How Does WAF Obtain the Real Client IP Address for a Request?
WAF forwards requests to the backend based on protection rules. If IP address-based rules (such as blacklist and whitelist, geographical location, and IP address-based precise access rules) are configured for WAF, WAF checks the real IP addresses first and then allows or blocks the request according to the configured rules. WAF obtains real IP addresses in accordance with the following principles:
- If you select Layer-4 proxy or Layer-7 proxy for Proxy Configured when you add a domain name to WAF, WAF obtains the source IP address in the following sequence:
- The source IP header list configured in upstream is preferentially used, that is, the IP address tag configured on the basic information page of the domain name. For details, see Configuring a Traffic Identifier for a Known Attack Source. If no IP address is available, go to 2.
If you want to use a TCP connection IP address as the client IP address, set IP Tag to remote_addr.
- Obtain the value of the cdn-src-ip field in the source IP header list configured in the config file. If no value is obtained, go to 3.
- Obtain the value of the x-real-ip field. If no value is obtained, go to 4.
- Obtain the first public IP address from the left of the x-forwarded-for field. If no public IP address is obtained, go to 5.
- Obtain the value of the remote_addr field, which includes the IP address used for establishing the TCP connection.
- The source IP header list configured in upstream is preferentially used, that is, the IP address tag configured on the basic information page of the domain name. For details, see Configuring a Traffic Identifier for a Known Attack Source. If no IP address is available, go to 2.
- If no proxy is used, that is, you select No proxy for Proxy Configured when adding the domain name to WAF, WAF obtains the source IP address from the remote_ip field.
Protection Event Logs FAQs
- Can WAF Log Protection Events?
- Can I Obtain WAF Logs Using APIs?
- How Do I Obtain Data about Block Actions?
- What Does "Mismatch" for "Protective Action" Mean in the Event List?
- How Does WAF Obtain the Real Client IP Address for a Request?
- Can WAF Logs Be Transferred to OBS?
- Can WAF Forward Logs to the Syslog Server?
- How Long Can WAF Protection Logs Be Stored?
- Can I Query Protection Events of a Batch of Specified IP Addresses at Once?
- Will WAF Record Unblocked Events?
- Why Is the Traffic Statistics on WAF Inconsistent with That on the Origin Server?
- Why Is the Number of Logs on the Dashboard Page Inconsistent with That on the Configure Logs Tab?
- Why Are There Garbled Characters in Event Data I Exported from WAF?
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbotmore