To obtain a visitor's real IP address, most people read it from the X-Forwarded-For (XFF) header. But XFF is an HTTP request header (in Nginx it appears as $http_x_forwarded_for, with the http_ prefix), and like any HTTP header it can be forged by the client. Whether this becomes a problem depends on how the XFF value is actually obtained and used.

With Nginx's reverse proxy, some people pass the $proxy_add_x_forwarded_for variable to the backend as the visitor's real IP. Nginx handles this variable "intelligently": when an XFF header arrives, Nginx appends the address of the connection it received to the end of the existing XFF value and forwards the result to the backend. That intelligence is also the problem. If a visitor sends a forged XFF header, the visitor address the backend extracts is forged as well, and malicious users can take advantage of it.

On the front end there is exactly one visitor-IP variable that is real and cannot be forged: $remote_addr, the address of the TCP connection, which has no http_ prefix. For front-end services such as Nginx and Varnish, using $remote_addr (in Varnish the variable is called client.ip) as the visitor IP is the smartest choice.

Nginx:

    proxy_set_header X-Forwarded-For $remote_addr;

Varnish:

    set req.http.X-Forwarded-For = client.ip;

In addition, Varnish's default VCL handles XFF like this:

    if (req.restarts == 0) {
        if (req.http.X-Forwarded-For) {
            set req.http.X-Forwarded-For = req.http.X-Forwarded-For + ", " + client.ip;
        } else {
            set req.http.X-Forwarded-For = client.ip;
        }
    }

As you can see, Varnish's default XFF handling is essentially the same as $proxy_add_x_forwarded_for in the Nginx proxy module, and it is open to XFF spoofing in the same way.

If no CDN is in front, I suggest removing the check for existing XFF content and simply taking client.ip and passing it to the backend:

    if (req.restarts == 0) {
        set req.http.X-Forwarded-For = client.ip;
    }

Of course, what we have covered so far is only the simplest scenario. Suppose a site uses the following environment: Apache as the PHP engine, Nginx as a cache in front of Apache, Varnish as a cache in front of Nginx, and a CDN (all of whose nodes run Nginx) in front of Varnish. How can Apache obtain the visitor's real IP address without XFF spoofing?

First, the backend servers must not be directly reachable; they may only be accessed through the CDN nodes. Otherwise XFF spoofing is possible.

Front end: the Nginx on each CDN node uses $remote_addr as the visitor's real IP. This is the key to preventing XFF spoofing:

    proxy_set_header X-Forwarded-For $remote_addr;

Varnish takes the XFF content received from the CDN node, assigns it to XFF and passes it on to Nginx:

    set req.http.X-Forwarded-For = req.http.X-Forwarded-For;

In Nginx, if you want to use the limit_req module or log the visitor's address, you need the realip module: tell it the Varnish server's IP (the address the real IP comes from) and which header holds the visitor's real IP, then pass the XFF carrying that real IP on to Apache:

    server {
        ......
        set_real_ip_from <Varnish server IP>;   # 127.0.0.1 if Varnish runs on the same server
        real_ip_header X-Forwarded-For;         # header that stores the real IP, usually X-Forwarded-For
        ......
        location / {
            ......
            proxy_set_header X-Forwarded-For $http_x_forwarded_for;
            ......
        }
    }

In Apache, install the rpaf module and tell it the Varnish and Nginx server IPs and the header that stores the visitor's real IP:

    RPAFenable On
    RPAFsethostname On
    RPAFproxy_ips <Varnish server IP> <Nginx server IP>   # separate multiple IP addresses with spaces
    RPAFheader X-Forwarded-For

As you can see, from the front-end CDN node all the way back to Apache, the XFF header stays unchanged and always holds the visitor's real IP address. If Nginx is used only as a cache, the realip module is not even required: Nginx just passes XFF through to Apache, which greatly simplifies backend processing. Not only is the visitor's real IP obtained, XFF cannot be forged either.

Finally, a side note: X-Forwarded-For is just a header name, and you can change it to any name you like. I use X-Forwarded-For throughout simply because it follows most people's long-standing habit.
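An added example (not from the article) that replays the chain above in Python: a CDN edge that either overwrites XFF with $remote_addr or appends to it, and a backend that either trusts the leftmost XFF entry or walks the list right to left over a trusted-proxy list, the way realip and rpaf do. The proxy and client addresses are constructed.

```python
import ipaddress

# Constructed addresses (assumptions): CDN nodes, Varnish, and Nginx on Apache's host.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in
                   ("203.0.113.0/24", "198.51.100.10/32", "127.0.0.1/32")]

def parse_ip(addr):
    try:
        return ipaddress.ip_address(addr)
    except ValueError:
        return None                     # malformed entry

def is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)

def split_xff(xff):
    return [h.strip() for h in xff.split(",") if h.strip()] if xff else []

def naive_first_hop(remote_addr, xff):
    """What many backends do: trust the leftmost XFF entry unconditionally."""
    hops = split_xff(xff)
    return hops[0] if hops else remote_addr

def trusted_walk(remote_addr, xff):
    """What realip/rpaf do: honour XFF only if the TCP peer is a known proxy,
    then walk right to left and return the first hop that is not a known proxy."""
    peer = parse_ip(remote_addr)
    if peer is None or not is_trusted(peer):
        return remote_addr              # direct hit on the backend: ignore XFF
    for hop in reversed(split_xff(xff)):
        ip = parse_ip(hop)
        if ip is None:
            break                       # garbage in the header: stop trusting it
        if not is_trusted(ip):
            return hop
    return remote_addr

def edge_overwrite(forged_xff, peer):
    """CDN node with: proxy_set_header X-Forwarded-For $remote_addr;"""
    return peer

def edge_append(forged_xff, peer):
    """CDN node using $proxy_add_x_forwarded_for, or Varnish's default VCL."""
    return f"{forged_xff}, {peer}" if forged_xff else peer

def resolve_at_backend(client_ip, forged_xff, edge_policy, resolver):
    """Request enters at a CDN node (TCP peer = client), XFF passes unchanged
    through Varnish and Nginx, and Apache's TCP peer is Nginx on 127.0.0.1."""
    return resolver("127.0.0.1", edge_policy(forged_xff, client_ip))
```

Only the combination of an appending edge and a leftmost-entry backend yields the forged address; overwriting at the edge protects even naive backends, and the trusted walk ignores the header entirely when a client reaches the backend directly.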