How does JSP obtain the real IP address of the client?
In JSP, the method for obtaining the client IP address is request.getRemoteAddr(). This method is valid in most cases, but it cannot return the real IP address of the client when the request passes through reverse proxy software such as Apache or Squid.
If reverse proxy software is used, for example when http://192.168.1.110:3306/ is reverse-proxied as http://www.8888.com/, the IP address obtained by request.getRemoteAddr() is 127.0.0.1 or 192.168.1.110, not the real IP address of the client.
Because the proxy adds an intermediate layer between the client and the service, the server cannot directly obtain the IP address of the client, and the server application cannot return its response directly to the client through the address of the forwarded request. However, X-FORWARDED-FOR information is added to the HTTP headers of the forwarded request. It is used to track the original client IP address and the server address of the original client request. When we access http://www.8888.com/index.jsp/, our browser does not actually access the index.jsp file on the server. The proxy server first accesses http://192.168.1.110:3306/index.jsp and then returns the result to our browser. Because it is the proxy server that accesses index.jsp, the IP obtained by request.getRemoteAddr() in index.jsp is actually the proxy server's address, not the client's IP address.
So we can obtain the real IP address of the client as follows. Method 1:

    public String getRemortIP(HttpServletRequest request) {
        // No X-Forwarded-For header: the request did not come through a proxy that sets it
        if (request.getHeader("x-forwarded-for") == null) {
            return request.getRemoteAddr();
        }
        return request.getHeader("x-forwarded-for");
    }

However, when I access http://www.xxx.com/index.jsp/, the returned IP address is always unknown, not 127.0.0.1 or 192.168.1.110 as shown above, while when I access http://192.168.1.110:3306/index.jsp, the real IP address of the client is returned; I wrote a method to verify this. The reason is Squid. The forwarded_for option in the squid.conf configuration file is on by default. If forwarded_for is set to off, then X-Forwarded-For: unknown
So we can obtain the real IP address of the client as follows. Method 2:

    public String getIpAddr(HttpServletRequest request) {
        String ip = request.getHeader("x-forwarded-for");
        // Fall through the proxy headers until one holds a usable value
        if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
            ip = request.getHeader("Proxy-Client-IP");
        }
        if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
            ip = request.getHeader("WL-Proxy-Client-IP");
        }
        // Last resort: the address of the directly connected peer
        if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
            ip = request.getRemoteAddr();
        }
        return ip;
    }

However, if the request passes through multiple levels of reverse proxy, the X-Forwarded-For value is not a single IP but a string of IP values. Which is the real IP address of the client?
The answer is: take the first valid IP string in X-Forwarded-For that is not unknown.
Example: X-Forwarded-For: 192.168.1.110, 192.168.1.120, 192.168.1.130, 192.168.1.100
The user's real IP address is 192.168.1.110.
The above two methods are feasible. Do not use the request.getRemoteAddr() method alone to obtain the client IP address. This method is not ideal.
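
The multi-proxy rule above (first valid entry that is not unknown), as an added example that is not part of the original article: it splits the comma-separated list that Method 2 returns as one string, and honors the header only when the connecting peer is a known proxy. The TRUSTED_PROXIES set, the class and method names, and the IPv4-only validity check are assumptions of this example.

```java
import java.util.Set;

// Added example, not from the original article.
public class ClientIpResolver {
    // Assumed deployment setting: addresses of our own reverse proxies
    // (the values are the proxy addresses used on this page).
    static final Set<String> TRUSTED_PROXIES = Set.of("127.0.0.1", "192.168.1.110");

    // remoteAddr:   value of request.getRemoteAddr()
    // forwardedFor: value of request.getHeader("x-forwarded-for"), may be null
    static String resolve(String remoteAddr, String forwardedFor) {
        // A client that connects directly can put anything in the header,
        // so use it only when the TCP peer is one of our own proxies.
        if (forwardedFor == null || !TRUSTED_PROXIES.contains(remoteAddr)) {
            return remoteAddr;
        }
        // The article's rule: first valid IP string that is not "unknown".
        for (String part : forwardedFor.split(",")) {
            String candidate = part.trim();
            if (!"unknown".equalsIgnoreCase(candidate) && isIpv4(candidate)) {
                return candidate;
            }
        }
        return remoteAddr; // nothing usable in the header
    }

    // Strict dotted-quad check; no DNS lookup is performed on header content.
    static boolean isIpv4(String s) {
        String[] octets = s.split("\\.", -1);
        if (octets.length != 4) return false;
        for (String o : octets) {
            if (!o.matches("\\d{1,3}") || Integer.parseInt(o) > 255) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed inputs; the first header value is the article's own example.
        String chain = "192.168.1.110, 192.168.1.120, 192.168.1.130, 192.168.1.100";
        System.out.println(resolve("127.0.0.1", chain));                    // multi-level proxy chain
        System.out.println(resolve("127.0.0.1", "unknown, 192.168.1.120")); // forwarded_for off upstream
        System.out.println(resolve("203.0.113.9", "10.0.0.1"));             // peer is not a trusted proxy
        System.out.println(resolve("127.0.0.1", "unknown"));                // no usable entry
    }
}
```

The leftmost entry is whatever the outermost proxy received from the client, so treat the result as reliable for logging or access decisions only if that proxy overwrites or sanitizes incoming X-Forwarded-For headers.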
I hope this article will be helpful for your learning.