- Release Notes and Announcements
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- CLB Instance
- CLB Listener
- CLB Listener Overview
- Configuring TCP Listener
- Configuring UDP Listener
- Configuring TCP SSL Listener
- Configuring QUIC Listener
- Configuring HTTP Listener
- Configuring HTTPS Listener
- Load Balancing Methods
- Session Persistence
- Layer-7 Redirection Configuration
- Layer-7 Custom Configuration
- Layer-7 Domain Name Forwarding and URL Rules
- Using QUIC Protocol on CLB
- SNI Support for Binding Multiple Certificates to a CLB Instance
- Real Server
- Health Check
- Certificate Management
- Monitoring and Alarm
- Log Management
- Cloud Access Management
- Classic CLB
- Best Practices
- Enabling Gzip Configuration & Testing
- HTTPS Forwarding Configurations
- Obtaining Real Client IPs
- Notes on SNAT and Non-SNAT Types for Private Network CLB
- Implementing HA Across Multiple AZs
- Load Balancing Algorithm Selection and Weight Configuration Examples
- Configuring WAF protection for CLB listening domain names
- Troubleshooting
- OPS Guidelines
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Instance APIs
- Listener APIs
- Real Server APIs
- Target Group APIs
- Redirection APIs
- Other APIs
- Cloud Load Balancer APIs
- Classic CLB APIs
- Data Types
- Error Codes
- CLB API 2017
- FAQs
- Service Level Agreement
- Contact Us
- Glossary
- Release Notes and Announcements
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- CLB Instance
- CLB Listener
- CLB Listener Overview
- Configuring TCP Listener
- Configuring UDP Listener
- Configuring TCP SSL Listener
- Configuring QUIC Listener
- Configuring HTTP Listener
- Configuring HTTPS Listener
- Load Balancing Methods
- Session Persistence
- Layer-7 Redirection Configuration
- Layer-7 Custom Configuration
- Layer-7 Domain Name Forwarding and URL Rules
- Using QUIC Protocol on CLB
- SNI Support for Binding Multiple Certificates to a CLB Instance
- Real Server
- Health Check
- Certificate Management
- Monitoring and Alarm
- Log Management
- Cloud Access Management
- Classic CLB
- Best Practices
- Enabling Gzip Configuration & Testing
- HTTPS Forwarding Configurations
- Obtaining Real Client IPs
- Notes on SNAT and Non-SNAT Types for Private Network CLB
- Implementing HA Across Multiple AZs
- Load Balancing Algorithm Selection and Weight Configuration Examples
- Configuring WAF protection for CLB listening domain names
- Troubleshooting
- OPS Guidelines
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Instance APIs
- Listener APIs
- Real Server APIs
- Target Group APIs
- Redirection APIs
- Other APIs
- Cloud Load Balancer APIs
- Classic CLB APIs
- Data Types
- Error Codes
- CLB API 2017
- FAQs
- Service Level Agreement
- Contact Us
- Glossary
Notes on Getting Real Client IPs by CLB
All layer-4 (TCP/UDP/TCP SSL) and layer-7 (HTTP/HTTPS) CLB services support getting a real client IP directly on a backend CVM instance with no additional configuration required.
- For layer-4 CLB, the source IP obtained on the backend CVM instance is the client IP.
- For layer-7 CLB, you can use the
X-Forwarded-Fororremote_addrfield to directly get the client IP. For the access logs of layer-7 CLB, see Configuring Access Logs.
Note:
- For layer-4 CLB, the client IP can be directly obtained with no additional configuration required on the backend CVM instance.
- For other layer-7 load balancing services with SNAT enabled, you need to configure the backend CVM instance and then use
X-Forwarded-Forto get the real client IP.
Below are commonly used application server configuration schemes.
IIS 6 Configuration Scheme
- Download and install the F5XForwardedFor plugin module, copy
F5XForwardedFor.dllin thex86\Releaseorx64\Releasedirectory based on your server operating system version to a certain directory (such asC:\ISAPIFiltersin this document), and make sure that the IIS process has read permission to this directory. - Open the IIS Manager, find the currently opened website, right-click the website, and select Properties to open the properties page.
- On the properties page, switch to ISAPI Filters and click Add to pop up the Add/Edit Filter Properties window.
- In the Add/Edit Filter Properties window, enter "F5XForwardedFor" for "Filter name" and the full path to
F5XForwardedFor.dllfor "Executable" and then click OK. - Restart the IIS server for the configuration to take effect.
IIS 7 Configuration Scheme
- Download and install the F5XForwardedFor plugin module, copy
F5XFFHttpModule.dllandF5XFFHttpModule.iniin thex86\Releaseorx64\Releasedirectory based on your server operating system version to a certain directory (such asC:\x_forwarded_forin this document), and make sure that the IIS process has read permission to this directory. - Select IIS Server and double-click Modules.
- Click Configure Native Modules.
- In the pop-up window, click Register.
- Add the downloaded DLL files as shown below:
- After adding the files, select them and click OK.
- Add the above two DLL files in "ISAPI and CGI Restrictions" and set the restrictions to "Allow".
- Restart the IIS server for the configuration to take effect.
Apache Configuration Scheme
Install the third-party Apache module "mod_rpaf".
wget http://stderr.net/apache/rpaf/download/mod_rpaf-0.6.tar.gz tar zxvf mod_rpaf-0.6.tar.gz cd mod_rpaf-0.6 /usr/bin/apxs -i -c -n mod_rpaf-2.0.so mod_rpaf-2.0.cModify the Apache configuration
/etc/httpd/conf/httpd.confby adding the following to the end of the file:LoadModule rpaf_module modules/mod_rpaf-2.0.so RPAFenable On RPAFsethostname On RPAFproxy_ips IP address (this is not the public IP provided by CLB. For the specific IP, query the Apache logs. Generally, there are two IP addresses and you need to enter both of them) RPAFheader X-Forwarded-ForAfter adding the above content, restart Apache.
/usr/sbin/apachectl restart
Nginx Configuration Scheme
You can use
http_realip_moduleto get the real client IP when Nginx is used as the server. However, this module is not installed in Nginx by default, and you need to recompile Nginx to add--with-http_realip_module.yum -y install gcc pcre pcre-devel zlib zlib-devel openssl openssl-devel wget http://nginx.org/download/nginx-1.17.0.tar.gz tar zxvf nginx-1.17.0.tar.gz cd nginx-1.17.0 ./configure --prefix=/path/server/nginx --with-http_stub_status_module --without-http-cache --with-http_ssl_module --with-http_realip_module make make installModify the
nginx.conffile.vi /etc/nginx/nginx.conf
Modify the configuration fields and information in red as follows:
Note:Here, you need to change
xx.xx.xx.xxto the actual IP address (not the public IP provided by CLB). For the specific IP address, query the previous Nginx logs. You need to enter all IP addresses if there are multiple ones.
fastcgi connect_timeout 300; fastcgi send_timeout 300; fastcgi read_timeout 300; fastcgi buffer_size 64k; fastcgi buffers 4 64k; fastcgi busy_buffers_size 128k; fastcgi temp_file_write_size 128k; set_real_ip_from xx.xx.xx.xx; real_ip_header X-Forwarded-For;
service nginx restart
- View Nginx access logs to get the real client IP.
cat /path/server/nginx/logs/access.log
Yes
No
Was this page helpful?