All Products
Search

This Product

    Web Application Firewall:Retrieve the originating IP addresses of clients

    Document Center

    Web Application Firewall:Retrieve the originating IP addresses of clients

    Last Updated:Nov 18, 2024

    After a website is added to Web Application Firewall (WAF), WAF filters access requests to the website and then forwards normal requests to the origin server. The origin server can use the X-Forwarded-For header in back-to-origin requests to retrieve the originating IP addresses of clients. This topic describes how to configure web application servers and Kubernetes containers to retrieve the originating IP addresses of clients. Web application servers include NGINX, IIS 6, IIS 7, Apache, and Tomcat servers.

    Background information

    The X-Forwarded-For header is used to record the originating IP addresses of clients. WAF adds X-Forwarded-For as an HTTP request header before forwarding the access requests to the next-hop server. The header is in the X-Forwarded-For:Client IP address format. If access requests pass through multiple intermediate proxy servers such as WAF, Anti-DDoS Proxy, and Alibaba Cloud CDN, the X-Forwarded-For header records the originating IP addresses of clients and the IP addresses of the intermediate proxy servers. The header records multiple IP addresses that are separated by commas (,). Example: X-Forwarded-For:Client IP address, IP address of Proxy Server 1, IP address of Proxy Server 2, IP address of Proxy Server 3, ….

    Therefore, common web application servers and Kubernetes containers can use the X-Forwarded-For header to retrieve the originating IP addresses of clients.

    The following section describes how to configure the X-Forwarded-For header on NGINX, IIS 6, IIS 7, Apache, and Tomcat servers and Kubernetes containers.

    Important

    Before you start, make sure that the existing environment is backed up, including the Elastic Compute Service (ECS) instance snapshots and the configuration files of web application servers.

    Configure NGINX servers

    NGINX servers use the http_realip_module module to retrieve the originating IP addresses of clients. To install the http_realip_module module and modify the NGINX configuration file, perform the following steps:

    1. Install the http_realip_module module.

      Run the nginx -V | grep http_realip_module command on the NGINX server to check whether the module is installed.

      • If the module is installed, skip this step.

      • If the module is not installed, recompile NGINX and install the module.

        Note

        If NGINX is installed by using a quick installation package, this module is not installed. 

        wget http://nginx.org/download/nginx-1.12.2.tar.gz
tar zxvf nginx-1.12.2.tar.gz
cd nginx-1.12.2
./configure --user=www --group=www --prefix=/alidata/server/nginx --with-http_stub_status_module --without-http-cache --with-http_ssl_module --with-http_realip_module
make
make install
kill -USR2 `cat /alidata/server/nginx/logs/nginx.pid`
kill -QUIT `cat /alidata/server/nginx/logs/nginx.pid.oldbin`

    2. Modify the NGINX configuration file.

      1. Open the nginx.conf configuration file.

      2. Add the following content to http {}:

        http {
  # Specify the IP addresses from which you can receive the originating IP addresses of clients
  set_real_ip_from    <ip_range1>;    
  set_real_ip_from    <ip_range2>;   
  ...
  set_real_ip_from    <ip_rangex>;
  # Specify the HTTP header for the IP addresses of clients
  real_ip_header      X-Forwarded-For;
}

        <ip_range1>, <ip_range2>, and <ip_rangex> in the configuration specify the back-to-origin CIDR blocks of WAF. To obtain all the back-to-origin CIDR blocks of WAF, perform the following steps: Log on to the WAF console and select the resource group and region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland for the region. In the left-side navigation pane, click Website Configuration. On the CNAME Record tab, click Back-to-origin CIDR Blocks.

        If multiple back-to-origin CIDR blocks are involved, you must add all of them and each must be in a separate line. For example, if the back-to-origin CIDR blocks of WAF include 10.10.10.0/24, 11.11.XX.X/25, and 2.13.XX.XX/27, add the following content to http {}:

        set_real_ip_from 10.10.10.0/24;
set_real_ip_from 11.11.XX.X/25;
set_real_ip_from 2.13.XX.XX/27;
real_ip_header X-Forwarded-For;

        You can use the following script to convert the copied back-to-origin IPv4 CIDR blocks into the set_real_ip_from <ip_rangeX> format.

        import re
def format_ip_ranges(ip_ranges_str):
    # Use a regular expression to match all CIDR blocks
    ip_pattern = re.compile(r'\d+\.\d+\.\d+\.\d+/\d\d')
    ip_list = ip_pattern.findall(ip_ranges_str)
    formatted_ips = [f"    set_real_ip_from {ip};" for ip in ip_list]
    output = "\n".join(formatted_ips)
    return output

ip_ranges_str = "Back-to-origin CIDR blocks of WAF in string format"
formatted_output = format_ip_ranges(ip_ranges_str)
print(formatted_output)

    3. Change the log format.

      1. Open the nginx.conf configuration file and find log_format in the HTTP configuration.

      2. In log_format, replace the remote-address field with the x-forwarded-for field.

        The following content shows the log format after change: 

        log_format  main  '$http_x_forwarded_for - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" ';

    4. Run the nginx -s reload command to restart NGINX.

    5. Check whether the configuration takes effect.

      1. Run the following curl command to simulate a request:

        curl -H "X-Forwarded-For: 1.2.3.4" http://example.com

      2. Run the following command to check the NGINX access logs and confirm whether the client IP addresses are retrieved:

        tail -f access.log

    Configure IIS 6 servers

    Internet Information Services (IIS) 6 servers use the F5XForwardedFor module to retrieve the originating IP addresses of clients. To install the F5XForwardedFor module, perform the following steps:

    1. Copy the F5XForwardedFor.dll file from the x86\Release or x64\Release directory to a custom directory such as C:\ISAPIFilters\x86 or C:\ISAPIFilters\x64.

      Note

      • Make sure that the IIS process has read and write permissions on the custom directory.

      • If the F5XForwardedFor.dll file does not exist in the x86\Release or x64\Release directory, click F5XForwardedFor.dll to download and copy the file to the custom directory.

    2. Open IIS Manager, find the website, right-click the website, and then select Properties.

    3. On the ISAPI Filters tab, click Add. Configure the following parameters and click OK.

      In this example, a server that runs a 32-bit operating system is used.

      • Filter name: Enter x_forwarded_for_x86.

      • Executable: Enter the full path of the F5XForwardedFor.dll file. Example: C:\ISAPIFilters\x86\F5XForwardedFor.dll.

    4. Restart IIS 6 for the configurations to take effect.

    Configure IIS 7 servers

    IIS 7 servers use the F5XForwardedFor module to retrieve the originating IP addresses of clients. To install the F5XForwardedFor module, perform the following steps:

    1. Copy the F5XFFHttpModule.dll and F5XFFHttpModule.ini files from the x86\Release or x64\Release directory to a custom directory, such as C:\x_forwarded_for\x86 or C:\x_forwarded_for\x64.

      Note

      • Make sure that the IIS process has read and write permissions on the custom directory.

      • If the F5XForwardedFor.dll and F5XFFHttpModule.ini files do not exist in the x86\Release or x64\Release directory, click F5XForwardedFor to download the files.

    2. Open IIS Manager and double-click Module in the IIS Server section.

    3. On the Module page, click Configure Local Module in the Actions section on the right side.

    4. In the Configure Local Module dialog box, click Register. Configure the following parameters and click OK.

      In this example, a server that runs a 32-bit operating system is used.

      • Name: Enter x_forwarded_for_x86.

      • Path: Enter the full path of the F5XFFHttpModule.dll file. Example: C:\x_forwarded_for\x86\F5XFFHttpModule.dll.

    5. In the Configure Local Module dialog box, select the newly registered module and click OK.

    6. In the ISAPI and CGI Restrictions section, add the registered DLL file and set Restriction to Allow.

    7. Restart IIS 7 for the configurations to take effect.

    Configure Apache servers

    Configure Apache servers in Windows

    The installation packages of Apache 2.4 and later versions provide the remoteip_module module file named mod_remoteip.so. You can use this module to retrieve the originating IP addresses of clients.

    1. In the extra configuration folder of Apache (conf/extra/), create a configuration file named httpd-remoteip.conf.

      Note

      You can import the remoteip.conf configuration file to load the related configurations. This reduces the number of times that you modify the httpd.conf file and prevents service exceptions due to misoperations.

    2. Add the following content to the httpd-remoteip.conf configuration file:

      # Load the mod_remoteip.so module
LoadModule remoteip_module modules/mod_remoteip.so
# Configure the RemoteIPHeader header
RemoteIPHeader X-Forwarded-For
# Specify the back-to-origin CIDR blocks
RemoteIPInternalProxy <ip_range1> <ip_range2> ... <ip_rangex>

      <ip_range1>, <ip_range2>, and <ip_rangex> in the configuration specify the back-to-origin CIDR blocks of WAF. To obtain all the back-to-origin CIDR blocks of WAF, perform the following steps: Log on to the WAF console and select the resource group and region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland for the region. In the left-side navigation pane, click Website Configuration. On the CNAME Record tab, click Back-to-origin CIDR Blocks.

      Separate multiple back-to-origin CIDR blocks with spaces. For example, if the back-to-origin CIDR blocks of the proxy servers include 10.0.0.1, 10.0.0.2, and 10.0.0.3, specify the CIDR blocks in the following format: 

      RemoteIPInternalProxy 10.0.0.1 10.0.0.2 10.0.0.3

    3. Add the following content to the conf/httpd.conf configuration file:

      Include conf/extra/httpd-remoteip.conf

      The preceding configuration specifies that the content of the httpd-remoteip.conf configuration file is inserted into conf/httpd.conf.

    4. Change the log format in the httpd.conf configuration file. 

      LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%a %l %u %t \"%r\" %>s %b" common

    5. Restart Apache for the configurations to take effect.

    Configure Apache servers in Linux

    Perform the preceding steps to add the remoteip_module module (mod_remoteip.so) and configure the log format to retrieve the originating IP addresses of clients. The remoteip_module is a built-in module of Apache 2.4 and later versions.

    If the version of Apache is earlier than 2.4, install the third-party module named mod_rpaf to retrieve the originating IP addresses of clients.

    1. Install the mod_rpaf module. 

      wget https://github.com/gnif/mod_rpaf/archive/v0.6.0.tar.gz
tar zxvf mod_rpaf-0.6.tar.gz
cd mod_rpaf-0.6
/alidata/server/httpd/bin/apxs -i -c -n mod_rpaf-2.0.so mod_rpaf-2.0.c

    2. Append the following content to the /alidata/server/httpd/conf/httpd.conf configuration file of Apache:

      LoadModule rpaf_module modules/mod_rpaf-2.0.so
RPAFenable On
RPAFsethostname On
RPAFproxy_ips <rpaf IP address>
RPAFheader X-Forwarded-For

      <rpaf IP address> in the configuration is the IP address of the mod_rpaf module. You can query the IP address in Apache logs. Do not use the public IP addresses of proxy servers. In most cases, two IP addresses are included. Example:

      LoadModule rpaf_module modules/mod_rpaf-2.0.so
RPAFenable On
RPAFsethostname On
RPAFproxy_ips 10.XX.XX.65 10.XX.XX.131
RPAFheader X-Forwarded-For

    3. Restart Apache for the configurations to take effect. 

      /alidata/server/httpd/bin/apachectl restart

    For more information about the Apache modules, see Apache help documentation.

    Configure Tomcat servers

    Tomcat servers use the X-Forwarded-For header to retrieve the originating IP addresses of clients.

    1. Open the tomcat/conf/server.xml configuration file.

    2. Modify the AccessLogValve logging feature based on the following configuration:

      <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log." suffix=".txt"
pattern="%{X-FORWARDED-FOR}i %l %u %t %r %s %b %D %q %{User-Agent}i %T" resolveHosts="false"/>

    Configure Kubernetes containers

    If your service is deployed on a Kubernetes container, Kubernetes records the originating IP addresses of clients in the X-Original-Forwarded-For field and the back-to-origin CIDR blocks of WAF in the X-Forwarded-For field. To obtain the originating IP addresses of clients, you must modify the container configuration file and enable an Ingress controller to add the IP addresses to the X-Forwarded-For field.

    To modify the container configuration file, perform the following steps:

    1. Run the following command to modify the kube-system/nginx-configuration configuration file: 

      kubectl -n kube-system edit cm nginx-configuration

    2. Add the following content to the configuration file:

      compute-full-forwarded-for: "true"
forwarded-for-header: "X-Forwarded-For"
use-forwarded-headers: "true"

    3. Save the configuration file.

      The configurations take effect immediately after you save the configuration file. Then, the Ingress controller adds the originating IP addresses of clients to the X-Forwarded-For field.

    4. Replace the field that is used to obtain the originating IP addresses of clients with the X-Original-Forwarded-For field.