Architect: Two methods for Java to obtain the real IP address of the client

1. Introduction

As the title says. This is very important, and it can be used for IP anti-spoofing.

2. Code

In JSP, the method to obtain the client's IP address is request.getRemoteAddr(), which works in most cases. However, after passing through Apache, Squid or other reverse proxy software, the real IP address of the client cannot be obtained this way.

If reverse proxy software is used, for example when http://192.168.1.110:2046/ is reverse-proxied as http://www.javapeixun.com.cn/, the IP address returned by request.getRemoteAddr() is 127.0.0.1 or 192.168.1.110, not the real IP of the client.

After passing through the proxy, an intermediate layer sits between the client and the service, so the server cannot directly obtain the client's IP, and the server-side application cannot directly address the client through the forwarded request. But the proxy adds an X-Forwarded-For header to the forwarded request, used to track the original client IP address and the server address the original client requested. When we visit http://www.javapeixun.com.cn/index.jsp, it is not our browser that actually accesses index.jsp on the server: the proxy server first accesses http://192.168.1.110:2046/index.jsp and then returns the result to our browser. Because it is the proxy server that accesses index.jsp, the IP obtained by request.getRemoteAddr() inside index.jsp is actually the proxy server's address, not the client's IP address.

Therefore, the first method to obtain the real IP address of the client is:

public String getRemortIP(HttpServletRequest request) {
    // No proxy in the path: the socket peer address is the client itself
    if (request.getHeader("x-forwarded-for") == null) {
        return request.getRemoteAddr();
    }
    // Behind a proxy: the proxy records the original client in X-Forwarded-For
    return request.getHeader("x-forwarded-for");
}
But when I visit http://www.5a520.cn/index.jsp, the returned IP address is always "unknown", not 127.0.0.1 or 192.168.1.110 as shown above, while when I visit http://192.168.1.110:2046/index.jsp it returns the real IP address of the client; I wrote a method to verify this. The reason lies in Squid. The forwarded_for item in the squid.conf configuration file is on by default. If forwarded_for is set to off, then the header becomes: X-Forwarded-For: unknown

Therefore, the second method to obtain the real IP address of the client is:

public String getIpAddr(HttpServletRequest request) {
    // Standard header added by most reverse proxies (Squid writes "unknown" when forwarded_for is off)
    String ip = request.getHeader("x-forwarded-for");
    if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
        // Header used by some Apache proxy setups
        ip = request.getHeader("Proxy-Client-IP");
    }
    if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
        // Header used by the WebLogic proxy plug-in
        ip = request.getHeader("WL-Proxy-Client-IP");
    }
    if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
        // No usable header: fall back to the socket peer address
        ip = request.getRemoteAddr();
    }
    return ip;
}
However, if the request passes through multi-level reverse proxies, the value of X-Forwarded-For is not a single IP but a comma-separated series of IP values. Which one is the real IP of the real client?

The answer is to take the first valid IP string in X-Forwarded-For that is not "unknown".

For example, given X-Forwarded-For: 192.168.1.110, 192.168.1.120, 192.168.1.130, 192.168.1.100, the real IP of the user is 192.168.1.110.
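As an added example (not the original post's code), this helper applies the rule above to a multi-level X-Forwarded-For chain: it skips empty and "unknown" entries, returns the first entry that is a syntactically valid IP literal, and falls back to the socket address when nothing qualifies. Because any sender can include its own X-Forwarded-For header, the leftmost entry is only as reliable as the proxies known to append to it, so the header should only be consulted for requests that arrive from those proxies. It assumes IPv4 addresses and a servlet-style caller that supplies request.getHeader("X-Forwarded-For") and request.getRemoteAddr().

```java
import java.util.regex.Pattern;

/** Resolves the original client IP from an X-Forwarded-For chain as the text describes. */
public final class ClientIpResolver {

    // Dotted-quad IPv4 with each octet in 0..255 (assumption: the proxies here use IPv4).
    private static final Pattern IPV4 = Pattern.compile(
        "^((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.){3}(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)$");

    static boolean isValidIp(String s) {
        return s != null && IPV4.matcher(s).matches();
    }

    /**
     * xff is the raw X-Forwarded-For value (may be null); remoteAddr is the TCP peer address.
     * Returns the first non-"unknown", valid IP in the chain, else remoteAddr.
     */
    static String resolve(String xff, String remoteAddr) {
        if (xff != null && !xff.isEmpty()) {
            for (String part : xff.split(",")) {
                String candidate = part.trim();
                if (candidate.isEmpty() || "unknown".equalsIgnoreCase(candidate)) {
                    continue;            // Squid with forwarded_for off writes "unknown"
                }
                if (isValidIp(candidate)) {
                    return candidate;    // leftmost valid entry = original client
                }
            }
        }
        return remoteAddr;               // no usable header: the peer address is all we have
    }

    public static void main(String[] args) {
        // Constructed sample values, not captured from a live proxy.
        String chain = "192.168.1.110, 192.168.1.120, 192.168.1.130, 192.168.1.100";
        System.out.println(resolve(chain, "127.0.0.1"));
        System.out.println(resolve("unknown, 192.168.1.120", "127.0.0.1"));
        System.out.println(resolve("unknown", "192.168.1.110"));
        System.out.println(resolve("not-an-ip, 192.168.1.130", "127.0.0.1"));
        System.out.println(resolve(null, "192.168.1.110"));
        // In a servlet: resolve(request.getHeader("X-Forwarded-For"), request.getRemoteAddr())
    }
}
```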
