Remote IP Address for HttpServletRequest Object being obscured by Apache Proxy

Question

I am writing an application in Java that serves a web page with data from an underlying database. I am limiting access to the web page based on some IP restrictions. Basically any IP that falls into the 'Accepted' range will be allowed to access the web page and any IP outside of this range will be redirected to an error page. To get the IP address of the user attempting to access the page I am using the following:

String userIPAddress = request.getRemoteAddr();

Where 'request' is my HttpServletRequest Object.

The issue I am running into is that this web page is being proxied through an Apache Web Server.

When this happens, it loses the client's IP address and adopts the IP address of our firewall. So when I access request.getRemoteAddr(), it will return the same IP no matter where the customer attempts to access the web page from.

When accessing the web page internally via direct IP address, my IP check works just fine. The issue presents itself when you access through the proxy.

Is there anything that I can do programmatically to access the client's actual IP address? Or is this something that has to be done/changed via the Apache web server to allow this information to pass through? In that case I can post to Server Fault if that would be a better forum.

Thank you very much for your help.

Best regards.

Recommended answer

When acting in a reverse-proxy mode (using the ProxyPass directive, for example), Apache mod_proxy_http adds several request headers in order to pass information to the origin server, one of them being X-Forwarded-For, which will contain the IP address of the client.

Keep in mind that, if the original request already contained this header (which is not unusual at all), Apache will append the client IP address to the existing value(s), so you will get a comma+space separated list of IP addresses. The last (rightmost) IP address is always the IP address that connects to the last proxy (your Apache), which means that is the one you want to test against.
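
The check the answer describes, written out as an added example (not code from the original question or answer): the rightmost X-Forwarded-For entry is used only when the request actually arrived from the Apache proxy, and everything to its left is treated as client-supplied. The class name, the proxy address 10.0.0.5 and the accepted range 203.0.113.0/24 are assumptions made for illustration; the range check handles IPv4 only, and anything it cannot parse is denied.

```java
import java.util.Set;

public class ClientIpResolver {
    // Assumption: address the Apache reverse proxy connects from (constructed value).
    static final Set<String> TRUSTED_PROXIES = Set.of("10.0.0.5");
    // Assumption: the 'Accepted' range as an IPv4 CIDR block (constructed value).
    static final String ACCEPTED_CIDR = "203.0.113.0/24";

    /** remoteAddr = request.getRemoteAddr(); xff = request.getHeader("X-Forwarded-For") or null. */
    static String resolveClientIp(String remoteAddr, String xff) {
        // Not from our proxy: any X-Forwarded-For was written by the client, so ignore it.
        if (!TRUSTED_PROXIES.contains(remoteAddr)) return remoteAddr;
        if (xff == null) return null; // proxy sent no header: fail closed
        // The rightmost entry is the one our Apache appended; entries to its left
        // arrived with the request and cannot be trusted.
        String[] parts = xff.split(",", -1);
        return parts[parts.length - 1].trim();
    }

    /** Parses a dotted-quad IPv4 address; returns -1 if null or malformed. */
    static long ipv4ToLong(String ip) {
        if (ip == null) return -1;
        String[] octets = ip.split("\\.", -1);
        if (octets.length != 4) return -1;
        long value = 0;
        for (String s : octets) {
            if (!s.matches("\\d{1,3}") || Integer.parseInt(s) > 255) return -1;
            value = (value << 8) | Integer.parseInt(s);
        }
        return value;
    }

    /** True only if the resolved client address parses and lies inside ACCEPTED_CIDR. */
    static boolean isAllowed(String remoteAddr, String xff) {
        long ip = ipv4ToLong(resolveClientIp(remoteAddr, xff));
        String[] cidr = ACCEPTED_CIDR.split("/");
        int bits = Integer.parseInt(cidr[1]);
        long mask = bits == 0 ? 0 : (0xFFFFFFFFL << (32 - bits)) & 0xFFFFFFFFL;
        return ip >= 0 && (ip & mask) == (ipv4ToLong(cidr[0]) & mask);
    }

    public static void main(String[] args) {
        // Constructed inputs: (getRemoteAddr value, X-Forwarded-For value).
        System.out.println(isAllowed("10.0.0.5", "203.0.113.7"));               // via proxy, single entry
        System.out.println(isAllowed("10.0.0.5", "203.0.113.7, 198.51.100.9")); // via proxy, header already present
        System.out.println(isAllowed("198.51.100.9", "203.0.113.7"));           // direct connection carrying the header
    }
}
```

In a servlet or filter, pass `request.getRemoteAddr()` and `request.getHeader("X-Forwarded-For")` to `isAllowed` and redirect to the error page when it returns false.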
