Java proper acquisition of client real IP method collation

Source: Internet
Author: User
Tags array length php server

In the JSP, the method to obtain the IP address of the client is: Request.getremoteaddr (), which is valid in most cases. However, the real IP address of the client cannot be obtained through the reverse proxy software such as Apache,squid.

If the reverse proxy software is used, the URL of the http://192.168.1.110:2046/is reversed to the URL of the http://www.abc.com/, with REQUEST.GETREMOTEADDR () The IP address obtained by the method is: 127.0.0.1 or 192.168.1.110, not the real IP of the client.

After the agent, due to the addition of the middle tier between the client and the service, so the server can not directly get the client's IP, the server-side application can not directly forward the requested address to the client. However, the x-forwarded-for information is added to the HTTP header information of the forwarding request. Used to track the original client IP address and the server address of the original client request.

When we visit http://www.abc.com/index.jsp/, it is not that our browser actually accesses the index.jsp file on the server, but instead it is accessed by the proxy server first http://192.168.1.110:2046/ INDEX.JSP, the proxy server will return the results of the access to our browser, because it is the proxy server to access index.jsp, so index.jsp through the request.getremoteaddr () is actually the address of the proxy server, not the IP address of the client.

The external java/php server-side acquisition client IP is so taken:

Pseudo code:

1) IP = request.getheader ("X-forwarded-for")

2) If the value is empty or the array length is 0 or equal to "unknown", then:
ip = Request.getheader ("Proxy-client-ip")

3) If the value is empty or the array length is 0 or equal to "unknown", then:
ip = Request.getheader ("Wl-proxy-client-ip")

4) If the value is empty or the array length is 0 or equal to "unknown", then:
ip = Request.getheader ("Http_client_ip")

5) If the value is empty or the array length is 0 or equal to "unknown", then:
ip = Request.getheader ("X-real-ip")

6) If the value is empty or the array length is 0 or equal to "unknown", then:
ip = request.getremoteaddr ()

Let's talk about the meaning of these requests.

    • X-forwarded-for

This is a SQUID development field that is added only if the HTTP proxy or Load Balancer server is passed.

The format is X-forwarded-for:client1,proxy1,proxy2, in general, the first IP is the client real IP, followed by the proxy server IP. Now most of the agents will add this request header.

    • Proxy-client-ip/wl-proxy-client-ip

This is generally through the Apache HTTP Server request will have, with Apache HTTP proxy will generally add PROXY-CLIENT-IP request header, and Wl-proxy-client-ip is his WebLogic plug-in plus the head.

    • Http_client_ip

Some proxy servers are added to this request header.

    • X-real-ip
      The Nginx proxy typically adds this request header.

Here is a reference to the method for obtaining the client IP address:

 Public Staticstring getipaddress (HttpServletRequest request) {string IP= Request.getheader ("x-forwarded-for"); if(IP = =NULL|| Ip.length () = =0||"Unknown". Equalsignorecase (IP)) {IP= Request.getheader ("Proxy-client-ip"); }    if(IP = =NULL|| Ip.length () = =0||"Unknown". Equalsignorecase (IP)) {IP= Request.getheader ("Wl-proxy-client-ip"); }    if(IP = =NULL|| Ip.length () = =0||"Unknown". Equalsignorecase (IP)) {IP=request.getremoteaddr (); }    if(Ip.contains (",")) {        returnIp.split (",")[0]; } Else {        returnIP; }}
If you are using a Druid connection pool, you can refer to using the: Com.alibaba.druid.util.druidwebutils#getremoteaddr method, but this is the IP address of the multi-level proxy, which needs to be processed by itself to get the first one.

There are a few points to note

    1. These request headers are not standard request headers in the HTTP protocol, meaning that this is the request header of each proxy server that represents the client address. If one day there is a proxy server software with Oooo-client-ip This request header represents the client request, then the above code is not.

    2. These request headers are not necessarily the proxy server, and many anonymous proxies on the network do not have these request headers, so the client IP that gets to it does not have to be the real client IP. The proxy server can typically customize the request header settings.

    3. Even if the requested agent will attach the proxy request header according to its own specifications, the above code will not ensure that the client IP is obtained. Different network architectures, the order of judging the request header is not the same.

    4. The most important point is that the request header can be forged. If some applications (such as voting) that are more restrictive to the client are to obtain the client IP, the IP=REQUEST.GETREMOTEADDR () should be used directly, although the IP of the proxy may be obtained instead of the client's IP, but the acquired IP is basically impossible to forge. It also eliminates the possibility of the brush ticket. (There is an analysis that ARP spoofing +syn is likely to forge this IP, if it can, this is all based on the TCP protocol is a vulnerability), this IP is the TCP connection IP.

Reference
http://blog.csdn.net/sgx425021234/article/details/19043459
http://blog.csdn.net/fengwind1/article/details/51992528

Java proper acquisition of client real IP method collation

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.