How Does WAF Obtain the Real Client IP Address for a Request?
This depends on which WAF access mode is used for the website.
Cloud Mode - CNAME Access and Dedicated Mode
WAF applies its protection rules and then forwards the request to the origin server. If IP address-based rules (such as blacklist and whitelist, geographical location, and IP address-based precise access rules) are configured, WAF first determines the real client IP address and then allows or blocks the request according to those rules. WAF obtains the real IP address in accordance with the following principles:
- If you select Yes for Use Layer-7 Proxy when you add a domain name to WAF, WAF obtains the source IP address in the following sequence:
  1. The source IP header list configured in upstream is used first, that is, the IP tag configured on the basic information page of the domain name. For details, see Configuring a Traffic Identifier for a Known Attack Source. If you want to use the TCP connection IP address as the client IP address, set IP Tag to remote_addr. If no IP address is obtained from the tag, go to 2.
  2. Obtain the value of the cdn-src-ip field in the source IP header list configured in the config file. If no value is obtained, go to 3.
  3. Obtain the value of the x-real-ip field. If no value is obtained, go to 4.
  4. Obtain the first public IP address, reading from the left, in the x-forwarded-for field. Private and other non-public addresses are skipped. If no public IP address is obtained, go to 5.
  5. Use the value of remote_addr, the IP address of the peer that established the TCP connection.
  Because steps 1 to 4 read the client address from request headers, select Yes only when every request really does pass through a trusted proxy or CDN before reaching WAF. A client that can reach WAF directly can set these headers itself and present an arbitrary address to IP address-based rules.
- If no proxy is used, that is, you select No for Use Layer-7 Proxy when adding the domain name to WAF, request headers are ignored and WAF obtains the source IP address from the remote_ip field, the address of the TCP connection.
Cloud Mode - Load Balancer Access
In load balancer access mode, WAF obtains the source IP address in the following sequence:
1. The source IP header list configured in upstream is used first, that is, the IP tag configured on the basic information page of the domain name. For details, see Configuring a Traffic Identifier for a Known Attack Source. If you want to use the TCP connection IP address as the client IP address, set IP Tag to remote_addr. If no IP address is obtained from the tag, go to 2.
2. Obtain the value of the cdn-src-ip field in the source IP header list configured in the config file. If no value is obtained, go to 3.
3. Obtain the value of the x-real-ip field. If no value is obtained, go to 4.
4. Obtain the first public IP address, reading from the left, in the x-forwarded-for field. Private and other non-public addresses are skipped. If no public IP address is obtained, go to 5.
5. Use the value of remote_addr, the IP address of the TCP connection established from the ELB load balancer.
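The resolution order above is the same for CNAME, dedicated and load balancer access, so the following added example models it once. It is illustrative code written for this page, not WAF's own implementation: the function names, the header dictionary shape, the treatment of the IP tag as a custom header name, and the sample addresses are all assumptions. It also shows the practical consequence of the header-based steps: a blacklist keyed on the resolved address is only as trustworthy as the headers WAF is told to believe.

```python
import ipaddress


def first_public_ip(xff_value):
    """Step 4: first public address in x-forwarded-for, reading left to right.

    Non-IP tokens and non-public addresses (private, loopback, link-local,
    documentation ranges and so on) are skipped, as the page describes.
    """
    for token in xff_value.split(","):
        token = token.strip()
        if not token:
            continue
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            continue  # e.g. "unknown" inserted by some proxies
        if addr.is_global:
            return str(addr)
    return None


def resolve_client_ip(headers, remote_addr, layer7_proxy=True, ip_tag=None):
    """Mimic the source-IP resolution order described on this page.

    headers      -- request headers as a dict with lowercase names (assumed shape)
    remote_addr  -- peer address of the TCP connection
    layer7_proxy -- the 'Use Layer-7 Proxy' setting for the domain name
    ip_tag       -- configured IP tag: a custom header name, 'remote_addr', or None
    """
    if not layer7_proxy:
        # Use Layer-7 Proxy = No: headers are ignored entirely.
        return remote_addr

    # Step 1: the configured IP tag (assumed here to name a request header).
    if ip_tag:
        if ip_tag == "remote_addr":
            return remote_addr
        value = headers.get(ip_tag.lower(), "").strip()
        if value:
            return value

    # Steps 2 and 3: cdn-src-ip, then x-real-ip.
    for name in ("cdn-src-ip", "x-real-ip"):
        value = headers.get(name, "").strip()
        if value:
            return value

    # Step 4: first public address in x-forwarded-for.
    xff = headers.get("x-forwarded-for", "")
    if xff:
        public = first_public_ip(xff)
        if public:
            return public

    # Step 5: fall back to the TCP peer address.
    return remote_addr


def is_blocked(client_ip, blacklist_cidrs):
    """Apply an IP blacklist to the address the resolver produced."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(cidr, strict=False)
               for cidr in blacklist_cidrs)


def blacklist_decision(headers, remote_addr, blacklist_cidrs, layer7_proxy=True):
    """Resolve the client address and return (resolved_ip, blocked)."""
    ip = resolve_client_ip(headers, remote_addr, layer7_proxy=layer7_proxy)
    return ip, is_blocked(ip, blacklist_cidrs)


if __name__ == "__main__":
    # Constructed sample: the TCP peer is blacklisted, but with Layer-7 Proxy
    # enabled and no trusted proxy in front, the peer can supply its own
    # x-forwarded-for and be evaluated as a different address.
    blacklist = ["8.8.8.0/24"]
    spoofed = {"x-forwarded-for": "10.0.0.5, 1.1.1.1"}
    print(blacklist_decision(spoofed, "8.8.8.8", blacklist))             # ('1.1.1.1', False)
    print(blacklist_decision(spoofed, "8.8.8.8", blacklist, layer7_proxy=False))  # ('8.8.8.8', True)
```

The x-forwarded-for scan deliberately skips leading private addresses (the `10.0.0.5` above), which is why a chain such as `10.0.0.5, 1.1.1.1` resolves to the second entry. The last two lines are the caveat from the text in executable form: the same request is blocked or allowed depending only on whether WAF is told to trust request headers.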