x-forward-for explained

When Nginx is used as a reverse proxy, request.getRemoteAddr() cannot obtain the client's IP; it returns Nginx's IP instead. The fix is to configure Nginx with `proxy_set_header X-real-ip $remote_addr;` or to pass the `X-Forwarded-For` header through. This post explains how X-Forwarded-For works, including the roles of the $proxy_add_x_forwarded_for and $http_x_forwarded_for variables, so that the user's real IP can be obtained on the web server side.


Problem background:

In practice we sometimes need the user's IP address, for example to detect logins from an unusual location or to count visits per IP. Normally request.getRemoteAddr() gives us the client IP, but once Nginx is placed in front as a reverse proxy, request.getRemoteAddr() always returns the Nginx server's IP address instead. What should we do then?

Part 1: Solution

While looking into this I came across a book called 《实战nginx》 by 张晏, which contains this passage: "After a reverse proxy is introduced, an extra layer sits between the client and the web server, so the web server cannot obtain the client's IP directly; what it gets through the $remote_addr variable is the IP address of the reverse proxy server." In other words, once Nginx is used as a reverse proxy, calling request.getRemoteAddr() on the web side (which is essentially reading $remote_addr) returns Nginx's address, because that is what $remote_addr holds there, so naturally the user's real IP is not available. Nginx itself, however, does know the user's real IP: when Nginx evaluates $remote_addr it gets the user's real IP. So if we want the user's real IP on the web side, we have to do an assignment in Nginx, like this:

proxy_set_header X-real-ip $remote_addr;

Here `X-real-ip` is a custom header name; you can name it whatever you like. After this, the user's real IP is carried in the X-real-ip header, and on the web side it can be read like this:

request.getHeader("X-real-ip")  // request headers are read with getHeader(), not getAttribute()

That should make it clear.

Part 2: How it works

Here we explain the relevant Nginx variables. You will usually see configuration such as the following:


                
### X-Forwarded-For header: purpose and usage

The `X-Forwarded-For` header is a de facto standard HTTP header for identifying the originating IP address of a client that connects to a web server through an HTTP proxy or load balancer. It lets servers identify the original client even when proxies in between would otherwise hide that information. When a request passes through several proxies, each intermediate proxy appends the address it saw to the list carried in `X-Forwarded-For`. The value is a comma-separated list in which the first IP is the initial client's address, followed by the addresses of the intermediaries in order.

Here is how the header can be inspected in Python, using Flask as an example:

```python
from flask import Flask, request

app = Flask(__name__)


@app.route('/')
def index():
    # X-Forwarded-For is one comma-separated list; each proxy appends the peer
    # address it saw, so the rightmost entry was added by the nearest proxy.
    xff = request.headers.get("X-Forwarded-For")
    if xff:
        # Take only the last IP in case there were several layers of proxies.
        user_ip = xff.split(",")[-1].strip()
    else:
        # No forwarding header: use the direct remote address.
        user_ip = request.remote_addr
    return f"Your IP Address: {user_ip}"
```

In environments where trusted reverse proxies sit between end users and application servers, administrators should make sure those intermediaries append their addresses to any existing `X-Forwarded-For` value rather than overwriting it. In addition, applications must check that an incoming connection actually arrived through the expected gateway before trusting header metadata supplied by external parties; the header is client-controlled and is not verified by anything on its own.
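An added example, not code from the original post or from Nginx itself: a Python model of what Nginx computes for $proxy_add_x_forwarded_for (the incoming $http_x_forwarded_for with its own $remote_addr appended) and a backend routine that walks the resulting list from the right past trusted proxies, so that a value the client forged on the left is not mistaken for the real address. The 10.0.0.0/8 trusted range and all IP addresses are constructed.

```python
"""Model of Nginx's $proxy_add_x_forwarded_for and a backend that reads it.

Constructed example (not code from the original post). Assumes the trusted
proxies (Nginx, load balancers) live in 10.0.0.0/8; all addresses are made up.
"""
from typing import List, Optional
import ipaddress


def proxy_add_x_forwarded_for(incoming_xff: Optional[str], remote_addr: str) -> str:
    """What Nginx evaluates for $proxy_add_x_forwarded_for: the X-Forwarded-For
    header it received ($http_x_forwarded_for) with its own peer address
    ($remote_addr) appended, or just the peer address if no header came in."""
    if incoming_xff:
        return f"{incoming_xff}, {remote_addr}"
    return remote_addr


def real_client_ip(remote_addr: str, xff: Optional[str],
                   trusted_proxies: List[str]) -> str:
    """Client IP as vouched for by the chain of trusted proxies.

    remote_addr: the backend's TCP peer (Nginx when proxied).
    xff: X-Forwarded-For as received by the backend, or None.
    trusted_proxies: CIDRs of hops allowed to append to the chain.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(hop: str) -> bool:
        try:
            return any(ipaddress.ip_address(hop) in net for net in nets)
        except ValueError:
            return False  # not an IP at all: never treat it as a trusted proxy

    # Full hop chain: header entries left to right, then the direct peer.
    hops = [h.strip() for h in xff.split(",")] if xff else []
    hops.append(remote_addr)
    # Walk right to left. Each trusted hop appended the entry to its left,
    # so the first untrusted entry is the real client. The leftmost value
    # is whatever the client chose to send and is never trusted on its own.
    for hop in reversed(hops):
        if not is_trusted(hop):
            return hop
    return hops[0]  # every hop was a trusted proxy (request from inside)
```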