This document describes how to obtain the real IP addresses of access requests to your origin after you enable Anti-DDoS Pro for the origin.
Select and apply the method best suited to your origin’s architecture to obtain the clients’ real IP addresses.
TCP ports require no modification. The IP addresses that the origin server obtains are the clients’ real IP addresses, and the ECS security group’s configuration also applies to the clients’ real IP addresses.
Note: If the UDP port is used to forward requests, then the origin ECS cannot get the real IP address.
With this architecture, the clients’ real IP addresses cannot be obtained. The IP addresses that ECS obtains are Anti-DDoS Pro’s back-to-source IP addresses.
This architecture is partially supported. For more information, see How can origins outside Alibaba Cloud get the clients’ real source IP addresses.
When a layer-7 proxy server (such as Anti-DDoS Pro) forwards users’ access requests to the backend server, the source IP address that the origin sees is the proxy server’s back-to-source IP address. The layer-7 proxy server places the client’s real IP address in the X-Forwarded-For field of the HTTP header. The format is as follows:
X-Forwarded-For: Visitor’s real IP address, Anti-DDoS Pro IP address.
If the requests pass through more than one proxy server (for example, WAF, CDN, and other proxy servers), the format of the X-Forwarded-For field in the HTTP header is as follows:
X-Forwarded-For: Visitor’s real IP address, Proxy 1-IP address, Proxy 2-IP address, Proxy 3-IP address....
The visitor’s real IP address is placed at the first position, followed by all intermediate proxy servers’ IP addresses. Therefore, the origin can obtain a visitor’s real IP address from the HTTP header’s X-Forwarded-For field.
After retrieving the HTTP header’s X-Forwarded-For field, use “,” as the delimiter to capture the first IP address, which is the client’s real IP address.
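The extraction step described above, as an added example that is not part of the original page or Alibaba Cloud's own code. It goes beyond the page in one respect: besides taking the first entry, it shows a stricter variant that honors the header only when the TCP peer is a known proxy and walks the chain from the right, because a request that reaches the origin without passing through the proxy can carry any X-Forwarded-For value. The function names and the 203.0.113.0/24 proxy range are assumptions made for illustration.

```python
import ipaddress

# Assumption: constructed back-to-source range (RFC 5737 documentation block),
# standing in for the real Anti-DDoS Pro back-to-source addresses.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]


def split_xff(header):
    """Split the header value on ',' and strip whitespace around each entry."""
    return [part.strip() for part in header.split(",") if part.strip()]


def first_entry(header):
    """The method described above: the first entry is the visitor's IP."""
    entries = split_xff(header)
    return entries[0] if entries else None


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True if addr is a valid IP inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def client_ip(peer_addr, header, trusted=TRUSTED_PROXIES):
    """Return the client IP, honoring X-Forwarded-For only from trusted peers.

    Walks the chain right to left and returns the first address that is not
    a trusted proxy, so entries a client prepended itself are ignored.
    """
    if not header or not is_trusted(peer_addr, trusted):
        return peer_addr  # direct connection: the header cannot be trusted
    for entry in reversed(split_xff(header)):
        if is_trusted(entry, trusted):
            continue
        try:
            return str(ipaddress.ip_address(entry))
        except ValueError:
            return peer_addr  # malformed entry: fall back to the TCP peer
    return peer_addr  # every entry was a trusted proxy
```

For a header in the format shown above, both functions return the same address; they differ only when the header arrives with extra leading entries or from an untrusted peer.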
For more information about the corresponding X-Forwarded-For configuration methods for the Nginx, IIS 6, IIS 7, Apache, and Tomcat servers, see Obtain real IP addresses of visitors.