Obtaining Real Client IPs in IPv4 CLB Scenarios

Last updated: 2024-01-04 14:39:00

    Notes on Getting Real Client IP Addresses by CLB

    All layer-4 (TCP/UDP/TCP SSL) and layer-7 (HTTP/HTTPS) CLB services support getting a real client IP address directly on a backend CVM instance with no additional configuration required.
    For layer-4 CLB, the source IP address obtained on the backend CVM instance is the client IP address.
    For layer-7 CLB, when a non-persistent connection is used between the CLB instance and the real server, the source IP address obtained on the backend CVM instance is the client IP address; when a persistent connection is used between the CLB instance and the real server, the CLB instance does not pass through the source IP address. You can use the X-Forwarded-For or remote_addr field to directly get the client IP address. For the access logs of layer-7 CLB, see Configuring Access Logs.
    Note:
    For layer-4 CLB, the client IP address can be directly obtained with no additional configuration required on the backend CVM instance.
    For other layer-7 load balancing services with SNAT enabled, you need to configure the backend CVM instance and then use X-Forwarded-For to get the real client IP address.
    Below are commonly used application server configuration schemes.

    IIS 6 Configuration Scheme

    1. Download and install the F5XForwardedFor plugin module, copy F5XForwardedFor.dll in the x86\Release or x64\Release directory based on your server operating system version to a certain directory (such as C:\ISAPIFilters in this document), and make sure that the IIS process has the read permission on this directory.
    2. Open IIS Manager and navigate to the web server you would like to apply it to. Right-click your web server and select Properties.
    3. On the properties page, switch to ISAPI Filters and click Add to pop up the Add/Edit Filter Properties window.
    4. In the pop-up window, enter "F5XForwardedFor" for Filter Name and the full path to F5XForwardedFor.dll for Executable and then click OK.
    5. Restart the IIS server for the configuration to take effect.

    IIS 7 Configuration Scheme

    1. Download and install the F5XForwardedFor plugin module, copy F5XFFHttpModule.dll and F5XFFHttpModule.ini in the x86\Release or x64\Release directory based on your server operating system version to a certain directory (such as C:\x_forwarded_for in this document), and make sure that the IIS process has the read permission on this directory.
    2. Open IIS Manager, select your IIS server, and double-click Modules.
    
    3. Click Configure Native Modules.
    
    4. In the pop-up window, click Register.
    
    5. Add the downloaded DLL files, as shown below:
    
    6. After adding the files, check them and click OK.
    
    7. Add the above two DLL files in "ISAPI and CGI Restrictions" and set the restrictions to "Allow".
    
    8. Restart the IIS server for the configuration to take effect.

    Apache Configuration Scheme

    1. Install the third-party Apache module "mod_rpaf".
    wget http://stderr.net/apache/rpaf/download/mod_rpaf-0.6.tar.gz
    tar zxvf mod_rpaf-0.6.tar.gz
    cd mod_rpaf-0.6
    /usr/bin/apxs -i -c -n mod_rpaf-2.0.so mod_rpaf-2.0.c
    2. Modify the Apache configuration file /etc/httpd/conf/httpd.conf by adding the following to the end of the file:
    LoadModule rpaf_module modules/mod_rpaf-2.0.so
    RPAFenable On
    RPAFsethostname On
    # Replace "IP address" with the proxy IP addresses. The IP address is not the public IP address provided by CLB. For the specific IP address, query the Apache logs. Generally, there are two IP addresses and you need to enter both of them.
    RPAFproxy_ips IP address
    RPAFheader X-Forwarded-For
    3. After adding the above content, restart Apache.
    /usr/sbin/apachectl restart

    Nginx Configuration Scheme

    1. You can use http_realip_module to get the real client IP address when Nginx is used as the server. However, this module is not installed in Nginx by default, and you need to recompile Nginx to add --with-http_realip_module.
    yum -y install gcc pcre pcre-devel zlib zlib-devel openssl openssl-devel
    wget http://nginx.org/download/nginx-1.17.0.tar.gz
    tar zxvf nginx-1.17.0.tar.gz
    cd nginx-1.17.0
    ./configure --prefix=/path/server/nginx --with-http_stub_status_module --without-http-cache --with-http_ssl_module --with-http_realip_module
    make
    make install
    2. Modify the nginx.conf file.
    vi /etc/nginx/nginx.conf
    Modify the configuration fields and information as follows:
    Note:
    You need to replace xx.xx.xx.xx with the IP or IP range of the upper-layer proxy server.
    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 128k;
    
    # Modify the configuration fields and information as follows
    set_real_ip_from xx.xx.xx.xx;
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;
    3. Restart Nginx.
    service nginx restart
    4. View Nginx access logs to get the real client IP address.
    cat /path/server/nginx/logs/access.log
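
How the trusted-proxy list in step 2 (`set_real_ip_from` with `real_ip_recursive on`) decides which X-Forwarded-For entry is logged as the client, modeled in Python from the documented behaviour of those directives. This is an added example, not code from the original page or from Nginx; the function name `resolve_client_ip`, the 192.0.2.0/24 proxy range and all sample addresses are assumptions constructed for illustration.

```python
import ipaddress

def resolve_client_ip(remote_addr, xff_header, trusted_cidrs, recursive=True):
    """Pick the client address the way a realip-style trusted-proxy list does."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    current = ipaddress.ip_address(remote_addr)
    # X-Forwarded-For is honoured only when the TCP peer is a trusted proxy.
    if not is_trusted(current):
        return str(current)

    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    # Walk right to left: the right-most entries were appended by our proxies,
    # anything further left was supplied by whoever connected to them.
    for hop in reversed(hops):
        try:
            candidate = ipaddress.ip_address(hop)
        except ValueError:
            break  # unparseable entry: keep the last address that parsed
        current = candidate
        if not recursive or not is_trusted(current):
            break  # first non-trusted address is treated as the client
    return str(current)

# Constructed sample values (documentation address ranges, not CLB addresses).
PROXIES = ["192.0.2.0/24"]             # stand-in for the set_real_ip_from range
FORGED = "198.51.100.99, 203.0.113.7"  # forged entry from client, then real peer
CHAIN = "203.0.113.7, 192.0.2.11"      # client, then an inner trusted proxy

def run_cases():
    return {
        "narrow trust list": resolve_client_ip("192.0.2.10", FORGED, PROXIES),
        "trust everything": resolve_client_ip("192.0.2.10", FORGED, ["0.0.0.0/0"]),
        "direct, not via proxy": resolve_client_ip("203.0.113.7", "198.51.100.99", PROXIES),
        "two proxies, recursive": resolve_client_ip("192.0.2.10", CHAIN, PROXIES),
        "two proxies, non-recursive": resolve_client_ip("192.0.2.10", CHAIN, PROXIES, recursive=False),
    }

if __name__ == "__main__":
    for name, ip in run_cases().items():
        print(f"{name:28} -> {ip}")
```

With the narrow list the forged left-most entry is ignored, while a catch-all range logs it as the client, so xx.xx.xx.xx should cover only the upper-layer proxy addresses.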
    