← Back

Accurately Restore the Real Client IP Address in OpenResty Edge

Yichun Zhang Posted Apr 10, 2024 Updated Apr 19, 2024

5 mins read

Views

Today, I’d like to demonstrate another feature in OpenResty Edge: getting the real client IP in OpenResty Edge when requests go through 3rd-party proxies.

In general, the client address obtained by OpenResty Edge is the proxy’s address when requests go through 3rd-party proxies.

Sometimes, we may need to get the real client IP address, such as using client addresses in conditions, limiting request rates, or logging.

Set “Trusted hosts to set real IP” and “Real IP from” Globally

Let’s go to a web console of OpenResty Edge. This is our sample deployment of the console. Every user would have their own deployment.

First, enter the Global Config Page.

we have multiple configurations to set.

First, we need to set Trusted hosts to set real IP.

The Trusted hosts to set real IP is a list of IP addresses allowed to set the Real IP header. The Real IP header will be ignored for requests not from trusted hosts.

Enter the IP address 52.53.251.226.

Next, we must specify the request header with the proxy’s real IP. Generally, it’s X_Forwarded_For.

The last IP address in the header will be used if there are multiple IPs.

Save it.

We need to make a new release to push out our new changes.

Click on this button.

Ship it!

Now our changes have been pushed to all the gateway clusters and servers. Now the new configuration has been pushed to all the gateway clusters and servers.

Our configuration changes do NOT require server reload, restart, or binary upgrade. So it’s very efficient and scalable.

Configure the Application to Output the Client Address

Let’s configure the application to output the client address now.

We can still use our continuing sample application, test-edge.com.

Enter the application.

Go to the “Page Rules” page.

We have a page rule already defined. This page rule sets up a reverse proxy to an upstream.

We’ll implement a page rule in EdgeLang to output the client’s address. We’ve introduced EdgeLang previously in a separate blog post.

click Edit button.

The condition is set to true, indicating that it applies to all subsequent parts.

Output the client address.

Save.

We need to make a new release to push out our new changes, as always.

Click on this button.

Ship it!

Our new release is now synchronized to all our gateway servers.

Check the Client Address Received on OpenResty Edge

We’ll send requests to gateway servers and check the client address received on OpenResty Edge.

On the terminal, we log onto a remote server in the United States as a proxy.

Send an HTTP request using the curl command-line utility.

curl http://test-edge.com/

Note that the client address is the proxy’s address.

Next, let’s send an HTTP request with the X-Forwarded-For header; the real client address is in the header.

curl http://test-edge.com/ -H "X-Forwarded-For: 104.28.243.40"

Note that the client address is the real address: 104.28.243.40.

Let’s consider the scenario where the X-Forwarded-For header contains multiple IP addresses.

curl http://test-edge.com/ -H "X-Forwarded-For: 104.28.243.40, 105.56.18.52"

Note that the last IP address in the header is used.

Quit the server.

We log onto another server, which is not one of the Trusted hosts.

Send a request with X-Forwarded-For header as well.

curl http://test-edge.com/ -H "X-Forwarded-For: 104.28.243.40"

Note that the client address is still the proxy’s address.

The real IP is supposed to affect everything related to client IPs.

Let’s see some examples. The Client city and Client address will be affected.

The action Limit request rate is also affected.

However, the feature limits the rate of SSL or TLS handshakes of HTTPS requests, which won’t be affected because the client address was not rewritten during the handshake.

What is OpenResty Edge

OpenResty Edge is a powerful distributed traffic management and private CDN software product based on OpenResty. It provides various features such as page rules, web application firewall (WAF), load balancing, and many more.

Request to try out OpenResty Edge

If you like this tutorial, please subscribe to this blog site and/or our YouTube channel. Thank you!

About The Author

Yichun Zhang (Github handle: agentzh), is the original creator of the OpenResty^® open-source project and the CEO of OpenResty Inc..

Yichun is one of the earliest advocates and leaders of “open-source technology”. He worked at many internationally renowned tech companies, such as Cloudflare, Yahoo!. He is a pioneer of “edge computing”, “dynamic tracing” and “machine coding”, with over 22 years of programming and 16 years of open source experience. Yichun is well-known in the open-source space as the project leader of OpenResty^®, adopted by more than 40 million global website domains.

OpenResty Inc., the enterprise software start-up founded by Yichun in 2017, has customers from some of the biggest companies in the world. Its flagship product, OpenResty XRay, is a non-invasive profiling and troubleshooting tool that significantly enhances and utilizes dynamic tracing technology. And its OpenResty Edge product is a powerful distributed traffic management and private CDN software product.

As an avid open-source contributor, Yichun has contributed more than a million lines of code to numerous open-source projects, including Linux kernel, Nginx, LuaJIT, GDB, SystemTap, LLVM, Perl, etc. He has also authored more than 60 open-source software libraries.