Today, I want to demonstrate another feature of OpenResty Edge: obtaining the real client IP address.

In most cases, if the request passes through a third-party proxy, the client address received by OpenResty Edge will be the address of the proxy server.

Sometimes, we need the real client IP address for condition matching, request rate limiting, logging, and other scenarios.

Set the "Real Source IP Trust Address" and "Real IP Source" in the global configuration

Let's go to the OpenResty Edge Admin web console. This is a sample deployment of our console. Each user has their own local deployment.

First, enter the "Global Config" page.

Multiple configurations are required here.

First, we need to set "Trusted hosts to set real IP".

"Trusted hosts to set real IP" is the list of IP addresses that are allowed to set the "Real IP header". If a request comes from an untrusted host, the "Real IP header" will be ignored.

Enter the IP address 52.53.251.226.

Next, we need to specify the request header in which the proxy passes the real IP address. Usually, this is X_Forwarded_For.

If there are multiple IP addresses in the request header, the system will use the last IP address in the list.

Save.

We need to publish to push this new change.

Click this button.

Release!

The changes just made have now been synchronized to all gateway clusters and servers.

Our configuration changes do not require server reload, restart, or binary upgrade. So it is very efficient and scalable.

Configure the app to output the client address

Now let's set the application to output the client address.

We can continue to use the previous example application, test-edge.com.

Enter the application.

Go to the Page Rules page.

We have defined a page rule. This page rule sets a reverse proxy to an upstream.

We will use EdgeLang to create a page rule that outputs the client address. We introduced EdgeLang in a dedicated video.

Click the "Edit" button.

Setting the condition to true means that the part that follows is always executed.

Output the client address.

Save.

As usual, we need to publish to push this new change.

Click this button.

Release!

The changes have now been synchronized to all gateway servers.

Verify the client address received in OpenResty Edge

We will send a request to the gateway server and verify the client address received by OpenResty Edge.

We log in to the remote server in the United States through the terminal and use it as a proxy.

Use the curl command-line tool to send an HTTP request.

 curl http://test-edge.com/

As you can see, the output client address is the proxy address.

Next, we will send an HTTP request with an X-Forwarded-For header that contains the real client address.

 curl http://test-edge.com/ -H "X-Forwarded-For: 104.28.243.40"

As you can see, the output client address is the real address: 104.28.243.40.

Now let's look at the case where the X-Forwarded-For header contains multiple IP addresses.

 curl http://test-edge.com/ -H "X-Forwarded-For: 104.28.243.40, 105.56.18.52"

You can see that the output is the last IP address of the header.

Exit the server.

We logged in to another server, which is not in the trusted host list.

Again, send a request with the X-Forwarded-For header.

 curl http://test-edge.com/ -H "X-Forwarded-For: 104.28.243.40"

As you can see, the output client address is the proxy address.
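
The trust decision exercised by the four requests above can be modelled in a few lines of Python. This is an added example, not OpenResty Edge code: the names `resolve_client_ip` and `TRUSTED_HOSTS`, the untrusted peer address 203.0.113.7, and the fallback to the peer address when the header value is unparsable are assumptions made for illustration.

```python
import ipaddress

# Trusted host list as entered in the global configuration above.
TRUSTED_HOSTS = ["52.53.251.226"]


def resolve_client_ip(peer_addr, header_value, trusted_hosts=TRUSTED_HOSTS):
    """Return the address to treat as the client for one request.

    peer_addr    -- address of the TCP peer (the proxy, or a direct client)
    header_value -- raw X-Forwarded-For value, or None if the header is absent
    """
    peer = ipaddress.ip_address(peer_addr)
    # Entries may be single addresses or CIDR ranges; a bare address becomes /32.
    trusted = any(
        peer in ipaddress.ip_network(entry, strict=False)
        for entry in trusted_hosts
    )
    # Header from an untrusted host is ignored: anyone can send it.
    if not trusted or not header_value:
        return str(peer)
    # With several addresses in the header, the last one is used.
    last = header_value.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(last))
    except ValueError:
        # Assumption: an unparsable value falls back to the peer address.
        return str(peer)


def replay_tutorial_requests():
    """Replay the tutorial's curl requests (the untrusted peer is a constructed sample)."""
    proxy, untrusted = "52.53.251.226", "203.0.113.7"
    return [
        resolve_client_ip(proxy, None),
        resolve_client_ip(proxy, "104.28.243.40"),
        resolve_client_ip(proxy, "104.28.243.40, 105.56.18.52"),
        resolve_client_ip(untrusted, "104.28.243.40"),
    ]


if __name__ == "__main__":
    for result in replay_tutorial_requests():
        print(result)
```

Keep the trusted list limited to proxies you operate: any host on it decides which client address rate limiting and logging will see.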

The real IP affects everything related to the client IP.

Let's look at some examples. "Client city" and "Client address" will be affected.

The "Limit request rate" action will also be affected.

However, the ability to limit the SSL or TLS handshake rate of HTTPS requests will not be affected because the client address is not rewritten during the handshake.

About OpenResty Edge

OpenResty Edge is a full-featured gateway software that we developed in-house and that is best suited for microservices and distributed traffic. It provides features such as page rules, Web Application Firewall (WAF), load balancing, and more.

If you like this tutorial, please subscribe to this blog site and our YouTube channel or Bilibili channel. Thank you!

About the author

Zhang Yichun is the founder of the open source OpenResty® project and the CEO and founder of OpenResty Inc.

Zhang Yichun (GitHub ID: agentzh) was born in Jiangsu, China, and now lives in the U.S. Bay Area. He was an early advocate and leader of open source technology and culture in China, and has worked for many internationally renowned high-tech companies, such as Cloudflare, Yahoo, and Alibaba. A pioneer of "edge computing", "dynamic tracing" and "machine programming", he has more than 22 years of programming experience and 16 years of open source experience. He leads open source projects with more than 40 million global domain name users. OpenResty Inc., the high-tech company he created on the basis of the OpenResty® open source project, is located in the center of Silicon Valley in the United States. Its two main products, OpenResty XRay (which uses dynamic tracing technology) and OpenResty Edge (the all-purpose gateway software best suited for microservices and distributed traffic), are widely favored by many listed and large enterprises worldwide. Besides OpenResty, Zhang Yichun has contributed more than one million lines of code to many open source projects, including the Linux kernel, Nginx, LuaJIT, GDB, SystemTap, LLVM, and Perl, and has written more than 60 open source software libraries.

Follow us

If you like this article, please follow the OpenResty Inc. corporate blog site. You are also welcome to scan our WeChat official account:

Translations

We provide the original English version and a Chinese translation (this article). We also welcome readers to provide translations in other languages. As long as the full text is translated without omissions, we will consider using it. Thank you very much!