Updated on 2022-01-25 GMT+08:00

How Can I Obtain the IP Address of a Client?

Background

  • If Network Address Translation (NAT) or Web Application Firewall (WAF) is used, you cannot obtain the IP addresses of the clients.
  • If the client is a container, you can obtain only the IP address of the node where the container is located, but cannot obtain the IP address of the container.
  • If the function of obtaining client IP addresses is enabled for TCP or UDP listeners, a cloud server cannot be used as a backend server and a client at the same time.

Layer 7 Load Balancing

Configure the application server and obtain the IP address of a client from the HTTP header.

The real IP address is placed in the X-Forwarded-For header by the load balancer in the following format:

X-Forwarded-For: IP address of the client,Proxy server 1-IP address,Proxy server 2-IP address,...

If you use this method, the first IP address obtained is the IP address of the client.

Apache Server

  1. Install Apache 2.4.

    For example, if CentOS 7.5 is used as the OS, run the following command to install the software:

    yum install httpd
  2. Add the following content to the end of Apache configuration file /etc/httpd/conf/httpd.conf:
    LoadModule remoteip_module modules/mod_remoteip.so
    RemoteIPHeader X-Forwarded-For
    RemoteIPInternalProxy 100.125.0.0/16
    Figure 1 Content to be added

    Set the value of RemoteIPInternalProxy to the IP address ranges of the proxy servers, for example, the IP address range used by the AAD service and 100.125.0.0/16 used by ELB. Use a comma (,) to separate every two entries.

  3. Change the log output format in the Apache configuration file to the following (%a indicates the source IP address):
    LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
  4. Restart Apache.
    systemctl restart httpd
  5. Obtain the actual IP address of the client from the httpd access logs.

Nginx Server

For example, if CentOS 7.5 is used as the OS, run the following command to install the software:

  1. Run the following commands to install http_realip_module:
    yum -y install gcc pcre pcre-devel zlib zlib-devel openssl openssl-devel
    wget http://nginx.org/download/nginx-1.17.0.tar.gz
    tar zxvf nginx-1.17.0.tar.gz
    cd nginx-1.17.0
    ./configure --prefix=/path/server/nginx --with-http_stub_status_module --without-http-cache --with-http_ssl_module --with-http_realip_module
    make
    make install
  2. Run the following command to open the nginx.conf file:
    vi /path/server/nginx/conf/nginx.conf
  3. Add the following content under http or server:
    ;100.125.0.0/16set_real_ip_from 
    real_ip_header X-Forwarded-For;
    Figure 2 Content to be added

    Set the value of set_real_ip_from to the IP address ranges of the proxy servers, for example, the IP address range used by the AAD service and 100.125.0.0/16 used by ELB. Use a comma (,) to separate every two entries.

  4. Start Nginx.
    /path/server/nginx/sbin/nginx
  5. Obtain the actual IP address of the client from the Nginx access logs.
    cat /path/server/nginx/logs/access.log

Tomcat Servers

In the following operations, the Tomcat installation path is /usr/tomcat/tomcat8/.

  1. Log in to a server on which Tomcat is installed.
  2. Check whether Tomcat is running properly.
    ps -ef|grep tomcat
    netstat -anpt|grep java
    Figure 3 Tomcat running properly
  3. Add the following configuration items to the server.xml file:
    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
    prefix="localhost_access_log." suffix=".txt"
    pattern="%{X-FORWARDED-FOR}i %l %u %t %r %s %b %D %q %{User-Agent}i %T" resolveHosts="false" />
    Figure 4 Example configuration
  4. Restart the Tomcat service.
    cd /usr/tomcat/tomcat8/bin && sh startup.sh

    In this command, /usr/tomcat/tomcat8/ is the Tomcat installation path. Change it based on site requirements.

    Figure 5 Restarting the Tomcat service
  5. View the latest logs.

    As highlighted in the following figure, IP addresses that are not in the IP address range starting with 100.125 are the source IP addresses.

    cat localhost_access_log..2020-09-10.txt

    In this command, localhost_access_log..2020-09-10.txt indicates the log path of the current day. Change it based on site requirements.

    Figure 6 Querying the source IP address

Windows Server with IIS Deployed

The following uses Windows Server 2012 with IIS7 as an example to describe how to obtain the source IP address.

  1. Download and install the Java Runtime Environment (JRE).

    https://www.microsoft.com/en-us/download/details.aspx?id=2299

  2. Download the F5XForwardedFor.dll plug-in and copy the plug-ins in the x86 and x64 directories to a directory on which IIS has the access permission, for example, C:\F5XForwardedFor2008.
  3. Open the Server Manager and choose Modules > Configure Native Modules.
    Figure 7 Selecting modules
    Figure 8 Configure Native Modules
  4. Click Register to register the x86 and x64 plug-ins.
    Figure 9 Registering plug-ins
  5. In the Modules dialog box, verify that the registered plug-ins are displayed in the list.
    Figure 10 Confirming the registration
  6. Select ISAPI Filters on the Server Manager homepage and authorize two plug-ins to run ISAPI and CGI extensions.
    Figure 11 Adding authorization
  7. Select ISAPI and CGI Restriction to set the execution permission for the two plug-ins.
    Figure 12 Allowing the plug-ins to execute
  8. Click Restart on the homepage to restart IIS. The configuration takes effect after the restart.
    Figure 13 Restarting IIS

Layer 4 Load Balancing

TCP listeners require the TOA plug-in to obtain real IP addresses. For details, see Configuring the TOA Plug-in.