
Obtain the real IP address of a visitor

Last Updated: Feb 07, 2018

This document describes how to obtain the real IP addresses of access requests to your origin after you enable Anti-DDoS Pro for the origin.

Non-Web Service (Layer-4 access)

Select the method that best suits your origin’s architecture to obtain the clients’ IP addresses.

Anti-DDoS Pro > Alibaba Cloud ECS

The TCP port requires no modifications. The IP addresses obtained by the origin server are the clients’ real IP addresses. The ECS security group’s rules also apply to the clients’ real IP addresses.

Note: If the UDP port is used to forward requests, then the origin ECS cannot get the real IP address.

Anti-DDoS Pro > SLB > ECS

With this architecture, the origin cannot obtain the clients’ real IP addresses. The IP addresses obtained by ECS are Anti-DDoS Pro’s back-to-source IP addresses.

Anti-DDoS Pro > Non-Alibaba Cloud server

This architecture is partially supported. For more information, see How can origins outside Alibaba Cloud get the clients’ real source IP addresses.

Web service (Layer-7 access)

When a layer-7 proxy server (such as Anti-DDoS Pro) forwards users’ access requests to the backend server, the source address that the origin sees is the back-to-source IP address of that proxy server. The layer-7 proxy server places the client’s real IP address in the X-Forwarded-For field of the HTTP header. The format is as follows: X-Forwarded-For: Visitor’s real IP address, Anti-DDoS Pro IP address.

If more than one proxy server is used (for example, the requests pass through WAF, CDN, and other proxy servers), the format of the HTTP header’s X-Forwarded-For field is as follows: X-Forwarded-For: Visitor’s real IP address, Proxy 1-IP address, Proxy 2-IP address, Proxy 3-IP address....

The visitor’s real IP address is placed at the first position, followed by all intermediate proxy servers’ IP addresses. Therefore, the origin can obtain a visitor’s real IP address from the HTTP header’s X-Forwarded-For field.

Common methods for retrieving the X-Forwarded-For field

  • ASP

    Request.ServerVariables("HTTP_X_FORWARDED_FOR")
  • ASP.NET (C#)

    Request.ServerVariables["HTTP_X_FORWARDED_FOR"]
  • PHP

    $_SERVER["HTTP_X_FORWARDED_FOR"]
  • JSP

    request.getHeader("X-Forwarded-For")

After retrieving the HTTP header’s X-Forwarded-For field, use “,” as the delimiter to capture the first IP address, which is the client’s real IP address.
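
The parsing step above, as an added Python example that is not part of the original page or of Alibaba Cloud's code: it takes the first X-Forwarded-For entry only when the connection itself comes from a proxy address, and checks that the entry is a valid IP address. The function names and the 203.0.113.0/24 range are assumptions; replace the range with the back-to-source addresses of your own Anti-DDoS Pro instance.

```python
import ipaddress

# Assumption: placeholder for the Anti-DDoS Pro back-to-source addresses of
# your instance (203.0.113.0/24 is a documentation-only range).
TRUSTED_PROXY_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def is_trusted_proxy(addr):
    """True if the TCP peer address belongs to a configured proxy range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXY_NETS)


def client_ip(peer_addr, xff_header):
    """Return the visitor's IP address for one request.

    peer_addr  -- source address of the connection as seen by the origin
    xff_header -- raw X-Forwarded-For value, or None if the header is absent
    """
    # The header is only meaningful on requests forwarded by the proxy;
    # otherwise fall back to the connection's own source address.
    if not xff_header or not is_trusted_proxy(peer_addr):
        return peer_addr

    # Split on "," and take the first entry, as described above.
    first = xff_header.split(",")[0].strip()
    try:
        # Normalises the value and rejects anything that is not an IP address.
        return str(ipaddress.ip_address(first))
    except ValueError:
        return peer_addr


if __name__ == "__main__":
    # Constructed sample requests: (peer address, X-Forwarded-For value)
    samples = [
        ("203.0.113.10", "198.51.100.7, 203.0.113.10"),
        ("203.0.113.10", "198.51.100.7, 192.0.2.1, 192.0.2.2, 203.0.113.10"),
        ("192.0.2.50", "198.51.100.7"),          # did not come via the proxy
        ("203.0.113.10", "not-an-ip, 203.0.113.10"),
    ]
    for peer, xff in samples:
        print(peer, "|", xff, "->", client_ip(peer, xff))
```

Use the returned address for logging and access decisions in place of the raw header value.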

More references

For more information about the corresponding X-Forwarded-For configuration methods for the Nginx, IIS 6, IIS 7, Apache, and Tomcat servers, see Obtain real IP addresses of visitors.
