Updated on 2024-11-05 GMT+08:00

How Does WAF Obtain the Real Client IP Address for a Request?

This depends on which WAF access mode is used for the website.

Cloud Mode - CNAME Access and Dedicated Mode

WAF forwards requests to the backend based on protection rules. If IP address-based rules (such as blacklist and whitelist, geographical location, and IP address-based precise access rules) are configured for WAF, WAF checks the real IP addresses first and then allows or blocks the request according to the configured rules. WAF obtains real IP addresses in accordance with the following principles:

  • If you select Yes for Use Layer-7 Proxy when you add a domain name to WAF, WAF obtains the source IP address in the following sequence:
    1. WAF first uses the source IP header list configured in upstream, that is, the IP address tag (IP Tag) configured on the basic information page of the domain name. For details, see Configuring a Traffic Identifier for a Known Attack Source. If no IP address is available, go to 2.

      If you want to use a TCP connection IP address as the client IP address, set IP Tag to remote_addr.

    2. Obtain the value of the cdn-src-ip field in the source IP header list configured in the config file. If no value is obtained, go to 3.
    3. Obtain the value of the x-real-ip field. If no value is obtained, go to 4.
    4. Obtain the first public IP address from the left of the x-forwarded-for field. If no public IP address is obtained, go to 5.
    5. Obtain the value of the remote_addr field, which includes the IP address used for establishing the TCP connection.
  • If no proxy is used, WAF obtains the source IP address from the remote_ip field.
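
The lookup order in the list above, written out as an added Python example (not the WAF's own code). The function names, the single-address format of IP Tag headers, and the definition of "public" as "outside the listed reserved IPv4 ranges" are assumptions; the sample addresses are constructed from documentation ranges.

```python
import ipaddress

# Assumption: "public" means outside these IPv4 ranges; the page does not define it.
NON_PUBLIC_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]

def parse_ip(value):
    """Return an ip_address object, or None if the value is empty or malformed."""
    try:
        return ipaddress.ip_address((value or "").strip())
    except ValueError:
        return None

def is_public(ip):
    if ip.version == 6:
        return ip.is_global
    return not any(ip in net for net in NON_PUBLIC_V4)

def resolve_client_ip(headers, remote_addr, ip_tags=()):
    """Return (client_ip, field_used) following steps 1 to 5 of the list above."""
    h = {k.lower(): v for k, v in headers.items()}
    # Step 1: headers named in the domain's IP Tag; "remote_addr" selects the TCP peer.
    for tag in ip_tags:
        if tag.lower() == "remote_addr":
            return remote_addr, "ip_tag:remote_addr"
        ip = parse_ip(h.get(tag.lower()))
        if ip is not None:
            return str(ip), "ip_tag:" + tag
    # Steps 2 and 3: cdn-src-ip, then x-real-ip.
    for name in ("cdn-src-ip", "x-real-ip"):
        ip = parse_ip(h.get(name))
        if ip is not None:
            return str(ip), name
    # Step 4: first public address from the left of x-forwarded-for.
    for part in h.get("x-forwarded-for", "").split(","):
        ip = parse_ip(part)
        if ip is not None and is_public(ip):
            return str(ip), "x-forwarded-for"
    # Step 5: address of the TCP connection.
    return remote_addr, "remote_addr"

if __name__ == "__main__":
    # Constructed request: documentation-range addresses, not real traffic.
    sample = {"X-Forwarded-For": "10.0.0.5, 203.0.113.7, 198.51.100.9"}
    print(resolve_client_ip(sample, "192.0.2.10"))
```

Steps 1 to 4 read request headers, so the result is only as trustworthy as the proxy that sets them. The second element of the return value names the field that supplied the address, which helps when checking why an IP address-based rule matched.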