Today I’d like to demonstrate another feature in OpenResty Edge: passing the real client IP addresses to backend servers via special request headers. Usually, the client IP addresses seen by the backend servers or origin sites are those of the gateway or proxy servers instead of the original clients'. If the origin site needs the real client IP addresses, we need to create a new request header and put the client IP address there. This way, the backend servers can just read the request header.

Set up page rules for applications

Let’s go to a web console of OpenResty Edge. This is our sample deployment of the console. Every user has her own deployment.

We can still use our continuing sample application, test-edge.com.

Enter the application.

We already have an upstream defined in our earlier tutorial.

This my_backend upstream has a backend server defined already.

Note the IP address of the backend server ends with .100. We will use this IP address later.

We also have a page rule already defined.

This page rule sets up a reverse proxy to the upstream we just saw.

Now let’s add a new page rule to set the client IP in the X-Forwarded-For request header.

We enable a rule condition to check for the URI /test-client-ip/.

Let’s see all the variables we can choose from.

Select URI.

We choose the string equality operator.

Enter the URI /test-client-ip/.

Then add a new action.

We can search for the action.

Search for “Set proxy header”.

Select it.

We enter the header name, “X-Forwarded-For”. It’s a commonly used request header for this purpose. You can use any other name you like, such as X-Real-IP.

Choose the value type. We can specify a literal string value for the request header, or specify a built-in variable provided by OpenResty Edge.

It supports several built-in variables and more are coming in the future.

We choose Client address here.

We make sure this rule runs before any existing normal rules.

Save our changes to this page rule.

We need to make a new release to push out our new changes, as always.

Click on this button.

Ship it!

Our new release is now synchronized to all our gateway servers.

Now the new page rule has been pushed to all the gateway clusters and servers.

Our configuration changes do NOT require server reload, restart, or binary upgrade. So it’s very efficient and scalable.

Test

We’ll then send test requests to the gateway servers. And then we check the “X-Forwarded-For” request header received by the backend server.

On the terminal, we log onto a remote server in London, UK.

Note the IP address of the server ends with .240.

Log onto the server.

Send an HTTP request with the curl command-line utility.

curl http://test-edge.com/test-client-ip/

So the real client IP for this request should also end with .240.

Quit the server.

Then we log into the backend server with the IP address ending with .100:

Let’s see the access log format defined in the Nginx configuration file.

cd /usr/local/openresty/nginx/

Show the top 30 lines of the Nginx configuration file.

Find the log_format directive.

Note that the “X-Forwarded-For” header value is the last field in an access log message.

Check the last line in the backend server’s access log file.

clear
tail -1 logs/access.log

The X-Forwarded-For header of the forwarded request is indeed the IP address ending with .240.

The IP address of the real client is in the request header.

We log onto another server in San Francisco, USA.

Note the IP address of the server ends with .226.

Log onto the server.

Send a test request.

curl http://test-edge.com/test-client-ip/

So the real client IP for this request should end with .226 as well.

Exit the server.

Check the last line in the backend server’s access log file.

The X-Forwarded-For header of the forwarded request ends with .226, exactly what we’d expect.

The IP address of the real client is in the request header again.
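
The backend can rely on this header only when the request actually arrived through the gateway, because a client that reaches the origin directly can send any X-Forwarded-For value it likes. The following Python script is an added example, not part of the original tutorial or of OpenResty Edge: it reads backend access-log lines and decides which address to treat as the client. The log format, the gateway range 192.0.2.0/28 and the sample lines are constructed assumptions.

```python
import ipaddress
import re

# Assumed backend log_format (constructed; the tutorial only says the
# X-Forwarded-For value is the last field of each access-log line):
#   $remote_addr - $remote_user [$time_local] "$request" $status
#   $body_bytes_sent "$http_x_forwarded_for"
LINE_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "(?P<xff>[^"]*)"$'
)

# Placeholder gateway range (documentation addresses, not the page's servers).
TRUSTED_GATEWAYS = [ipaddress.ip_network("192.0.2.0/28")]

SAMPLE_LOG = [  # constructed log lines
    '192.0.2.5 - - [01/Jan/2024:10:00:00 +0000] "GET /test-client-ip/ HTTP/1.1" 200 12 "198.51.100.240"',
    '203.0.113.9 - - [01/Jan/2024:10:00:01 +0000] "GET /test-client-ip/ HTTP/1.1" 200 12 "10.0.0.1"',
    '192.0.2.5 - - [01/Jan/2024:10:00:02 +0000] "GET /test-client-ip/ HTTP/1.1" 200 12 "1.2.3.4, 198.51.100.226, 192.0.2.6"',
]


def is_trusted(addr):
    """True if addr parses as an IP inside a trusted gateway network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_GATEWAYS)


def client_ip(line):
    """Return (address to treat as the client, reason) for one log line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None, "unparsed"
    peer = m["peer"]
    hops = [h.strip() for h in m["xff"].split(",") if h.strip() not in ("", "-")]
    if not is_trusted(peer):
        # Request did not arrive via the gateway: the header is client-supplied.
        return peer, ("untrusted-xff" if hops else "direct")
    # Walk right to left past our own gateways; the first other address is
    # the one a trusted hop observed. Entries further left are unverified.
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer, "malformed-xff"
        if not is_trusted(hop):
            return hop, "from-gateway"
    return peer, "no-client-in-xff"
```

The third sample line models a header with several entries: the leftmost address is ignored because no trusted hop vouches for it.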

Sometimes, the OpenResty Edge gateway servers themselves may be behind another proxy. In such cases, OpenResty Edge also needs to read real client IP addresses from some special request headers. We cover this topic in another tutorial.

That’s what I’d like to cover today.

If you like this tutorial, please subscribe to this blog site and/or our YouTube channel. Thank you!

About The Author

Yichun Zhang (GitHub handle: agentzh) is the original creator of the OpenResty® open-source project and the CEO of OpenResty Inc.

Yichun is one of the earliest advocates and leaders of “open-source technology”. He worked at many internationally renowned tech companies, such as Cloudflare and Yahoo!. He is a pioneer of “edge computing”, “dynamic tracing” and “machine coding”, with over 22 years of programming and 16 years of open source experience. Yichun is well-known in the open-source space as the project leader of OpenResty®, adopted by more than 40 million global website domains.

OpenResty Inc., the enterprise software start-up founded by Yichun in 2017, has customers from some of the biggest companies in the world. Its flagship product, OpenResty XRay, is a non-invasive profiling and troubleshooting tool that significantly enhances and utilizes dynamic tracing technology. And its OpenResty Edge product is a powerful distributed traffic management and private CDN software product.

As an avid open-source contributor, Yichun has contributed more than a million lines of code to numerous open-source projects, including Linux kernel, Nginx, LuaJIT, GDB, SystemTap, LLVM, Perl, etc. He has also authored more than 60 open-source software libraries.