Global Accelerator (GA) supports the client IP address preservation feature. After
you enable this feature, you can view preserved client IP addresses on backend servers.
This topic describes how to enable client IP address preservation in different scenarios
and view preserved client IP addresses on backend servers.
Background information
By default, after GA forwards a request to a backend server, the backend server can
retrieve only the IP address of the endpoint group to which the backend server belongs.
The backend server cannot retrieve the IP address of the client that sends the request.
If you want the backend server to retrieve the IP address of the client, you must
enable client IP address preservation for the GA instance. Whether a GA instance supports
client IP address preservation depends on the protocol that is used by the listener
of the GA instance.
- HTTP and HTTPS: support client IP address preservation. The IP address of a client is preserved
in the X-Forwarded-For HTTP header. A backend server retrieves the IP address of the client from
the X-Forwarded-For HTTP header.
- UDP: does not support client IP address preservation.
- TCP: supports client IP address preservation. You may need to modify the configurations
of backend servers based on the type of backend service so that the backend servers
can retrieve client IP addresses. The following table describes how to configure backend
servers.
| Backend service location | Backend service type | Client IP address preservation | Whether to modify the configurations of the backend servers |
| --- | --- | --- | --- |
| Alibaba Cloud | Alibaba Cloud public IP addresses | Supported | No. After you enable client IP address preservation, the backend servers can retrieve client IP addresses. You do not need to modify the configurations of the backend servers. |
| Alibaba Cloud | Elastic Compute Service (ECS) instances | Supported | No |
| Alibaba Cloud | Classic Load Balancer (CLB) instances | Supported. In the following scenarios, the backend servers cannot retrieve client IP addresses: the backend servers of the CLB instance are ECS instances that are deployed in classic networks; the HTTP or HTTPS protocol is used for the listeners of the CLB instance. | No |
| Alibaba Cloud | Application Load Balancer (ALB) instances | Supported | No |
| Alibaba Cloud | Object Storage Service (OSS) buckets | Not supported | |
| Outside Alibaba Cloud | Custom IP addresses | Supported | Yes. After you enable client IP address preservation, GA uses Proxy Protocol to preserve client IP addresses. Therefore, the backend servers must support Proxy Protocol. Notice: If the backend servers do not support Proxy Protocol, the backend servers cannot parse the Proxy Protocol headers in the requests. |
| Outside Alibaba Cloud | Custom domain names | Supported | Yes |
Note
Proxy Protocol is an Internet protocol that allows you to add a Proxy Protocol header
to a TCP packet and include the client IP address in the request.
When Proxy Protocol is used, a backend server starts to process data only after it
receives a complete and valid Proxy Protocol header. Therefore, a listener cannot
forward both requests that contain the Proxy Protocol header and requests that do
not contain the Proxy Protocol header to the same backend server port. If the first
data packet that arrives at the backend server does not comply with the Proxy Protocol
format, the backend server closes the connection to the client.
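An added example, not code from the original page or from GA: a Python parser for the header that a backend must consume before any application data. Which Proxy Protocol version GA sends is not stated here, so the parser accepts both the text (v1) and binary (v2) formats of the HAProxy PROXY protocol specification. It honours the header only from peers in `trusted_nets`, a constructed placeholder for the addresses that are allowed to connect to the port.

```python
import ipaddress
import struct
V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"  # 12-byte signature that opens a v2 header

class ProxyHeaderError(ValueError):
    """First bytes are not a valid PROXY header: close the connection."""

def parse_proxy_header(buf):
    """Return (client_ip or None, header_length) for a v1 or v2 header."""
    if buf.startswith(V2_SIG):
        # Bytes 12-15: version/command, family/protocol, address block length.
        ver_cmd, fam, length = struct.unpack("!BBH", buf[12:16].ljust(4, b"\0"))
        if (ver_cmd >> 4) != 2 or len(buf) < 16 + length:
            raise ProxyHeaderError("bad v2 version or truncated header")
        if (ver_cmd & 0x0F) == 0:  # LOCAL: sent by the proxy itself, no client
            return None, 16 + length
        alen = {0x11: 4, 0x21: 16}.get(fam)  # TCP over IPv4 / TCP over IPv6
        if (ver_cmd & 0x0F) != 1 or alen is None or length < 2 * alen + 4:
            raise ProxyHeaderError("unsupported v2 command or address family")
        return str(ipaddress.ip_address(buf[16:16 + alen])), 16 + length
    if buf.startswith(b"PROXY "):
        line, sep, _ = buf[:107].partition(b"\r\n")  # a v1 line is <= 107 bytes
        if not sep:
            raise ProxyHeaderError("v1 header not terminated by CRLF")
        parts = line.decode("ascii", "replace").split(" ")
        if parts[1] == "UNKNOWN":  # proxy could not determine the client
            return None, len(line) + 2
        try:
            proto, src, dst, sport, dport = parts[1:]
            ips = [ipaddress.ip_address(a) for a in (src, dst)]
            ports = [int(p) for p in (sport, dport)]
        except ValueError as exc:
            raise ProxyHeaderError("malformed v1 header") from exc
        want = {"TCP4": 4, "TCP6": 6}.get(proto)
        if any(i.version != want for i in ips) or any(not 0 <= p <= 65535 for p in ports):
            raise ProxyHeaderError("v1 family mismatch or port out of range")
        return str(ips[0]), len(line) + 2
    raise ProxyHeaderError("no PROXY protocol header")

def client_ip(peer_ip, first_bytes, trusted_nets):
    """Honour the header only when the TCP peer is a trusted proxy."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(n) for n in trusted_nets):
        raise ProxyHeaderError("PROXY header from untrusted peer")
    src, used = parse_proxy_header(first_bytes)
    return src or peer_ip, first_bytes[used:]

# Constructed sample (documentation address ranges), not captured traffic.
SAMPLE_V1 = b"PROXY TCP4 203.0.113.7 198.51.100.10 51234 1234\r\nhello"
```

`client_ip` returns the preserved address together with the bytes that follow the header, so the caller can pass the remainder to the application protocol unchanged.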
Enable client IP address preservation when an HTTP or HTTPS listener is used to distribute requests
After you enable client IP address preservation for an HTTP or HTTPS listener, backend
servers can retrieve client IP addresses from the X-Forwarded-For HTTP header by default.
- Enable client IP address preservation.
  By default, client IP address preservation is enabled for HTTP and HTTPS listeners.
  GA preserves the IP address of a client in the X-Forwarded-For HTTP header before GA
  forwards the request to a backend server. After the backend server receives the request,
  you can retrieve the client IP address from the X-Forwarded-For HTTP header.
- Retrieve the IP address of a client.
  The following example shows the format of the X-Forwarded-For HTTP header. The first IP
  address is the IP address of a client.
      X-Forwarded-For: client IP address, IP address of Proxy Server 1, IP address of Proxy Server 2,...
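An added example, not part of the original page or of GA: a Python helper that resolves the client address from X-Forwarded-For while ignoring entries that a client may have placed in the header itself. It assumes that every proxy appends the address it received the request from; `trusted_nets` and all addresses are constructed placeholders. When no entry is forged, the result is the first address in the header, as described above.

```python
import ipaddress


def _trusted(ip, trusted_nets):
    return any(ip in ipaddress.ip_network(n) for n in trusted_nets)


def client_from_xff(peer_ip, xff_values, trusted_nets):
    """Resolve the client IP from X-Forwarded-For without trusting forged entries.

    peer_ip      -- source address of the TCP connection to this server
    xff_values   -- every X-Forwarded-For header value on the request, in order
    trusted_nets -- CIDRs of the proxies whose appended entries are believed
    """
    peer = ipaddress.ip_address(peer_ip)
    if not _trusted(peer, trusted_nets):
        return str(peer)  # request did not come through a trusted proxy
    hops = [h.strip() for v in xff_values for h in v.split(",") if h.strip()]
    candidate = peer
    # Walk right to left: each trusted proxy appended the address it saw.
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last verified address
        candidate = ip
        if not _trusted(ip, trusted_nets):
            break  # first address that is not one of the trusted proxies
    return str(candidate)


# Constructed sample: the client prepended a forged entry to the real chain.
TRUSTED = ["198.51.100.0/24"]  # placeholder for the proxy address ranges
FORGED = ["10.0.0.1, 203.0.113.7, 198.51.100.9"]

if __name__ == "__main__":
    print(client_from_xff("198.51.100.1", FORGED, TRUSTED))
```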
Enable client IP address preservation when a TCP listener is used to distribute requests to backend servers on Alibaba Cloud
If your GA instance uses a TCP listener and the backend servers are deployed on Alibaba
Cloud, you can enable client IP address preservation without making additional changes.
- Enable client IP address preservation.
  - Log on to the GA console.
  - On the Instances page, find the GA instance that you want to manage and click Configure Listeners in the Actions column.
  - On the Listeners tab, find the listener and click Modify in the Actions column.
  - On the Configure Listener & Protocol wizard page, click Next.
  - On the Configure Endpoint Group wizard page, turn on Preserve Client IP and click Next.
    If backend services are deployed on Alibaba Cloud, Retrieve Client IP is set to Automatically Retrieve Client IP by default.
    - Automatically Retrieve Client IP: If backend services are accessed by IPv4 clients, we recommend that you select this
      option. In this mode, client IP addresses are automatically retrieved. You do not
      need to configure backend services. If backend services are not deployed on Alibaba
      Cloud, you cannot select this option.
    - ProxyProtocol: If backend services are accessed by IPv6 clients, we recommend that you select this
      option. In this mode, the client IP addresses can be retrieved only if the backend
      servers support Proxy Protocol.
      For more information, see Background information.
  - On the Confirm wizard page, confirm the information and click Submit.
- Retrieve the IP address of a client.
  This example shows how to view a preserved client IP address on an ECS instance that
  runs Linux.
  - Log on to the ECS instance that runs Linux.
  - Run the following command to capture an HTTP request:
        tcpdump tcp port [listener port] -n -X -s 0
  - Check the client IP address in the captured request.
    The result shows that the client IP address is preserved and can be viewed on the
    backend server.

If client IP address preservation is disabled, you can view only the IP address of
the endpoint group to which the backend server belongs.

Enable client IP address preservation when a TCP listener is used to distribute requests to backend servers outside Alibaba Cloud
To enable client IP address preservation for a TCP listener that is associated with
backend servers deployed outside Alibaba Cloud, you must ensure that the backend servers
support Proxy Protocol. In this section, an NGINX server is used as an example to
describe how to parse the Proxy Protocol header and then retrieve a client IP address.
- Enable client IP address preservation.
  - Log on to the GA console.
  - On the Instances page, find the GA instance that you want to manage and click Configure Listeners in the Actions column.
  - On the Listeners tab, find the listener and click Modify in the Actions column.
  - On the Configure Listener & Protocol wizard page, click Next.
  - On the Configure Endpoint Group wizard page, turn on Preserve Client IP and click Next.
    If backend services are not deployed on Alibaba Cloud, Retrieve Client IP is set to ProxyProtocol by default.
    - Automatically Retrieve Client IP: If backend services are accessed by IPv4 clients, we recommend that you select this
      option. In this mode, client IP addresses are automatically retrieved. You do not
      need to configure backend services. If backend services are not deployed on Alibaba
      Cloud, you cannot select this option.
    - ProxyProtocol: If backend services are accessed by IPv6 clients, we recommend that you select this
      option. In this mode, the client IP addresses can be retrieved only if the backend
      servers support Proxy Protocol.
      For more information, see Background information.
  - On the Confirm wizard page, confirm the information and click Submit.
- Configure the NGINX server to accept the Proxy Protocol header.
  Both the http{} and stream{} modules of NGINX can accept the Proxy Protocol header. You
  can specify a port to accept the Proxy Protocol header in the http{} or stream{} module.

      http {
          #...
          server {
              listen 8080 proxy_protocol; # Accept and parse the Proxy Protocol header on port 8080.
              #...
          }
      }
      stream {
          #...
          server {
              listen 1235 proxy_protocol; # Accept and parse the Proxy Protocol header on port 1235.
              #...
          }
      }
- Retrieve the IP address of a client.
  After a request is received on the specified port, NGINX parses the Proxy Protocol
  header in the request and preserves the client IP address in the proxy_protocol_addr
  variable. Therefore, you can use one of the following methods to retrieve the IP
  address of the client:
  - If an HTTP request is received, you can preserve the client IP address in the following
    HTTP request header:

        http {
            proxy_set_header X-Real-IP $proxy_protocol_addr;
            proxy_set_header X-Forwarded-For $proxy_protocol_addr;
        }

    The backend server can retrieve the client IP address from the X-Forwarded-For
    HTTP header field. The first IP address in the HTTP header field is the IP address
    of the client.

        X-Forwarded-For: client IP address, IP address of Proxy Server 1, IP address of Proxy Server 2,...

  - If an HTTP request or a TCP packet is received, you can preserve the client IP address
    in a flow log. The backend server can retrieve the client IP address from the flow
    log.
    - Modify log_format in the http{} or stream{} module to preserve the client IP address in a flow log.

          http {
              #...
              # Add the proxy_protocol_addr variable to log_format in the http{} module.
              # The client IP address is preserved in the proxy_protocol_addr variable.
              # The format is named main because combined is a predefined format name
              # in the http{} module and cannot be defined again.
              log_format main '$proxy_protocol_addr - $remote_user [$time_local] '
                              '"$request" $status $body_bytes_sent '
                              '"$http_referer" "$http_user_agent"';
          }
          #...
          stream {
              #...
              # Add the proxy_protocol_addr variable to log_format in the stream{} module.
              # The client IP address is preserved in the proxy_protocol_addr variable.
              log_format basic '$proxy_protocol_addr - [$time_local] '
                               '$protocol $status $bytes_sent $bytes_received '
                               '$session_time';
          }

    - Run the following command to query the flow log and retrieve the client IP address:

          tail -n -5 <Path of the flow log>
The following code block is a complete example on how to use Proxy Protocol to preserve
client IP addresses:

    worker_processes 4;
    events {
        worker_connections 1024;
    }
    http {
        include mime.types;
        default_type application/octet-stream;
        # Add the proxy_protocol_addr variable to log_format in the http{} module.
        # The client IP address is preserved in the proxy_protocol_addr variable.
        log_format main '$proxy_protocol_addr $remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';
        sendfile on;
        keepalive_timeout 65;
        upstream backend {
            server 192.XX.XX.36:8080;
            server 192.XX.XX.37:8080;
            keepalive 2000;
        }
        server {
            listen 80 proxy_protocol; # Accept and parse the Proxy Protocol header on port 80.
            server_name example.com;
            access_log /var/log/nginx/access.log main;
            location / {
                proxy_pass http://backend;
                proxy_http_version 1.1;
                # proxy_set_header directives are inherited from the server level only if
                # the location defines none of its own, so all three headers are set here.
                proxy_set_header Connection "";
                # Preserve the client IP address in the HTTP header fields before the
                # request is sent to a backend server.
                proxy_set_header X-Real-IP $proxy_protocol_addr;
                proxy_set_header X-Forwarded-For $proxy_protocol_addr;
            }
        }
    }
    stream {
        # Add the proxy_protocol_addr variable to log_format in the stream{} module.
        # The client IP address is preserved in the proxy_protocol_addr variable.
        log_format tcp_basic '$proxy_protocol_addr - [$time_local] '
                             '$protocol $status $bytes_sent $bytes_received '
                             '$session_time';
        upstream stream_backend {
            server 192.XX.XX.36:2003;
            server 192.XX.XX.37:2003;
        }
        server {
            listen 1234 proxy_protocol; # Accept and parse the Proxy Protocol header on port 1234.
            access_log /var/log/nginx/access_tcp.log tcp_basic;
            proxy_pass stream_backend;
        }
    }

Query the flow log. The first IP address in the flow log is the IP address of the
client.
