In JSP, the method to obtain the client’s IP address is request.getRemoteAddr(), which works in most cases. However, behind reverse proxy software such as Apache or Squid it cannot obtain the real IP address of the client.

If you use reverse proxy software so that the URL http://192.168.1.110:2046/ is reverse-proxied as www.abc.com/, the IP address obtained by the request.getRemoteAddr() method is 127.0.0.1 or 192.168.1.110, not the real IP address of the client.

Once a proxy is in place, the server cannot see the client’s IP directly, and the server application cannot address the client directly either, because of the extra layer inserted between the client and the service. However, the proxy adds an X-Forwarded-For field to the HTTP header of the forwarded request, which can be used to trace the original client IP address and the server address the original client requested.

When we visit www.abc.com/index.jsp/, it is not our browser that actually accesses the index.jsp file on the server; the proxy server accesses http://192.168.1.110:2046/index.jsp and then returns the result to our browser. Since it is the proxy server that accesses index.jsp, the IP obtained from request.getRemoteAddr() is actually the proxy server’s address, not the IP address of the client.

Obtaining the client IP on a Java/PHP server:

Pseudo code:

1) ip = request.getHeader("X-Forwarded-For")

2) If the value is null, has length 0, or equals "unknown", then: ip = request.getHeader("Proxy-Client-IP")

3) If the value is null, has length 0, or equals "unknown", then: ip = request.getHeader("WL-Proxy-Client-IP")

4) If the value is null, has length 0, or equals "unknown", then: ip = request.getHeader("HTTP_CLIENT_IP")

5) If the value is null, has length 0, or equals "unknown", then: ip = request.getHeader("X-Real-IP")

6) If the value is null, has length 0, or equals "unknown", then: ip = request.getRemoteAddr()

Let’s start with what these request headers mean

  • X-Forwarded-For

This field was introduced by Squid and is only added when the request passes through an HTTP proxy or load balancing server.

The format of X-Forwarded-For is: client1, proxy1, proxy2. In general, the first entry is the real IP of the client, and the entries after it are the IPs of the proxy servers the request passed through. Most proxies now include this header.

  • Proxy-Client-IP / WL-Proxy-Client-IP

These usually come from the Apache HTTP Server. When Apache HTTP Server is used as a proxy, it usually adds the Proxy-Client-IP request header, and WL-Proxy-Client-IP is the header added by its WebLogic plug-in.

  • HTTP_CLIENT_IP

Some proxy servers add this request header.

  • X-Real-IP

nginx proxies typically add this request header.

Here is a reference implementation of a method to obtain the client IP address:

```java
import javax.servlet.http.HttpServletRequest;

public static String getIpAddress(HttpServletRequest request) {
    String ip = request.getHeader("x-forwarded-for");
    if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
        ip = request.getHeader("Proxy-Client-IP");
    }
    if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
        ip = request.getHeader("WL-Proxy-Client-IP");
    }
    if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
        // No proxy header at all: fall back to the TCP peer address
        ip = request.getRemoteAddr();
    }
    // X-Forwarded-For is "client, proxy1, proxy2": keep the first entry and strip the space after the comma
    if (ip.contains(",")) {
        return ip.split(",")[0].trim();
    } else {
        return ip;
    }
}
```

If you are using the Druid connection pool, you can refer to the method com.alibaba.druid.util.DruidWebUtils#getRemoteAddr, but the value it returns is the address after multi-level proxying, so you still need to take the first entry yourself.

There are a few caveats:

  1. These headers are not standard HTTP headers, which means each proxy server decides for itself how it conveys the client’s address. If one day some proxy server software uses oooo-Client-IP to represent the client, the above code will not work.
  2. These headers are not necessarily carried by the proxy server; many anonymous proxies on the network do not send them, so the obtained client IP may not be the real client IP. Proxy servers can generally customize their request header settings.
  3. The code above does not guarantee that the client IP is obtained, even if every proxy the request passes through attaches its proxy request header according to its specification. Different network architectures determine the order of the request headers.
  4. Most importantly, request headers can be forged. If an application (such as voting) requires strict client verification, it should use ip = request.getRemoteAddr() directly. Although the obtained IP may be the proxy IP rather than the client IP, it is almost impossible to forge, which rules out vote rigging. ARP spoofing plus SYN tricks can be used to forge even this IP address, but that is a vulnerability of all TCP-based protocols.
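A hardened variant of the lookup above, added here as an example and not code from the original post: it only believes X-Forwarded-For when the TCP peer is one of the deployment’s own proxies (the trusted list and the sample addresses are assumptions) and walks the header from the right, so an entry the client itself injected is never returned.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

public final class ClientIpResolver {
    // Loose shape check for an IPv4/IPv6 literal so a garbage header never reaches logs or ACLs.
    private static final Pattern IP_LITERAL = Pattern.compile("[0-9A-Fa-f.:]{2,45}");

    private final Set<String> trustedProxies;

    public ClientIpResolver(Set<String> trustedProxies) {
        this.trustedProxies = trustedProxies;
    }

    /** remoteAddr is request.getRemoteAddr(); xForwardedFor is the header value or null. */
    public String resolve(String remoteAddr, String xForwardedFor) {
        // If the TCP peer is not one of our proxies, anyone could have written the header: ignore it.
        if (!trustedProxies.contains(remoteAddr) || xForwardedFor == null || xForwardedFor.isEmpty()) {
            return remoteAddr;
        }
        List<String> hops = Arrays.asList(xForwardedFor.split(","));
        // Each trusted proxy appended the peer it saw, so walking from the right, the first entry
        // that is not one of our proxies is the nearest untrusted hop: the client.
        for (int i = hops.size() - 1; i >= 0; i--) {
            String hop = hops.get(i).trim();
            if (trustedProxies.contains(hop)) {
                continue;
            }
            return IP_LITERAL.matcher(hop).matches() ? hop : remoteAddr;
        }
        // Every entry was one of our proxies (e.g. an internal health check): report the peer.
        return remoteAddr;
    }

    public static void main(String[] args) {
        // Constructed deployment: client -> proxy 10.0.0.5 -> proxy 192.168.1.110 -> app server
        ClientIpResolver r = new ClientIpResolver(Set.of("192.168.1.110", "10.0.0.5"));
        // Normal chain: the client address is the only untrusted entry
        System.out.println(r.resolve("192.168.1.110", "203.0.113.7, 10.0.0.5"));
        // Direct connection carrying a forged header: the header is ignored
        System.out.println(r.resolve("203.0.113.7", "1.2.3.4"));
        // Client prepended a fake entry before reaching our proxies: the fake entry is never chosen
        System.out.println(r.resolve("192.168.1.110", "1.2.3.4, 203.0.113.7, 10.0.0.5"));
    }
}
```

The trusted set should hold exactly the addresses your own proxies connect from; any address outside it is treated as the client, which is the safe default for rate limiting and vote checks.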
