This topic describes how to preserve client IP addresses when Layer 7 listeners of Classic Load Balancer (CLB) are used.

Background information

When Layer 7 listeners (HTTP and HTTPS listeners) are used, you must configure the corresponding application servers to obtain client IP addresses carried in the X-Forwarded-For header. Client IP addresses carried in the X-Forwarded-For HTTP header use the following format:
X-Forwarded-For: <Client IP address, IP address of proxy server 1, IP address of proxy server 2, ...>

Therefore, the first IP address carried in the X-Forwarded-For header is the client IP address that you want to obtain.

Note: HTTPS listeners offload the work of encryption and decryption from backend application servers to CLB instances. The application servers still use the HTTP protocol. Therefore, application servers cannot distinguish between HTTP and HTTPS listeners.

Configure an IIS7 or IIS8 server

  1. Download and decompress the F5XForwardedFor file.
  2. Copy the F5XFFHttpModule.dll and F5XFFHttpModule.ini files from the x86\ or x64\ directory on your server to another directory, such as C:\F5XForwardedFor.dll\. The directory in which the files are located varies based on the operating system version. Make sure that the IIS process has read permissions on the directory.
  3. Open Internet Information Services (IIS) Manager and double-click Modules.
  4. Click Configure Native Modules, and then click Register in the dialog box that appears.
  5. Add the downloaded .dll file.
    1. Enter a file name, select a path, and then click OK.
    2. The system automatically selects the newly registered module. Click OK.
  6. Add the ISAPI and CGI restrictions for the added files and set the restrictions to Allowed.
    Note: Make sure that the ISAPI and CGI applications are installed.
  7. Restart the IIS server and wait until the configurations take effect.

Configure an Apache server

In this example, the configuration files are stored in alidata/. Change the directory path in the following commands to match your environment.

  1. Log on to the backend server and run the following commands to install the mod_rpaf module:
     sudo wget https://github.com/gnif/mod_rpaf/archive/v0.6.0.tar.gz
     sudo tar zxvf v0.6.0.tar.gz
     sudo apt-get install apache2-dev
     sudo whereis apxs2
     cd mod_rpaf-0.6.0
     /alidata/server/httpd/bin/apxs -i -c -n mod_rpaf-2.0.so mod_rpaf-2.0.c
  2. Append the following content to the end of the Apache configuration file /alidata/server/httpd/conf/httpd.conf:
     LoadModule rpaf_module modules/mod_rpaf-2.0.so
     RPAFenable On
     RPAFsethostname On
     RPAFproxy_ips  <IP_address>
     RPAFheader X-Forwarded-For
    Note: Add the CIDR blocks of the proxy servers to RPAFproxy_ips <IP_address>, such as the SLB CIDR block 100.64.0.0/10 and the CIDR blocks of Anti-DDoS. 100.64.0.0/10 is reserved by Alibaba Cloud. It is not used by any user and therefore causes no security risks. Separate multiple CIDR blocks with commas (,).
  3. Restart Apache.
    sudo /alidata/server/httpd/bin/apachectl restart

Configure an NGINX server

In this example, the configuration files are stored in alidata/. Change the directory path in the following commands to match your environment.

  1. Log on to the backend server and run the following commands to install http_realip_module:
     sudo wget http://nginx.org/download/nginx-1.0.12.tar.gz
     sudo tar zxvf nginx-1.0.12.tar.gz
     cd nginx-1.0.12
     sudo ./configure --user=www --group=www --prefix=/alidata/server/nginx --with-http_stub_status_module --without-http-cache --with-http_ssl_module --with-http_realip_module
     sudo make
     sudo make install
     sudo kill -USR2 `cat /alidata/server/nginx/logs/nginx.pid`
     sudo kill -QUIT `cat /alidata/server/nginx/logs/nginx.pid.oldbin`
  2. Run the following command to open the nginx.conf file:
    sudo vi /alidata/server/nginx/conf/nginx.conf
  3. Append new fields to the end of the following content:
     fastcgi_connect_timeout 300;
     fastcgi_send_timeout 300;
     fastcgi_read_timeout 300;
     fastcgi_buffer_size 64k;
     fastcgi_buffers 4 64k;
     fastcgi_busy_buffers_size 128k;
     fastcgi_temp_file_write_size 128k;

    The fields that need to be appended:

     set_real_ip_from IP_address;
     real_ip_header X-Forwarded-For;
    Note: Add the CIDR blocks of the proxy servers to set_real_ip_from <IP_address>, such as the SLB CIDR block 100.64.0.0/10 and the CIDR blocks of Anti-DDoS. 100.64.0.0/10 is reserved by Alibaba Cloud. It is not used by any user and therefore causes no security risks. Separate multiple CIDR blocks with commas (,).
  4. Run the following command to restart NGINX:
    sudo /alidata/server/nginx/sbin/nginx -s reload
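
One way to express the trust rule that RPAFproxy_ips and set_real_ip_from configure, as an added example that is not code from this page, mod_rpaf, or NGINX: the X-Forwarded-For header is honoured only when the connection comes from a listed proxy range, and the list is read from the right so that an entry no trusted proxy wrote is never returned as the client address. It goes beyond the single-proxy case in the text; the function names and sample addresses are constructed, and 100.64.0.0/10 is the block named above.

```python
import ipaddress

# Assumption: the only trusted proxy range is the CLB block named on this page.
# Add further ranges (for example Anti-DDoS CIDR blocks) to this list as needed.
TRUSTED_PROXIES = [ipaddress.ip_network("100.64.0.0/10")]


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True if addr falls inside any trusted proxy CIDR block."""
    return any(addr in net for net in trusted)


def resolve_client_ip(peer_ip, xff_header, trusted=TRUSTED_PROXIES):
    """Return the address a backend should log as the client.

    peer_ip    -- source address of the TCP connection to the backend
    xff_header -- raw X-Forwarded-For value, or None/"" if absent
    """
    peer = ipaddress.ip_address(peer_ip)
    # A header arriving from an unlisted peer is ignored entirely.
    if not xff_header or not is_trusted(peer, trusted):
        return str(peer)

    candidate = peer
    # The rightmost entries were appended by the nearest proxies, so walk
    # right to left and stop at the first address that is not a trusted proxy.
    for raw in reversed(xff_header.split(",")):
        try:
            hop = ipaddress.ip_address(raw.strip())
        except ValueError:
            break  # malformed entry: keep the last address that parsed
        candidate = hop
        if not is_trusted(hop, trusted):
            break
    return str(candidate)


if __name__ == "__main__":
    # Constructed samples: (peer address, X-Forwarded-For value)
    samples = [
        ("100.64.1.5", "203.0.113.7"),
        ("100.64.1.5", "198.51.100.9, 203.0.113.7"),
        ("192.0.2.44", "203.0.113.7"),
        ("100.64.1.5", "not-an-ip"),
    ]
    for peer, xff in samples:
        print(f"{peer:12} {xff!r:32} -> {resolve_client_ip(peer, xff)}")
```
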