocol_addr - $remote_addr - $protocol [$time_local] ' '$status $bytes_sent $bytes_received $session_time'; access_log /var/log/nginx/stream_access.log main_stream; # Use port 12345 and enable the parsing of Proxy Protocol. server { listen 12345 proxy_protocol; #... } }
Run the
sudo nginx -s reload
command to reload the NGINX configuration file.Obtain client IP addresses.
You can check the NGINX log to determine whether the backend servers can obtain client IP addresses.
Run the
tail -n <the number of log entries to be returned> <log path>
command. In the returned log, view the IP address in the$proxy_protocol_addr
variable, which is the client IP address.HTTP traffic:
In this example, the log file path is
/var/log/nginx/access.log
.TCP traffic:
In this example, the log file path is
/var/log/nginx/stream_access.log
.
UDP listener
Method to obtain client IP addresses
You can use the client IP address preservation feature. After this feature is enabled, only the automatic retrieval method is supported by default. GA directly passes client IP addresses to backend servers.
To enable client IP address preservation for UDP listeners, take note of the following limits:
Only pay-as-you-go GA instances allow you to enable client IP address preservation for UDP listeners.
If your pay-as-you-go GA instance does not support client IP address preservation for UDP listeners, the instance may use an earlier version. Contact your account manager to upgrade your GA instance.
The backend service type must be NLB, ECS, or ENI. By default, client IP address preservation is not supported by backend services of the NLB type. To use this feature, contact your account manager.
You can obtain only IP addresses of IPv4 clients.
Procedure
In this example, the Alibaba Cloud Linux 3 operating system and NGINX 1.20.1 are used. Adjust the configurations based on the environment that you use.
Enable client IP address preservation.
Log on to the GA console.
On the Instances page, find the GA instance that you want to manage and click Configure Listener in the Actions column.
On the Listeners tab, find the UDP listener that you want to manage and click Mod Lsnr in the Actions column.
In the Configure Listener & Protocol step, click Next.
In the Configure Endpoint Group step, select Preserve from the Preserve Client IP drop-down list, and then click Next.
Retrieve Client IP Address is set to Automatically Retrieve Client IP by default.
In the Configuration Review step, confirm the configurations and click Submit.
View the configuration file of the NGINX service.
Run the
nginx -t
command to query the path of the configuration file. In most cases, the path of the configuration file is/etc/nginx/nginx.conf
. The path may vary based on the environment that you use.NoteIf you want the backend service to process UDP traffic, make sure that the NGINX server supports the
stream{}
module.The
stream{}
module is added in NGINX 1.9.0 and later. However, this module is not installed by default. You must compile and install thestream{}
module.#... # Process UDP traffic. Make sure that this module is added. stream { log_format main_stream '$remote_addr - [$time_local] ' '"$protocol" $status $bytes_sent $bytes_received ' '"$session_time"'; access_log /var/log/nginx/stream_access.log main_stream; # Port 4000 is used in this example. server { listen 4000 udp; #... } }
Obtain client IP addresses.
Method 1: You can check the NGINX log to determine whether the backend servers can obtain client IP addresses.
Run the
tail -n <the number of log entries to be returned> <log path>
command. In the returned log, view the field corresponding to the$remote_addr
variable. The first IP address is the source IP address of the client.In this example, the log file path is
/var/log/nginx/stream_access.log
.Method 2: You can capture data packets to determine whether the client IP addresses are obtained.
Run the
tcpdump udp port [listener port] -n -X -s 0
command to view client IP addresses in the captured packets.
FAQ
Why do the backend servers fail to obtain client IP addresses after I enable client IP address preservation?
If you use an HTTP or HTTPS listener and the backend server cannot record or process the
X-Forwarded-For
header, client IP address preservation does not take effect.If you use a TCP listener:
If the backend service is deployed on Alibaba Cloud but the backend servers are not deployed in a virtual private cloud (VPC) or the elastic IP address (EIP) is not associated with an instance of the VPC type, the backend servers cannot preserve client IP addresses.
If the backend service is deployed outside Alibaba Cloud, the backend servers must support the Proxy Protocol so that they can preserve client IP addresses.
This is because GA uses Proxy Protocol to preserve client IP addresses after you enable client IP address preservation. Therefore, you must make sure that the backend servers support Proxy Protocol. Otherwise, the backend servers cannot parse the Proxy Protocol header.
If the client uses an IPv6 address to access an IPv4 backend service, the backend servers must support Proxy Protocol. Otherwise, the backend servers cannot preserve client IP addresses.
If you use a UDP listener and the client uses an IPv6 address to access an IPv4 backend service, client IP address preservation does not take effect.
How do I disable client IP address preservation?
For HTTP listeners and HTTPS listeners, client IP address preservation is automatically enabled and cannot be disabled.
For TCP and UDP listeners, you can disable client IP address preservation in the GA console. Perform the following steps:
On the Instances page, find the GA instance that you want to manage and click Configure Listeners in the Actions column.
On the Listeners tab, find the listener that you want to manage and click Mod Lsnr in the Actions column.
In the Configure Listener & Protocol step, click Next.
In the Configure Endpoint Group step, set Preserve Client IP to Do Not Preserve and click Next.
In the Configuration Review step, confirm the information and click Submit.
How do I obtain client IP addresses when IPv6 clients access IPv4 services of GA?
HTTP and HTTPS listeners obtain the client IP addresses of IPv6 and IPv4 clients by using the
X-Forwarded-For
HTTP header.TCP listeners obtain the client IP addresses of IPv6 clients by using Proxy Protocol. This method requires that the backend servers support Proxy Protocol. Otherwise, access may fail.
UDP listeners cannot obtain the client IP addresses of IPv6 clients.
References
Documentation about the console
You can also use the access log feature of GA to obtain the IP addresses of clients. After you create access logs for an endpoint group, the collected access logs are delivered to the Logstore in the region where the endpoint group resides. On the Raw Logs tab of the Logstore page, view the client IP address in the client_ip field.
For more information about how to configure an endpoint group, see Endpoint groups and endpoints and Add and manage endpoint groups for intelligent routing listeners.
API references
When you call the following API operations, you can use the EnableClientIPPreservation
and EnableProxyProtocol
parameters to configure the method used to obtain client IP addresses: