The nginx proxy cannot obtain the real IP address of the client.

Source: Internet
Author: User

Nginx is used as a reverse proxy in a Linux environment. As a result, the IP returned by request.getRemoteAddr() is the IP address of the company's proxy server, and the log records are seriously inaccurate!
We all know that the way to obtain the client IP address on the server side is request.getRemoteAddr(), which works in most cases.
However, once Nginx, Squid, or other reverse proxy software is in front of the server, this method no longer returns the real IP address of the client.
For example, when http://192.168.101.88:80/ is reverse-proxied as http://pay.kedou.com/url, the IP address returned by request.getRemoteAddr() is 127.0.0.1 or 192.168.101.88, not the real IP address of the client.
Without a proxy, the client requests the server directly, and request.getRemoteAddr() returns the client's IP address. With a proxy, the client no longer requests the server directly: it takes a second route and requests the proxy server, which then requests the server. At that point request.getRemoteAddr() on the server naturally returns the proxy server's address.

Because the proxy adds an intermediate layer between the client and the server, the server cannot directly obtain the IP address of the client, and the server application cannot directly return a response to the client using the address of the forwarded request. However, the proxy adds X-Forwarded-For information to the HTTP headers of the request it forwards. It is used to track the original client IP address and the server address the client originally requested. When we request index.htm through the proxy, the proxy server first accesses http://192.168.101.88:80/index.htm and then returns the result to our browser. Because it is the proxy server that requests index.htm, the IP returned by request.getRemoteAddr() in index.htm is actually the proxy server's address, not the client's IP address.
The real IP address of the client can therefore be obtained from this header, as follows.

Method 1:

    public String getRemortIP(HttpServletRequest request) {
        // No X-Forwarded-For header: fall back to the address of the direct peer.
        if (request.getHeader("x-forwarded-for") == null) {
            return request.getRemoteAddr();
        }
        return request.getHeader("x-forwarded-for");
    }

However, when I access the token or 192.168.101.88, the real IP address of the client can be obtained.

Method 2:

    public String getIpAddr(HttpServletRequest request) {
        // Try each proxy header in turn; an empty or "unknown" value counts as missing.
        String ip = request.getHeader("x-forwarded-for");
        if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
            ip = request.getHeader("Proxy-Client-IP");
        }
        if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
            ip = request.getHeader("WL-Proxy-Client-IP");
        }
        if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
            // No usable header: use the address of the direct peer.
            ip = request.getRemoteAddr();
        }
        return ip;
    }

However, if the request passes through several levels of reverse proxy, X-Forwarded-For holds not a single value but a string of IP addresses. Which one is the real IP address of the client?
The answer is to take the first valid IP string that is not "unknown" in X-Forwarded-For.
For example:
X-Forwarded-For: 192.168.101.88, 192.168.101.128, 192.168.101.126

The user's real IP address is 192.168.101.88, which gives the final code:

    // Gets the client IP address when the request has passed through proxy servers.
    public static String getIpAddress(HttpServletRequest request) {
        // With several proxies this header value is the whole comma-separated list.
        String ip = request.getHeader("x-forwarded-for");
        String localIP = "127.0.0.1";
        // A missing, empty, loopback or "unknown" value counts as unusable.
        if (ip == null || ip.length() == 0 || ip.equalsIgnoreCase(localIP) || "unknown".equalsIgnoreCase(ip)) {
            ip = request.getHeader("Proxy-Client-IP");
        }
        if (ip == null || ip.length() == 0 || ip.equalsIgnoreCase(localIP) || "unknown".equalsIgnoreCase(ip)) {
            ip = request.getHeader("WL-Proxy-Client-IP");
        }
        if (ip == null || ip.length() == 0 || ip.equalsIgnoreCase(localIP) || "unknown".equalsIgnoreCase(ip)) {
            // No usable header: use the address of the direct peer.
            ip = request.getRemoteAddr();
        }
        return ip;
    }
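The "first value" rule above is only reliable when every entry in the list was written by a proxy, because a client can send its own X-Forwarded-For header and proxies append to it. The following added example (not code from the original page) walks the list from the right and stops at the first address that is not a known proxy; the class name, the `resolve` method and the trusted-proxy set are assumptions made for illustration, and the proxy addresses reuse the page's sample header.

```java
import java.util.Set;
import java.util.regex.Pattern;

public class ClientIpResolver {
    // IPv4 literals only, to keep the example short.
    private static final Pattern IPV4 = Pattern.compile(
        "((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.){3}(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)");

    /**
     * remoteAddr:     value of request.getRemoteAddr()
     * xff:            value of request.getHeader("x-forwarded-for"), may be null
     * trustedProxies: addresses of our own reverse proxies (assumed configuration)
     */
    public static String resolve(String remoteAddr, String xff, Set<String> trustedProxies) {
        // Only one of our own proxies may speak for another address.
        if (xff == null || !trustedProxies.contains(remoteAddr)) {
            return remoteAddr;
        }
        String client = remoteAddr;
        String[] hops = xff.split(",");
        // Walk from the entry appended last (nearest proxy) toward the first.
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!IPV4.matcher(hop).matches()) {
                break; // "unknown", empty or malformed: ignore everything further left
            }
            client = hop;
            if (!trustedProxies.contains(hop)) {
                break; // first address that is not one of our proxies
            }
        }
        return client;
    }

    public static void main(String[] args) {
        // Constructed sample data based on the page's example header.
        Set<String> trusted = Set.of("127.0.0.1", "192.168.101.126", "192.168.101.128");
        String pageHeader = "192.168.101.88, 192.168.101.128, 192.168.101.126";
        System.out.println(resolve("127.0.0.1", pageHeader, trusted));
        // Same chain, but the client itself sent "X-Forwarded-For: 10.0.0.1".
        System.out.println(resolve("127.0.0.1", "10.0.0.1, " + pageHeader, trusted));
        // Direct connection from a peer that is not our proxy: header ignored.
        System.out.println(resolve("203.0.113.7", "10.0.0.1", trusted));
    }
}
```

The first two calls both resolve to 192.168.101.88, while taking the leftmost value would report the client-supplied 10.0.0.1 in the second case; the third call returns the peer address 203.0.113.7.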

