How to retrieve the client IP address of my users' requests?

Modified on Thu, 6 Dec, 2018 at 12:21 AM

Fasterize serves your web pages, so all requests to your origin come from the IP addresses of the Fasterize platform.



With a proxy service such as Fasterize, your origin server logs show the IP addresses of the Fasterize machines instead of the client IP. The client IP is therefore hidden, which prevents you from blocking abusive activity coming from a particular IP.


 

X-Forwarded-For and True-Client-IP


So that you can obtain the IP address of users on your origin servers, we add two HTTP headers to the requests sent to your server: X-Forwarded-For and True-Client-IP.

The X-Forwarded-For header is a list of IP addresses that forwarded the request. The first IP address is the IP address of the browser.





X-Forwarded-For: client, proxy1, proxy2

True-Client-IP: client
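
The following Python function is an added example, not code from Fasterize. It resolves the client IP from X-Forwarded-For only when the connection itself comes from a trusted proxy, because a browser can send this header too (the ModHeader test on this page relies on that). The proxy ranges are placeholder documentation networks, the names client_ip and TRUSTED_PROXIES are assumptions, and the right-to-left walk assumes each proxy appends the address it received the request from.

```python
import ipaddress

# Placeholder ranges (RFC 5737 documentation networks), NOT Fasterize's real
# addresses: replace them with the proxy ranges that actually front your origin.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]


def _is_trusted(addr):
    """True if addr belongs to one of the trusted proxy networks."""
    return any(addr in net for net in TRUSTED_PROXIES)


def _parse(value):
    """Return an ip_address, or None for junk such as 'unknown' or markup."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def client_ip(peer, xff=None):
    """Resolve the client IP for one request.

    peer: address of the TCP connection (REMOTE_ADDR), the only value the
          sender cannot forge.
    xff:  raw X-Forwarded-For header value, or None if the header is absent.
    """
    peer_addr = ipaddress.ip_address(peer)
    # Request did not arrive through a trusted proxy: the header is
    # client-controlled, so ignore it and use the connection address.
    if not xff or not _is_trusted(peer_addr):
        return str(peer_addr)
    # Walk right to left: the right-most entries were appended by trusted
    # proxies; the first entry that is not a trusted proxy is the client.
    candidate = peer_addr
    for hop in reversed(xff.split(",")):
        addr = _parse(hop)
        if addr is None:
            break  # malformed entry: keep the last address we could verify
        candidate = addr
        if not _is_trusted(addr):
            break
    return str(candidate)
```

Anything to the left of the first untrusted address is never read, so an entry the browser placed at the front of the list cannot change the result.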



Test the compatibility of your server


It is possible to emulate the Fasterize connection using the Chrome ModHeader extension to insert the X-Forwarded-For header that would be sent in the request headers to your server.


For example, you can add the header X-Forwarded-For: 109.190.109.118 via the extension and order a product on your site. Then check in your server logs and in the back office that the IP address 109.190.109.118 was recorded correctly.

Implementation on your server


Here are some tips to correctly configure your web server to retrieve the value of the header X-Forwarded-For:

  • Apache: we recommend using the RemoteIP module.


You can compile and install the module with

apxs -i -a -c mod_remoteip.c


Then add this line in your Apache vhost

RemoteIPHeader True-Client-IP

  • Nginx: we recommend using RealIP.
  • Varnish: the logic of vcl_recv must contain:


if (req.http.x-forwarded-for) {
    set req.http.X-Forwarded-For = req.http.X-Forwarded-For + ", " + client.ip;
} else {
    set req.http.X-Forwarded-For = client.ip;
}



Updating server logs


If you do not want to add a module for Apache or Nginx, you can simply add the client IP address to the logs.


For Apache, open the /etc/httpd/conf/httpd.conf file and replace the CustomLog line with:

LogFormat "%{True-Client-IP}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
SetEnvIf True-Client-IP "^.*\..*\..*\..*" forwarded
CustomLog "/usr/local/apache/domlogs/mydomain.com" combined env=!forwarded
CustomLog "/usr/local/apache/domlogs/mydomain.com" proxy env=forwarded


Apache will then choose the correct log format based on the detection of the True-Client-IP header.


Implementation on your CMS


If you cannot change the code of your server, you can modify your CMS to handle proxies:

  • WordPress: use the Proxy Real IP or Real IP plugin.
  • Magento 1 and 2: you must add the following section inside the <global> tag of your local.xml so that the True-Client-IP or X-Forwarded-For headers are interpreted correctly:


<remote_addr_headers>
    <!-- list headers that contain real client IP if webserver is behind a reverse proxy -->
    <header1>HTTP_TRUE_CLIENT_IP</header1>
    <header2>HTTP_X_FORWARDED_FOR</header2>
</remote_addr_headers>


  • PHP: if your website or application is written in PHP, the real IP address of users can be retrieved using the server variable $_SERVER['HTTP_X_FORWARDED_FOR'].


IP blocking via .htaccess


If you currently use IP address blocking for a folder on your site, simply change the following:

Order Deny,Allow
Deny from all
Allow from 172.135.135.234
Allow from 172.135.135.235


to:

Order Deny,Allow
Deny from all
SetEnvIf X-Forwarded-For "^172\.135\.135\.234" AllowAccess_1
SetEnvIf X-Forwarded-For "^172\.135\.135\.235" AllowAccess_2
Allow from env=AllowAccess_1
Allow from env=AllowAccess_2


Scenarios using IP addresses


Here are some scenarios for which you need to use the IP address of users on your servers:

  • Serve different content based on the location of users, determined by the IP address.
  • Check if user session requests come from the same machine. This practice is common for websites such as forums and couriers.
  • Prevent abuse by blocking requests when too many come from the same IP address.
  • Detect fraud.
  • Analyze user behaviors.
  • ...


If your website is affected by any of the above situations, we strongly recommend that you configure your origin server to use the X-Forwarded-For or True-Client-IP header.


Even if your server does not currently use the IP address of users, the situation may change in the future. For this reason, we recommend that you make these changes in all cases. Making these changes carries no risk, even if you do not use the IP address of users today.

