Client’s Real IP and Port
UWAF Gets the Client’s Real IP Accessed Through Proxy Servers such as CDN
In general, a CDN uses XFF (X-Forwarded-For) or X-Real-IP to pass the real IP of the visiting user, but a user can also construct this field themselves to forge the request IP, and that possibility cannot be excluded.
Taking UCDN as an example, to get the real IP of the visiting user at the WAF end, do the following:
- In the Web Application Firewall console, open【Domain Management】, select the domain name to be set, and click【Edit】.
- Once it is open, turn on the【Is there a proxy in front of WAF】option and fill in the X-Real-IP field in【Real IP Field Setting】(this is the field UCDN uses to pass the user’s real IP; if you use another third-party proxy, confirm the real IP field with the supplier).
- After the configuration is completed, click【OK】so that UWAF gets the client’s real IP.
How the Origin Server Gets the Client’s Real IP
UWAF adds the X-Real-IP and X-Forwarded-For fields to the header of the request it sends to the origin, to pass the real IP of the visiting user. You can read the values of these two fields on the origin server with the corresponding configuration (see the Sample Configuration section).
The difference between X-Real-IP and X-Forwarded-For
A proxy server (such as UWAF) writes the source IP of the request into the X-Real-IP field and sends it to the origin; this field only ever holds one IP address. X-Forwarded-For works differently: every proxy the request passes through appends the source to it, so with multiple proxies this field holds multiple IP addresses (real IP, proxy server 1, proxy server 2, …).
How the Origin Server Gets the Client’s Real Port
UWAF adds the X-Real-Port field to the header of the request it sends to the origin, to pass the real port of the visiting user. The origin can read the client’s real port from this header field.
Sample Configuration
For common HTTP servers or Web applications, you can get the client’s real IP through the following methods:
Nginx
For Nginx servers, you can use `$http_x_real_ip` to get the value of the X-Real-IP field, and `$http_x_real_port` to get the value of the X-Real-Port field. Using Nginx’s `http_realip_module` module can make `$remote_addr` display as the client’s real IP. The added configuration is as follows:
```nginx
set_real_ip_from <source IP segment>; # The source IP segment can be viewed in the Basic Information of the console Overview page. Multiple IP segments require multiple directives.
real_ip_header X-Forwarded-For; # X-Real-IP can also be used
real_ip_recursive on; # If there is a proxy such as a CDN in front of WAF, this directive needs to be set to on; otherwise it is not needed.
```
If the origin’s Nginx itself acts as a proxy server, you can add the following to the previous configuration so that the backend application can also get the client’s real IP through X-Real-IP or X-Forwarded-For:
```nginx
# ...
location / {
    # ...
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# ...
```
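The address selection that `set_real_ip_from`, `real_ip_header X-Forwarded-For` and `real_ip_recursive on` describe, written out for a backend application that reads X-Forwarded-For itself. This is an added example, not UWAF or Nginx code; the function names and the IP ranges are constructed placeholders, and stopping at a malformed entry is this example's own choice.

```python
import ipaddress

# Constructed sample ranges (documentation address space). Replace with the
# source IP segments shown in the console and, if a CDN sits in front of the
# WAF, the CDN's ranges as well.
TRUSTED_PROXIES = [ipaddress.ip_network(n)
                   for n in ("198.51.100.0/24", "192.0.2.0/24")]


def _trusted(ip):
    """True when ip belongs to one of the trusted proxy ranges."""
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_header, recursive=True):
    """Pick the address an origin should log or rate-limit on.

    peer_addr  -- address of the TCP peer that connected to the origin
    xff_header -- raw X-Forwarded-For value, or None if absent
    recursive  -- walk right to left past every trusted hop
                  (the behaviour of real_ip_recursive on)
    """
    peer = ipaddress.ip_address(peer_addr)
    # A header sent by a peer outside the trusted ranges is fully
    # client-controlled, so it is ignored.
    if not xff_header or not _trusted(peer):
        return str(peer)
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    result = peer
    # Entries are appended left to right, so the rightmost ones were written
    # by the proxies closest to the origin and are the only ones to rely on.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address that parsed
        result = addr
        if not recursive or not _trusted(addr):
            break  # first hop that is not one of our proxies is the client
    return str(result)
```

Anything a client places in X-Forwarded-For ends up to the left of the entries the proxies append, which is why the walk starts from the right and stops at the first untrusted address.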
ASP
```asp
Request.ServerVariables("HTTP_X_REAL_IP")
```
JSP
```java
request.getHeader("X-Real-IP")
```
PHP
```php
$_SERVER["HTTP_X_FORWARDED_FOR"]
```
Note: If the upstream hop is a third-party proxy server such as a CDN, the real IP may not be obtainable. In that case, follow the earlier section “UWAF Gets the Client’s Real IP Accessed Through Proxy Servers such as CDN” to turn on the【Is there a proxy in front of WAF】option and specify the client’s real IP field in the domain name settings in advance.