CDN to get the real IP address of the user

Source: Internet
Author: User
Tags get ip nginx reverse proxy

With the rapid rise of Nginx, more and more companies are replacing Apache with Nginx. At the same time, more and more people use Nginx as a load balancer, and a CDN may also be placed in front of the proxy for acceleration. This raises a problem: how to get the user's real IP address. If the backend is Apache, please jump to <Apache to get the real IP address of the user>. If the backend real server is Nginx, read on.

Example environment:
User IP: 120.22.11.11
CDN front end: 61.22.22.22
CDN transit: 121.207.33.33
Company Nginx front-end proxy: 192.168.50.121 (external network 121.207.231.22)

1. Use a custom CDN IP header

If your CDN vendor uses Nginx, have it assign $remote_addr to a header you specify. In Nginx this is done as follows:

    proxy_set_header remote-user-ip $remote_addr;

As above, the backend will receive the HTTP header as REMOTE_USER_IP. Some people may think this is a mistake: the header I set is remote-user-ip, so why is it written remote_user_ip; did the author get it wrong? Please refer to the article: <Nginx reverse proxy proxy_set_header custom header invalid>

Back-end PHP code, getremoteuserip.php:

    <?php
    // The remote-user-ip request header is exposed to PHP as HTTP_REMOTE_USER_IP
    $ip = getenv("HTTP_REMOTE_USER_IP");
    echo $ip;
    ?>

Accessing getremoteuserip.php gives the following result:

    120.22.11.11 // the real user IP; if the CDN can define this header for you, this method is the best

2. Get the IP address via HTTP_X_FORWARDED_FOR

In general, the CDN server sends the HTTP_X_FORWARDED_FOR header, which is a string of IP addresses. The backend real server reads the HTTP_X_FORWARDED_FOR header and takes the first IP in the string that is not unknown as the real IP address of the user, for example:

120.22.11.11,61.22.22.22,121.207.33.33,192.168.50.121 (user IP, CDN front-end IP, CDN relay, company Nginx proxy)

getfor.php

    <?php
    // The X-Forwarded-For request header is exposed to PHP as HTTP_X_FORWARDED_FOR
    $ip = getenv("HTTP_X_FORWARDED_FOR");
    echo $ip;
    ?>

Accessing getfor.php gives the following result:

    120.22.11.11,61.22.22.22,121.207.33.33,192.168.50.121

If you are a PHP programmer, take the first IP address that is not unknown; here it is 120.22.11.11.

3. Use the Nginx realip module to get the user IP address
When building Nginx with the realip module, my configure parameters were as follows:

    ./configure --prefix=/usr/local/nginx-1.4.1 --with-http_realip_module

Real server Nginx configuration:

    server {
        listen       80;  # the port value was lost from the original page; 80 is assumed
        server_name  www.ttlsa.com;
        access_log   /data/logs/nginx/www.ttlsa.com.access.log  main;
        index        index.php index.html index.html;
        root         /data/site/www.ttlsa.com;

        location / {
            root /data/site/www.ttlsa.com;
        }

        location = /getrealip.php {
            # Proxies whose X-Forwarded-For entries are trusted
            set_real_ip_from  192.168.50.0/24;
            set_real_ip_from  61.22.22.22;
            set_real_ip_from  121.207.33.33;
            set_real_ip_from  127.0.0.1;
            # Header to read the client address from
            real_ip_header    X-Forwarded-For;
            real_ip_recursive on;
            fastcgi_pass  unix:/var/run/phpfpm.sock;
            fastcgi_index index.php;
            include fastcgi.conf;
        }
    }

Content of getrealip.php:

    <?php
    // With the realip module active, REMOTE_ADDR already holds the rewritten address
    $ip = $_SERVER['REMOTE_ADDR'];
    echo $ip;
    ?>

Visit www.ttlsa.com/getRealip.php, which returns:

    120.22.11.11

If you comment out real_ip_recursive on, or set real_ip_recursive off, and
visit www.ttlsa.com/getRealip.php, it returns:

    121.207.33.33

Unfortunately, this returns the IP of the CDN relay, which shows the effect of real_ip_recursive.

set_real_ip_from: the IP address or IP range of a proxy in front of the real server; it can be written on multiple lines
real_ip_header: which header to take the IP address from
real_ip_recursive: recursively excludes IP addresses. The IP string is scanned from right to left, excluding the IPs that appear in set_real_ip_from; an IP that is not covered by any set_real_ip_from entry is considered the IP of the user. For example, on my side, the IP address string obtained by the real server is as follows:
120.22.11.11,61.22.22.22,121.207.33.33,192.168.50.121
With real_ip_recursive on:
61.22.22.22, 121.207.33.33 and 192.168.50.121 all appear in set_real_ip_from; only 120.22.11.11 does not, so it is considered to be the user's IP address and is assigned to the remote_addr variable.

With real_ip_recursive off or not set:
192.168.50.121 appears in set_real_ip_from and is excluded; the next IP address is considered to be the user's IP address.

If only the following is configured:

    set_real_ip_from  192.168.50.0/24;
    set_real_ip_from  127.0.0.1;
    real_ip_header    X-Forwarded-For;
    real_ip_recursive on;

The result of the visit is as follows:

    121.207.33.33
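The selection rule described in this section, and the "first IP that is not unknown" rule from method 2, as a small Python model (an added example, not Nginx's code and not from the original article). It assumes the real server's TCP peer is the company proxy 192.168.50.121 and that the header carries the three addresses before it; `realip`, `first_not_unknown` and the forged entry 203.0.113.50 are constructed for illustration.

```python
import ipaddress

def trusted(ip, nets):
    """True if ip is covered by any set_real_ip_from entry."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)

def realip(peer, xff, nets, recursive):
    """Model of the realip choice: walk X-Forwarded-For from right to left
    for as long as the address currently held belongs to a trusted proxy."""
    addr = peer
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    while hops and trusted(addr, nets):
        hop = hops.pop()                    # rightmost remaining entry
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break                           # unparsable entry: end of chain in this model
        addr = hop
        if not recursive:
            break                           # off: only one step is taken
    return addr

def first_not_unknown(xff):
    """Method 2: first entry of the header that is not 'unknown'."""
    for hop in (h.strip() for h in xff.split(",")):
        if hop and hop.lower() != "unknown":
            return hop
    return None

# Addresses from the article's example environment
ALL_PROXIES = ["192.168.50.0/24", "61.22.22.22", "121.207.33.33", "127.0.0.1"]
INTERNAL_ONLY = ["192.168.50.0/24", "127.0.0.1"]
PEER = "192.168.50.121"                     # assumed TCP peer of the real server
XFF = "120.22.11.11, 61.22.22.22, 121.207.33.33"
# Constructed sample: the client sent its own X-Forwarded-For before the CDN appended
FORGED_XFF = "203.0.113.50, " + XFF

if __name__ == "__main__":
    print("recursive on, all proxies :", realip(PEER, XFF, ALL_PROXIES, True))
    print("recursive off             :", realip(PEER, XFF, ALL_PROXIES, False))
    print("recursive on, internal    :", realip(PEER, XFF, INTERNAL_ONLY, True))
    print("forged header, realip     :", realip(PEER, FORGED_XFF, ALL_PROXIES, True))
    print("forged header, method 2   :", first_not_unknown(FORGED_XFF))
```

With the forged header, the right-to-left walk still stops at 120.22.11.11 because that address is not in the trusted list, while the leftmost-entry rule returns the client-supplied value.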

4. Summary of the three ways to obtain the user IP in a CDN environment
4.1 CDN custom header
Pros: Gets the most genuine user IP address; the user absolutely cannot spoof the IP
Cons: Requires the CDN vendor to provide it

4.2 Reading the X-Forwarded-For header
Pros: You can get the IP address of the user
Cons: The program needs to be changed, and the user IP may be spoofed

4.3 Using realip
Pros: The program does not need to change; it uses REMOTE_ADDR directly to obtain the IP address
Cons: IP addresses may be spoofed, and you need to know the IP address or IP range of all CDN nodes

