DocsICP FilingConsole
官方文档
首页

Preserve client source IP

更新时间:
复制 MD 格式
产品详情
我的收藏

When you use Global Accelerator (GA) to accelerate your application services, you can enable client IP preservation to retrieve the originating client IP address. For Layer 7 (HTTP/HTTPS) listeners, the address is retrieved from theX-Forwarded-For field in the HTTP request header. For Layer 4 (TCP/UDP) listeners, retrieval is either automatic or requires your backend service to support Proxy Protocol, depending on the backend service type.

Note

Client IP preservation is supported only for smart routing listeners. This feature is not supported by default for custom routing listeners. To enable it for a custom routing listener, contact your account manager.

HTTP and HTTPS listeners

Method

For HTTP and HTTPS listeners, Global Accelerator (GA) uses the Preserve Client IP feature to retrieve the originating client IP. This feature is enabled by default.

GA stores the originating client IP address in theX-Forwarded-For field of the HTTP request header. You can configure your backend server to retrieve this IP address. The first IP address in the field is the originating client IP address.

X-Forwarded-For: <originating client IP, proxy server 1 IP, proxy server 2 IP, ...>

Procedure

This procedure uses an Nginx 1.20.1 server running on Alibaba Cloud Linux 3 as an example. The steps may vary depending on your environment.

  1. Run nginx -V | grep http_realip_module to check whether http_realip_module is installed. Nginx uses this module to parse X-Forwarded-For records.

    If the output includes --with-http_realip_module, the module is installed. Proceed to the next step.

    Sample output if the http_realip_module is installed

    nginx version: nginx/1.20.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) 
built with OpenSSL 1.1.1k  FIPS 25 Mar 2021
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-compat --with-debug --with-file-aio --with-google_perftools_module --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_degradation_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_mp4_module --with-http_perl_module=dynamic --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_xslt_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module --with-threads --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E'
    Note

    • http_realip_module is available since Nginx 1.0.4 (2011). If you use an older version, back up your configuration and upgrade Nginx.

    • If http_realip_module is not installed, recompile Nginx with the module or reinstall Nginx using a package manager such as yum.

  2. Edit the Nginx configuration file. Run nginx -t to find the file path. The default is /etc/nginx/nginx.conf.

    http {
  # Make sure that the log_format includes $http_x_forwarded_for. This variable records the value of X-Forwarded-For.
  log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
  
  # ...
}

  3. Run the sudo nginx -s reload command to reload the Nginx configuration.

  4. Retrieve the originating client IP address.

    You can check the Nginx access log to verify that the originating client IP address is successfully retrieved.

    Run thetail -n <number_of_lines> <log_path> command. In the returned log entry, check the field corresponding to the$http_x_forwarded_for variable. The first IP address is the originating client IP address.

    In this example, the default Nginx log file path is/var/log/nginx/access.log.

    [root@izxxx ~]# tail -n 1 /var/log/nginx/access.log
172.20xxx - - [17/Oct/2024:17:46:49 +0800] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0" "47.243.xxx"
    Note

    To prevent health check logs from overwriting entries that contain originating client IP addresses, view multiple log entries at a time or temporarily increase the health check interval.

TCP listeners

Methods

To retrieve the originating client IP address, enable the Preserve Client IP feature and select a retrieval method.

Supported methods vary by backend service type.

  • Automatic: GA forwards the originating client IP address directly to the backend service. The client IP address retrieved by the backend server is the originating client IP address.

  • Proxy Protocol: The backend server must support Proxy Protocol to obtain the originating client IP address.

    What is Proxy Protocol?

    Proxy Protocol is a protocol for forwarding a client's original network connection information from a proxy server to a backend server.

    Typically, when a proxy server forwards a client request, it rewrites the request header and replaces the client's original IP address and port with its own. This prevents the backend server from obtaining the client's originating network information.

    With Proxy Protocol, the proxy server encapsulates the client's original connection information within a Proxy Protocol header and prepends it to the data forwarded to the backend server. The backend server can then parse this header to obtain the original information, such as the source IP address, source port, and protocol.

    This allows the backend server to perform more accurate logging, access control, and traffic monitoring.

    Important

    • Proxy Protocol requires support from both the proxy server and the backend server to function correctly. If your backend server cannot parse Proxy Protocol, enabling this feature will likely cause parsing errors and affect service availability.

    • GA listeners use Proxy Protocol to transmit original connection information (such as source IP, destination IP, source port, and destination port) by prepending it to the TCP data stream. This process does not discard or overwrite any existing data.

    • GA supports only Proxy Protocol v1, which supports only the TCP protocol. For more information, see The PROXY protocol.

Alibaba Cloud backend services

Backend service type

IP preservation support

Supported methods

ECS instance

Supported

The ECS instance must be in a virtual private cloud (VPC), and its security group must allow traffic from all originating client IP addresses.

  • Automatic

  • Proxy Protocol

Application Load Balancer (ALB)

Not supported

Not applicable

Network Load Balancer (NLB)

Supported

  • Automatic (supported only when the backend server of the NLB instance is an ECS instance or an ENI)

  • Proxy Protocol

Classic Load Balancer (CLB)

Supported

The security group of the backend server for the CLB instance must allow traffic from all originating client IP addresses.

Note that backend servers cannot obtain originating client IP addresses in the following scenarios:

  • The backend servers of your CLB instance are ECS instances that are deployed in a classic network.

  • The listener of your CLB instance uses the HTTP or HTTPS protocol.

  • Automatic (supported only when the backend server of the CLB instance is an ECS instance or an ENI)

  • Proxy Protocol

Object Storage Service (OSS)

Not supported

Not applicable

Elastic Network Interface (ENI)

Supported

The security group of the ENI must allow traffic from all originating client IP addresses.

  • Automatic

  • Proxy Protocol

Custom private IP

Supported

Proxy Protocol

Alibaba Cloud Public IP

Warning

If an endpoint is an Alibaba Cloud public IP, detaching the public IP from its original instance and attaching it to another may cause client IP preservation to fail and interrupt traffic. To restore this feature for the endpoint, you can delete and recreate the endpoint, or contact your account manager.

Attached to a VPC-type ECS instance

Supported

  • Automatic

  • Proxy Protocol

Attached to an NLB instance

Supported

  • Automatic (supported only when the backend server of the NLB instance is an ECS instance or an ENI)

  • Proxy Protocol

Attached to an ALB instance

Not supported

Not applicable

Attached to a private CLB instance

Supported

  • Automatic (supported only when the backend server of the CLB instance is an ECS instance or an ENI)

  • Proxy Protocol

Attached to an ENI

Supported

  • Automatic

  • Proxy Protocol

Attached to a public NAT gateway

Supported

Proxy Protocol

External backend services

Backend service type

IP preservation support

Supported methods

Custom public IP

Supported

Proxy Protocol

Custom Domain Name

Supported
Note

If a client accesses GA through an IPv6 accelerated IP address, or if GA communicates with the backend service over IPv6, you must use Proxy Protocol to retrieve the originating client IP address.

Procedure

This procedure uses an Nginx 1.20.1 server running on Alibaba Cloud Linux 3 as an example. The steps may vary depending on your environment.

Automatic retrieval

  1. Enable client IP preservation.

    1. Log on to the Global Accelerator (GA) console.

    2. On the Instances page, find the target GA instance, and click Configure Listener in the Actions column.

    3. On the Listener tab, find the target TCP listener, and click Edit Listener in the Actions column.

    4. On the Configure Listener & Protocol page, click Next.

    5. On the Configure Endpoint Group page, select Maintain from the Preserve Client IP drop-down list, and then click Next.

      If the backend service is deployed on Alibaba Cloud, Retrieve Client IP Address is set to Automatically Retrieve Client IP by default.

      Set Preserve Client IP to Preserve. If an IPv6 client accesses the backend service, select Proxy Protocol as the Method to Retrieve Originating Client IP.

    6. On the Configuration Review page, confirm the configuration and click Submit.

  2. Check the Nginx configuration file.

    Run thenginx -t command to find the path of the configuration file. The default path is typically/etc/nginx/nginx.conf.

    Note

    To process HTTP or HTTPS traffic, the Nginx server must support thehttp{} module. To process TCP traffic, it must also support thestream{} module.

    Thestream{} module was added in Nginx 1.9.0 and is not installed by default. You must compile and install it to use the stream{} module.

    # Process HTTP traffic
http {
  # Default configuration
  log_format  main  '$remote_addr- $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
  access_log  /var/log/nginx/access.log  main;
  # Example: listener on port 80
  server {
        listen 80;
        #...
       }
}
# Process TCP traffic (add if needed)
stream {
    log_format main_stream '$remote_addr - [$time_local] '
                        '"$protocol" $status $bytes_sent $bytes_received '
                        '"$session_time"';
    access_log  /var/log/nginx/stream_access.log  main_stream;
# Example: listener on port 4000
    server {
        listen 4000;
        #...
    }
}

  3. Retrieve the originating client IP address.

    • Method 1: Check the Nginx log to verify the originating client IP address.

      Run thetail -n <number_of_lines> <log_path> command. In the returned log entry, the first IP address, which corresponds to the$remote_addr variable, is the originating client IP address.

      • For HTTP traffic:

        In this example, the log file path is/var/log/nginx/access.log.

        [root@xxx ~]# tail -n 1 /var/log/nginx/access.log
47.243.xxx.xxx - [21/Oct/2024:14:01:06 +0800] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 xxx"

      • For TCP traffic:

        In this example, the log file path is/var/log/nginx/stream_access.log.

        [root@iZrxxx      xxx]# tail -n 5 /var/log/nginx/stream_access.log
121.40.xxx.xxx [24/Jan/2025:10:29:34 +0800] "TCP" 200 0 16 "3.217"
121.40.xxx.xxx [24/Jan/2025:10:29:44 +0800] "TCP" 200 0 15 "2.935"
121.40.xxx.xxx [24/Jan/2025:10:29:57 +0800] "TCP" 200 0 7 "4.908"
121.40.xxx.xxx [24/Jan/2025:10:30:16 +0800] "TCP" 200 0 26 "10.474"
121.40.xxx.xxx [24/Jan/2025:10:30:25 +0800] "TCP" 200 0 10 "3.368"

    • Method 2: Capture data packets to verify the originating client IP address.

      Run thetcpdump tcp port [listener_port] -n -X -s 0 command to check the data packets for the originating client IP address.

      [root@iZrxxx ~]# tcpdump tcp port 4000 -n -X -s 0
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
10:31:59.216390 IP 121.40.xxx.xxx.52352 > 172.20.106.148.terabase: Flags [S], seq 3468880686, win 65535, options [nop,nop,nop,nop,nop,nop,nop,nop,mss 1460,sackOK,TS val 1793314199 ecr 0,nop,wscale 9], length 0
        0x0000:  4500 0044 801a 4000 4006 36a9 7928 f41f  E..D..@.@.6.y(..
        0x0010:  ac14 6a94 cc80 0fa0 cec2 eb2e 0000 0000  ..j.............
        0x0020:  c002 ffff d173 0000 0101 0101 0101 0101  .....s..........
        0x0030:  0204 05b4 0402 080a 6ae3 cd97 0000 0000  ........j.......
        0x0040:  0103 0309                                 ....
10:31:59.216419 IP 172.20.106.148.terabase > 121.40.xxx.xxx.52352: Flags [S.], seq 28697778872, ack 3468880687, win 65160, options [mss 1460,sackOK,TS val 1603313796 ecr 1793314199,nop,wscale 7], length 0
        0x0000:  4500 003c 0000 4000 4006 b6cb ac14 6a94  E..<..@.@.....j.
        0x0010:  7928 f41f 0fa0 cc80 ab0d 59b8 cec2 eb2f  y(........Y..../
        0x0020:  a012 fe88 841f 0000 0204 05b4 0402 080a  ................
        0x0030:  5f90 a084 6ae3 cd97 0103 0307             _...j.......

Proxy Protocol

  1. Enable client IP preservation.

    1. Log on to the Global Accelerator (GA) console.

    2. On the Instances page, find the target GA instance, and click Configure Listener in the Actions column.

    3. On the Listener tab, find the target TCP listener, and click Edit Listener in the Actions column.

    4. On the Configure Listener & Protocol page, click Next.

    5. On the Configure Endpoint Group page, select Maintain from the Preserve Client IP drop-down list, and then click Next.

      If the backend service is deployed outside Alibaba Cloud, Retrieve Client IP Address is set to Proxy Protocol by default.

      On the Configure Endpoint Group page, set Preserve Client IP to Preserve.

    6. On the Configuration Review page, confirm the configuration and click Submit.

  2. Modify the Nginx configuration file as shown in the example below and save the changes.

    Run thenginx -t command to find the path of the configuration file. The default path is typically /etc/nginx/nginx.conf, but the actual path depends on your environment.

    Note

    To process HTTP or HTTPS traffic, the Nginx server must support thehttp{} module. To process TCP traffic, it must also support thestream{} module.

    Thestream{} module was added in Nginx 1.9.0 and is not installed by default. You must compile and install it to use the stream{} module.

    # Process HTTP traffic
http {
  # Add the $proxy_protocol_addr variable to the log format to record the originating client IP.
  log_format  main  '$proxy_protocol_addr - $remote_addr- $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';     
  access_log  /var/log/nginx/access.log  main;
  # Enable proxy_protocol parsing on the listener port (port 80 in this example).
  server {
    listen 80   proxy_protocol;
    #...
  }
}
# Process TCP traffic (add if needed)
stream {
    # Add the $proxy_protocol_addr variable to the log format to record the originating client IP.
    log_format  main_stream  '$proxy_protocol_addr - $remote_addr - $protocol [$time_local] '
                              '$status $bytes_sent $bytes_received $session_time';
    access_log /var/log/nginx/stream_access.log main_stream; 
   # Enable proxy_protocol parsing on the listener port (port 12345 in this example).
    server {
        listen 12345 proxy_protocol;
        #...
    }
}

  3. Run thesudo nginx -s reload command to reload the Nginx configuration file.

  4. Retrieve the originating client IP address.

    You can check the Nginx log to verify the originating client IP address.

    Run thetail -n <number_of_lines> <log_path> command. In the returned log entry, the IP address that corresponds to the$proxy_protocol_addr variable is the originating client IP address.

    • For HTTP traffic:

      In this example, the log file path is/var/log/nginx/access.log.

      [root@xxx    ~]#  tail -n 1 /var/log/nginx/access.log
47.243.xxx  - 47.251.xxx - - [21/Oct/2024:16:57:41 +0800] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0"

    • For TCP traffic:

      In this example, the log file path is/var/log/nginx/stream_access.log.

      [root@i-xxx ~]# tail -n 1 /var/log/nginx/stream_access.log
47.243   47.251    - TCP [23/Oct/2024:17:19:44 +0800] 200 0 1 0.000

UDP listeners

Method

To retrieve the originating client IP address, enable the Preserve Client IP feature. For UDP listeners, this feature supports only the Automatically Retrieve Client IP method, where GA forwards the originating client IP address directly to the backend service.

When you enable Preserve Client IP for a UDP listener, the following limitations apply:

  • Only pay-as-you-go GA instances are supported.

    If your pay-as-you-go GA instance does not support enabling client IP preservation for UDP listeners, the instance version may not support this feature. To use this feature, contact your account manager to request an instance upgrade.

  • This is supported only when the Backend Service Type is ECS , ENI , or NLB . For NLB-type backend services, the Preserve Client IP feature is not enabled by default. To use this feature, contact your account manager.

  • Backend servers can only retrieve originating IP addresses from clients of the same IP version (IPv4 to IPv4 and IPv6 to IPv6).

Procedure

This procedure uses an Nginx 1.20.1 server running on Alibaba Cloud Linux 3 as an example. The steps may vary depending on your environment.

  1. Enable client IP preservation.

    1. Log on to the Global Accelerator (GA) console.

    2. On the Instances page, find the target GA instance, and click Configure Listener in the Actions column.

    3. On the Listener tab, find the target UDP listener, and click Edit Listener in the Actions column.

    4. On the Configure Listener & Protocol page, click Next.

    5. On the Configure Endpoint Group page, select Maintain from the Preserve Client IP drop-down list, and then click Next.

      The Retrieve Client IP Address is set to Automatic by default.

    6. On the Configuration Review page, confirm the configuration and click Submit.

  2. Check the Nginx configuration file.

    Run thenginx -t command to find the path of the configuration file. The default path is typically/etc/nginx/nginx.conf.

    Note

    To process UDP traffic, the Nginx server must support thestream{} module.

    Thestream{} module was added in Nginx 1.9.0 and is not installed by default. You must compile and install it to use the stream{} module.

    #...
# Process UDP traffic (make sure to include this module)
stream {
    log_format main_stream '$remote_addr - [$time_local] '
                        '"$protocol" $status $bytes_sent $bytes_received '
                        '"$session_time"';
    access_log  /var/log/nginx/stream_access.log  main_stream;
# Example: UDP listener on port 4000
    server {
        listen 4000 udp;
        #...
    }
}

  3. Retrieve the originating client IP address.

    • Method 1: Check the Nginx log to verify the originating client IP address.

      Run thetail -n <number_of_lines> <log_path> command. In the returned log entry, the first IP address, which corresponds to the$remote_addr variable, is the originating client IP address.

      In this example, the log file path is/var/log/nginx/stream_access.log.

      [root@iZ2zxxx          ~]# tail -n 5 /var/log/nginx/stream_access.log
47.251.xxx.xxx - [24/Jan/2025:13:37:43 +0800] "UDP" 200 0 12 "600.099"
47.251.xxx.xxx - [24/Jan/2025:13:39:11 +0800] "UDP" 200 0 12 "600.088"
47.251.xxx.xxx - [24/Jan/2025:13:39:28 +0800] "UDP" 200 0 14 "600.012"
47.251.xxx.xxx - [24/Jan/2025:13:39:37 +0800] "UDP" 200 0 14 "600.009"
47.251.xxx.xxx - [24/Jan/2025:13:41:04 +0800] "UDP" 200 0 14 "600.086"

    • Method 2: Capture data packets to verify the originating client IP address.

      Run thetcpdump udp port [listener_port] -n -X -s 0 command to check the data packets for the originating client IP address.

      [root@iz2xxx ~]# tcpdump udp port 4000 -n -X -s 0
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:04:06.047337 IP 47.251.xxx.xxx 55491 > 10.5.120.213.terabase: UDP, length 14
0x0000: 4500 002a 6e1e 4000 4011 a221 2ffb 77ae  E..*n.@.@..!/w.
0x0010: 0a05 78d5 d8c3 0fa0 0016 12fb 4865 6c6c  ..x.........Hell
0x0020: 6f2c 2055 4450 3032 210a                  o, UDP02!.

FAQ

Troubleshooting client IP preservation

  • For an HTTP or HTTPS listener, this feature fails if the backend server cannot process the X-Forwarded-For header.

  • For a TCP listener:

    • If the backend service is deployed on Alibaba Cloud, this feature fails if the backend server or the EIP-associated instance is outside a VPC.

    • If the backend service is deployed outside Alibaba Cloud, the backend server must support parsing Proxy Protocol to obtain the client IP address. Otherwise, this feature fails.

      If your backend server cannot parse Proxy Protocol, it cannot correctly process accelerated traffic.

    • If an IPv6 client accesses an IPv4 backend service, the backend server must support parsing Proxy Protocol to obtain the client IP address. Otherwise, this feature fails.

  • For a UDP listener, this feature is not supported when an IPv6 client accesses an IPv4 backend service.

Disabling client IP address preservation

For HTTP or HTTPS listeners, client IP address preservation is enabled by default and cannot be disabled.

You can disable this feature for TCP and UDP listeners in the console by following these steps:

  1. On the Instances page, find your Global Accelerator instance and click Configure Listener in the Actions column.

  2. On the Listeners tab, find your listener and click Edit in the Actions column.

  3. On the Configure Listener & Protocol page, click Next.

  4. On the Configure Endpoint Group page, set Preserve Client IP to Do Not Preserve and click Next.

  5. On the Configuration Review page, verify the configuration and click Submit.

Retrieving client IP in IPv6-to-IPv4 translation

  • For an HTTP or HTTPS listener: The client IP addresses of both IPv4 and IPv6 clients are available only in the X-Forwarded-For header of HTTP requests.

  • For a TCP listener: The client IP address of an IPv6 client can be obtained only by using Proxy Protocol. This method requires the Proxy Protocol to support parsing Proxy Protocol. Otherwise, the access request fails.

  • For a UDP listener: Retrieving the client IP address of an IPv6 client is not supported.

Related documents

Console

  • Alternatively, use the GA access log feature. Create an access log for the endpoint group, and the collected logs are delivered to a Simple Log Service (SLS) Logstore in the same region. The originating client IP is available in the client_ip field on the Raw Logs tab of the Logstore.

  • For more information about the configuration and considerations for backend services in an endpoint group, seeEndpoint groups and endpoints andAdd and manage endpoint groups for smart routing listeners.

API

When calling these API operations, use the EnableClientIPPreservation parameter for the automatic method and the EnableProxyProtocol parameter for the Proxy Protocol method.

Previous:Enable and manage health checksNext:Forwarding rules