$remote_addr
is the real address of the client, which the server obtains from the TCP connection with the client. Remote Address cannot be forged because a TCP connection requires a three-way handshake: if the source IP is forged, the TCP connection cannot be established, and there is no subsequent HTTP request.
X-Real-IP
is a custom header. X-Real-IP is typically used by HTTP proxies to represent the IP of the device that established the TCP connection with the proxy, which may be another proxy or the true requester. It is important to note that X-Real-IP currently does not belong to any standard; the proxy and the web application can agree on any custom header to pass this information.
X-Forwarded-For
X-Forwarded-For is an extension header. The HTTP/1.1 (RFC 2616) protocol does not define it; it was first introduced by Squid, the caching proxy software, to represent the real IP of the HTTP requester. It has now become the de facto standard, is widely used by the major HTTP proxies, load balancers, and other forwarding services, and has been written into the RFC 7239 (Forwarded HTTP Extension) standard.
The X-Forwarded-For request header format is very simple:
X-Forwarded-For: client, proxy1, proxy2
As you can see, the content of XFF is composed of several parts separated by "comma + space": the first is the IP of the device farthest from the server, followed by the IP of each level of proxy device.
If an HTTP request passes through three proxies, Proxy1, Proxy2 and Proxy3, before it arrives at the server, and their IPs are IP1, IP2 and IP3 respectively while the user's real IP is IP0, then, following the XFF standard, the server will eventually receive the following information:
X-Forwarded-For: IP0, IP1, IP2
Proxy3 is directly connected to the server, and it appends IP2 to XFF, indicating that it is forwarding the request on behalf of Proxy2. The list does not contain IP3; IP3 can be obtained on the server side from the Remote Address field. We know that an HTTP connection is based on a TCP connection and that the HTTP protocol has no concept of IP; Remote Address comes from the TCP connection and represents the IP of the device that established the TCP connection with the server, which in this case is IP3.
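Because XFF is an ordinary request header, only Remote Address is established by the TCP connection itself; a server that consumes the chain above can start from Remote Address and walk the list from right to left, accepting an entry only while the hop that reported it is one of its own proxies. The following is an added example, not code from the original article; the trusted network 10.0.0.0/8, the function names and all sample addresses are constructed assumptions.

```python
import ipaddress

# Assumption: every proxy we operate lives in this (hypothetical) network.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted(addr):
    """True if addr is a valid IP inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, xff_header):
    """Resolve the client IP from Remote Address plus X-Forwarded-For.

    remote_addr comes from the TCP connection. An XFF entry is accepted
    only if the hop that appended it (the hop to its right, or remote_addr
    for the last entry) is a trusted proxy. Entries further left were
    supplied by an untrusted party and are ignored.
    """
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    current = remote_addr
    while hops and is_trusted(current):
        candidate = hops.pop()           # rightmost remaining entry
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break                        # malformed entry: stop at last verified hop
        current = candidate
    return current


# Constructed sample values mirroring IP0..IP3 from the text.
IP0, IP1, IP2, IP3 = "203.0.113.7", "10.0.0.1", "10.0.0.2", "10.0.0.3"

if __name__ == "__main__":
    # Normal chain: the server sees "IP0, IP1, IP2" and Remote Address IP3.
    print(client_ip(IP3, f"{IP0}, {IP1}, {IP2}"))
    # The client sent its own XFF value; Proxy1 appended IP0 after it.
    print(client_ip(IP3, f"198.51.100.99, {IP0}, {IP1}, {IP2}"))
    # Direct connection from an unknown peer: the header is ignored.
    print(client_ip(IP0, "127.0.0.1"))
```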
If these two items are configured on an nginx reverse proxy server:
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
Here the real client address, $remote_addr, is assigned to X-Real-IP. Note that if the client's request comes through a CDN or another reverse proxy, then this REMOTE_ADDR address is the address of the CDN or reverse proxy.
$proxy_add_x_forwarded_for adds the IP of this reverse proxy machine to X-Forwarded-For. Example: if the previous layer is a CDN that sets X-Forwarded-For (generally a CDN hides its own IP and passes only the client IP), and we set it again here with the value $proxy_add_x_forwarded_for, then the content of X-Forwarded-For becomes "client IP, nginx load balancer server IP". So, if you know that the CDN sets X-Forwarded-For and that it contains only the client's real IP, then our nginx can leave the header alone and let it keep its default.
$http_x_forwarded_for
This variable stores the X-Forwarded-For information from the request, which should be the single IP recorded by the upstream proxy. If the backend program that reads X-Forwarded-For has poor compatibility (it does not consider that X-Forwarded-For may contain multiple IPs), it is best not to set X-Forwarded-For to $proxy_add_x_forwarded_for. It should be set to $http_x_forwarded_for, or simply not set!
Understanding X-Forwarded-For and several related headers