import javax.servlet.http.HttpServletRequest;

public class WebUtil {
    /**
     * Headers that may carry the client's IP, checked in this order.
     */
    private static final String[] HEADERS_ABOUT_CLIENT_IP = {
        "X-Forwarded-For",
        "Proxy-Client-IP",          // Apache (WebLogic Plug-In enabled) in front of WebLogic
        "WL-Proxy-Client-IP",       // Apache (WebLogic Plug-In enabled) in front of WebLogic
        "HTTP_X_FORWARDED_FOR",
        "HTTP_X_FORWARDED",
        "HTTP_X_CLUSTER_CLIENT_IP",
        "HTTP_CLIENT_IP",           // only present if nginx is configured with: proxy_set_header HTTP_CLIENT_IP $remote_addr;
        "HTTP_FORWARDED_FOR",
        "HTTP_FORWARDED",
        "HTTP_VIA",
        "REMOTE_ADDR"
    };

    public static String getClientIpAddr(HttpServletRequest request) {
        for (String header : HEADERS_ABOUT_CLIENT_IP) {
            String ip = request.getHeader(header);
            if (ip != null && !ip.isEmpty() && !"unknown".equalsIgnoreCase(ip)) {
                // X-Forwarded-For: client1, proxy1, proxy2
                // The first entry is the original client; the rest are the proxies it passed through.
                // All of these headers arrive with the request, so the first entry is only
                // trustworthy when an edge proxy under your control overwrites or strips it.
                String[] ips = ip.split(",");
                return ips[0].trim();
            }
        }
        // No forwarding header present: the TCP peer is the client.
        return request.getRemoteAddr();
    }
}
REMOTE_ADDR
If there is no proxy at all, REMOTE_ADDR is the client's IP; if there is a proxy, it is the proxy machine's IP.
x_forwarded_for
To avoid the situation above, proxy servers add an X-Forwarded-For header.
X-Forwarded-For: client1, proxy1, proxy2
As can be seen, the XFF header may carry several entries separated by commas: the first is the real client IP, and the remaining ones are the IP addresses of the proxies or load balancers the request has passed through.
HAProxy: add the following configuration: option forwardfor
Configuring option forwardfor except 10.1.10.0/24 skips setting x_forwarded_for for requests from the internal network.
Nginx: add to the proxy rules: proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
The nginx realip module ensures that REMOTE_ADDR holds the client's real IP.
E-commerce topic: client IP address spoofing, CDN, reverse proxies, and obtaining the client IP
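As an added example (not code from the original page), here is the application-side counterpart to what the nginx realip module does at the edge: instead of taking the leftmost XFF entry, which is whatever the sender put there, the resolver walks the list from the right and skips the proxies it knows, returning the first address that one of those proxies actually observed. It serves both the WebUtil header list above and the XFF discussion. The class name TrustedProxyClientIp, the method resolve, and the proxy addresses 10.1.10.5 and 10.1.10.6 are constructed for the example (chosen inside the 10.1.10.0/24 range the HAProxy line uses); it takes getRemoteAddr() and the header value as plain strings so it runs without a servlet container.

```java
import java.util.Arrays;
import java.util.List;

/**
 * Added example, not from the original page: resolve the client IP from
 * X-Forwarded-For while trusting only the proxies we operate.
 */
public final class TrustedProxyClientIp {

    // Constructed sample: the reverse proxies sitting in front of the application.
    private static final List<String> TRUSTED_PROXIES = Arrays.asList("10.1.10.5", "10.1.10.6");

    private TrustedProxyClientIp() {}

    /**
     * @param remoteAddr TCP peer address of the request (request.getRemoteAddr())
     * @param xff        value of the X-Forwarded-For header, or null if absent
     * @return the nearest address that was not supplied by an untrusted party
     */
    public static String resolve(String remoteAddr, String xff) {
        // If the direct peer is not one of our proxies, nothing in XFF was appended
        // by us, so the header cannot be believed at all.
        if (!TRUSTED_PROXIES.contains(remoteAddr)) {
            return remoteAddr;
        }
        if (xff == null || xff.trim().isEmpty()) {
            return remoteAddr;
        }
        String[] hops = xff.split(",");
        // Each trusted proxy appends the address it accepted the connection from,
        // so walking from the right, the first entry that is not one of our proxies
        // is the client as seen by our outermost proxy; entries to its left were
        // already present when the request reached us.
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (hop.isEmpty() || "unknown".equalsIgnoreCase(hop)) {
                continue;
            }
            if (!TRUSTED_PROXIES.contains(hop)) {
                return hop;
            }
        }
        // Every entry was one of our own proxies (e.g. an internal health check).
        return remoteAddr;
    }

    public static void main(String[] args) {
        // Constructed scenario: client 203.0.113.7 sent a pre-filled XFF of "1.2.3.4";
        // proxy 10.1.10.5 appended the real peer, then proxy 10.1.10.6 appended 10.1.10.5.
        System.out.println(resolve("10.1.10.6", "1.2.3.4, 203.0.113.7, 10.1.10.5"));
        // Constructed scenario: the same client connecting directly, bypassing the proxies.
        System.out.println(resolve("203.0.113.7", "1.2.3.4"));
        // No forwarding header at all.
        System.out.println(resolve("10.1.10.6", null));
    }
}
```

In the first scenario the leading entry is skipped and 203.0.113.7 is returned, because it is the address the trusted proxy 10.1.10.5 actually accepted the connection from; in the second the peer itself is returned since it is not a trusted proxy. Walking from the right with a list of trusted proxies is the same rule the nginx realip module applies with set_real_ip_from and real_ip_recursive on, so an application that already sits behind that configuration can simply use getRemoteAddr().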