How to get the real IP address of the client in JSP

Time:2020-6-3

In JSP, the method for obtaining the client IP is request.getRemoteAddr(). This method works in most cases, but it cannot return the real IP address of the client when the request passes through reverse proxy software such as Apache or Squid.

If reverse proxy software is used and the URL http://192.168.1.110:3306/ is reverse-proxied as http://www.8888.com/, the IP address returned by request.getRemoteAddr() is 127.0.0.1 or 192.168.1.110, not the real IP address of the client.

Once a proxy is in place, there is an extra layer between the client and the service, so the server cannot obtain the client's IP directly, and the server application cannot return a response directly to the client through the address the request was forwarded from. However, x-forwarded-for information is added to the HTTP headers of the forwarded request, to track the original client IP address and the server address requested by the original client. When we visit http://www.8888.com/index.jsp/, it is not actually our browser that accesses index.jsp on the server. The proxy server first accesses http://192.168.1.110:3306/index.jsp and then returns the result to our browser. Because it is the proxy server that accesses index.jsp, the IP obtained in index.jsp through request.getRemoteAddr() is actually the address of the proxy server, not the IP address of the client.

This gives a first method for getting the real IP address of the client:


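// Method 1: use the x-forwarded-for header added by the proxy,
// falling back to the socket address when the header is absent.
// Requires javax.servlet.http.HttpServletRequest.
public String getRemortIP(HttpServletRequest request)
{
  if (request.getHeader("x-forwarded-for") == null)
  {
    return request.getRemoteAddr();
  }
  return request.getHeader("x-forwarded-for");
}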

But when I visit http://www.xxx.com/index.jsp/, the returned IP address is always unknown, not 127.0.0.1 or 192.168.1.110 as shown above, whereas when I visit http://192.168.1.110:3306/index.jsp, it returns the real IP address of the client. I wrote a method to verify this. The cause is Squid. In the squid.conf configuration file, the forwarded_for item is on by default; if forwarded_for is set to off, then: x-forwarded-for: unknown

This gives a second method for getting the real IP address of the client:


// Method 2: try each proxy header in turn and skip values that are
// missing, empty or "unknown"; fall back to the socket address last.
public String getIpAddr(HttpServletRequest request)
{
  String ip = request.getHeader("x-forwarded-for");
  if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip))
  {
    ip = request.getHeader("Proxy-Client-IP");
  }
  if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip))
  {
    ip = request.getHeader("WL-Proxy-Client-IP");
  }
  if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip))
  {
    ip = request.getRemoteAddr();
  }
  return ip;
}

However, if multiple levels of reverse proxy are used, x-forwarded-for holds not a single value but a comma-separated string of IP values. Which one is the real IP of the client?

The answer is: take the first valid IP string in x-forwarded-for that is not unknown.

For example: x-forwarded-for: 192.168.1.110, 192.168.1.120, 192.168.1.130, 192.168.1.100

The real IP address of the user is: 192.168.1.110

Both of the methods above work. Relying on request.getRemoteAddr() alone to get the client IP is not ideal.

I hope this article will help you in your study.