Today, I’d like to demonstrate another feature in OpenResty Edge: getting the real client IP in OpenResty Edge when requests go through 3rd-party proxies.

In general, the client address obtained by OpenResty Edge is the proxy’s address when requests go through 3rd-party proxies.

Embeded image

Sometimes, we may need to get the real client IP address, such as using client addresses in conditions, limiting request rates, or logging.

Embeded image

Set “Trusted hosts to set real IP” and “Real IP from” Globally

Let’s go to a web console of OpenResty Edge. This is our sample deployment of the console. Every user would have their own deployment.

Screenshot

First, enter the Global Config Page.

Screenshot

we have multiple configurations to set.

Screenshot

First, we need to set Trusted hosts to set real IP.

Screenshot

The Trusted hosts to set real IP is a list of IP addresses allowed to set the Real IP header. The Real IP header will be ignored for requests not from trusted hosts.

Enter the IP address 52.53.251.226.

Screenshot

Next, we must specify the request header with the proxy’s real IP. Generally, it’s X_Forwarded_For.

Screenshot

The last IP address in the header will be used if there are multiple IPs.

Embeded image

Save it.

Screenshot

We need to make a new release to push out our new changes.

Screenshot

Click on this button.

Screenshot

Ship it!

Screenshot

Now our changes have been pushed to all the gateway clusters and servers. Now the new configuration has been pushed to all the gateway clusters and servers.

Embeded video

Embeded video

Embeded video

Our configuration changes do NOT require server reload, restart, or binary upgrade. So it’s very efficient and scalable.

Embeded image

Configure the Application to Output the Client Address

Let’s configure the application to output the client address now.

Screenshot

We can still use our continuing sample application, test-edge.com.

Screenshot

Enter the application.

Screenshot

Go to the “Page Rules” page.

Screenshot

We have a page rule already defined. This page rule sets up a reverse proxy to an upstream.

Screenshot

We’ll implement a page rule in EdgeLang to output the client’s address. We’ve introduced EdgeLang previously in a separate blog post.

Screenshot

click Edit button.

Screenshot

The condition is set to true, indicating that it applies to all subsequent parts.

Screenshot

Output the client address.

Screenshot

Save.

Screenshot

We need to make a new release to push out our new changes, as always.

Screenshot

Click on this button.

Screenshot

Ship it!

Screenshot

Our new release is now synchronized to all our gateway servers.

Screenshot

Check the Client Address Received on OpenResty Edge

We’ll send requests to gateway servers and check the client address received on OpenResty Edge.

On the terminal, we log onto a remote server in the United States as a proxy.

Screenshot

Send an HTTP request using the curl command-line utility.

curl http://test-edge.com/

Screenshot

Note that the client address is the proxy’s address.

Screenshot

Next, let’s send an HTTP request with the X-Forwarded-For header; the real client address is in the header.

curl http://test-edge.com/ -H "X-Forwarded-For: 104.28.243.40"

Screenshot

Note that the client address is the real address: 104.28.243.40.

Screenshot

Let’s consider the scenario where the X-Forwarded-For header contains multiple IP addresses.

curl http://test-edge.com/ -H "X-Forwarded-For: 104.28.243.40, 105.56.18.52"

Screenshot

Note that the last IP address in the header is used.

Screenshot

Quit the server.

Screenshot

We log onto another server, which is not one of the Trusted hosts.

Screenshot

Send a request with X-Forwarded-For header as well.

curl http://test-edge.com/ -H "X-Forwarded-For: 104.28.243.40"

Screenshot

Note that the client address is still the proxy’s address.

Screenshot

The real IP is supposed to affect everything related to client IPs.

Let’s see some examples. The Client city and Client address will be affected.

Screenshot

Screenshot

The action Limit request rate is also affected.

Screenshot

However, the feature limits the rate of SSL or TLS handshakes of HTTPS requests, which won’t be affected because the client address was not rewritten during the handshake.

Screenshot

What is OpenResty Edge

OpenResty Edge is our all-in-one gateway software for microservices and distributed traffic architectures. It combines traffic management, private CDN construction, API gateway, security, and more to help you easily build, manage, and protect modern applications. OpenResty Edge delivers industry-leading performance and scalability to meet the demanding needs of high concurrency, high load scenarios. It supports scheduling containerized application traffic such as K8s and manages massive domains, making it easy to meet the needs of large websites and complex applications.

If you like this tutorial, please subscribe to this blog site and/or our YouTube channel. Thank you!

About The Author

Yichun Zhang (Github handle: agentzh), is the original creator of the OpenResty® open-source project and the CEO of OpenResty Inc..

Yichun is one of the earliest advocates and leaders of “open-source technology”. He worked at many internationally renowned tech companies, such as Cloudflare, Yahoo!. He is a pioneer of “edge computing”, “dynamic tracing” and “machine coding”, with over 22 years of programming and 16 years of open source experience. Yichun is well-known in the open-source space as the project leader of OpenResty®, adopted by more than 40 million global website domains.

OpenResty Inc., the enterprise software start-up founded by Yichun in 2017, has customers from some of the biggest companies in the world. Its flagship product, OpenResty XRay, is a non-invasive profiling and troubleshooting tool that significantly enhances and utilizes dynamic tracing technology. And its OpenResty Edge product is a powerful distributed traffic management and private CDN software product.

As an avid open-source contributor, Yichun has contributed more than a million lines of code to numerous open-source projects, including Linux kernel, Nginx, LuaJIT, GDB, SystemTap, LLVM, Perl, etc. He has also authored more than 60 open-source software libraries.