Updated on 2023-11-30 GMT+08:00

How Does WAF Obtain the Real Client IP Address for a Request?

WAF forwards requests to the backend based on protection rules. If IP address-based rules (such as blacklist and whitelist, geographical location, and IP address-based precise access rules) are configured for WAF, WAF checks the real IP addresses first and then allows or blocks the request according to the configured rules. WAF obtains real IP addresses in accordance with the following principles:

  • If you select Layer-4 proxy or Layer-7 proxy for Proxy Configured when you add a domain name to WAF, WAF obtains the source IP address in the following sequence:
    1. WAF first uses the source IP header list configured in upstream, that is, the IP address tag configured on the basic information page of the domain name. For details, see Configuring a Traffic Identifier for a Known Attack Source. If no IP address is available, go to 2.

      If you want to use a TCP connection IP address as the client IP address, set IP Tag to remote_addr.

    2. Obtain the value of the cdn-src-ip field in the source IP header list configured in the config file. If no value is obtained, go to 3.
    3. Obtain the value of the x-real-ip field. If no value is obtained, go to 4.
    4. Obtain the first public IP address from the left of the x-forwarded-for field. If no public IP address is obtained, go to 5.
    5. Obtain the value of the remote_addr field, which includes the IP address used for establishing the TCP connection.
  • If you select No proxy for Proxy Configured when you add a domain name to WAF, WAF obtains the source IP address from the remote_ip field.
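
The lookup order above, modelled in Python as an added example (not WAF's own code and not part of the original page). The function names, the `ip_tags` parameter, treating an unparsable header value as "not available", and using `ipaddress`'s `is_global` to decide what counts as a public address are assumptions.

```python
import ipaddress

# Steps 2 and 3 of the documented sequence, tried after the configured IP tag.
FALLBACK_HEADERS = ("cdn-src-ip", "x-real-ip")


def _parse(value):
    """Return an ip_address object, or None if value is not a valid IP."""
    try:
        return ipaddress.ip_address(value.strip())
    except (ValueError, AttributeError):
        return None


def first_public_xff(xff):
    """Step 4: first public address from the left of x-forwarded-for."""
    for part in xff.split(","):
        ip = _parse(part)
        if ip is not None and ip.is_global:  # assumption: public == is_global
            return str(ip)
    return None


def resolve_client_ip(headers, remote_addr, ip_tags=(), proxy=True):
    """Return (client_ip, source) following the documented order."""
    if not proxy:
        # "No proxy": the page names this field remote_ip; assumed here to
        # be the same TCP peer address that is passed in as remote_addr.
        return remote_addr, "remote_ip"
    h = {k.lower(): v for k, v in headers.items()}
    # Step 1 (configured IP tags), then steps 2 and 3.
    for name in tuple(t.lower() for t in ip_tags) + FALLBACK_HEADERS:
        if name == "remote_addr":  # IP Tag set to remote_addr
            return remote_addr, "remote_addr"
        ip = _parse(h.get(name, ""))
        if ip is not None:
            return str(ip), name
    ip = first_public_xff(h.get("x-forwarded-for", ""))  # step 4
    if ip:
        return ip, "x-forwarded-for"
    return remote_addr, "remote_addr"  # step 5
```

Recording the returned source next to the address shows whether an IP address-based rule matched on a request header or on the TCP connection address.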
