After your website is added to Web Application Firewall (WAF), WAF filters access requests to your website and then forwards normal requests to the origin server. The origin server can use the X-Forwarded-For header in back-to-origin requests to retrieve the originating IP addresses of clients. This topic describes how to configure web application servers and Kubernetes containers to retrieve the originating IP addresses of clients. Web application servers include NGINX, IIS 6, IIS 7, Apache, and Tomcat servers.

Background

The X-Forwarded-For header is used to record the originating IP addresses of clients. WAF adds the X-Forwarded-For header to the HTTP request header before forwarding the access requests to the next-hop server in the X-Forwarded-For:Client IP address format. If access requests pass through multiple intermediate proxy servers such as WAF, Anti-DDoS Pro or Anti-DDoS Premium, and Alibaba Cloud CDN, the X-Forwarded-For header records the originating IP addresses of clients and the IP addresses of intermediate proxy servers. The header records multiple IP addresses that are separated with commas (,). Example: X-Forwarded-For:Client IP address, IP address of Proxy Server 1, IP address of Proxy Server 2, IP address of Proxy Server 3, ….

Therefore, common Web application servers and Kubernetes containers can use the X-Forwarded-For header to retrieve the originating IP addresses of clients.

The following section describes how to configure the X-Forwarded-For header on NGINX, IIS 6, IIS 7, Apache, and Tomcat servers, as well as on the Kubernetes containers.
Notice Before you start, make sure that you have backed up the existing environment, including the Elastic Compute Service (ECS) instance snapshots and the configuration files of web application servers.

Configure NGINX servers

NGINX servers use the http_realip_module module to retrieve the originating IP addresses of clients. Use the following method to install the http_realip_module module and modify the configuration file of NGINX.

  1. Install the http_realip_module module.
    Run the # nginx -V | grep http_realip_module command on the NGINX server to check whether the module is installed.
    • If the module is installed, skip this step.
    • If the module is not installed, recompile NGINX and install the module.
      Note This module is not installed when NGINX is installed by using a quick installation package.
      wget http://nginx.org/download/nginx-1.12.2.tar.gz
      tar zxvf nginx-1.12.2.tar.gz
      cd nginx-1.12.2
      ./configure --user=www --group=www --prefix=/alidata/server/nginx --with-http_stub_status_module --without-http-cache --with-http_ssl_module --with-http_realip_module
      make
      make install
      kill -USR2 `cat /alidata/server/nginx/logs/nginx.pid`
      kill -QUIT `cat /alidata/server/nginx/logs/ nginx.pid.oldbin`
  2. Modify the configuration file of NGINX.
    1. Open the default.conf configuration file.
    2. Add the following content to location / {}:
      set_real_ip_from <ip_range1>;
      set_real_ip_from <ip_range2>;
      ...
      set_real_ip_from <ip_rangex>;
      real_ip_header X-Forwarded-For;

      <ip_range1>, <ip_range2>, and <ip_rangex> in the content are the back-to-origin CIDR blocks of WAF. For more information about the back-to-origin CIDR blocks of WAF, see Allow access from the back-to-origin CIDR blocks of WAF.

      Enter one back-to-origin CIDR block in each line. Assume that the back-to-origin CIDR block of WAF include 10.0.0.1, 10.0.0.2, and 10.0.0.3. Add the following content to location / {}:
      set_real_ip_from 10.0.0.1;
      set_real_ip_from 10.0.0.2;
      set_real_ip_from 10.0.0.3;
      real_ip_header X-Forwarded-For;
  3. Modify the log format.
    1. Open the nginx.conf configuration file and find log_format in the HTTP configuration.
    2. In log_format, replace the remote-address field with the x-forwarded-for field.
      The following content shows the modified log format:
      log_format  main  '$http_x_forwarded_for - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" ';
  4. Run the nginx -s reload command to restart NGINX.

Configure IIS 6 servers

IIS 6 servers use the F5XForwardedFor module to retrieve the originating IP addresses of clients. You can perform the following operations to install the F5XForwardedFor module.

  1. Copy the F5XForwardedFor.dll file from the x86\Release or x64\Release directory to a custom directory such as C:\ISAPIFilters\x86 and C:\ISAPIFilters\x64.
    Note
    • Make sure that the Internet Information Services (IIS) process has read and write permissions on the custom directory.
    • If the F5XForwardedFor.dll file does not exist in the x86\Release or x64\Release directory, click F5XForwardedFor.dll to download it and copy it to the custom directory.
  2. Open IIS Manager, find the website, right-click the website, and select Properties.
  3. On the ISAPI Filters tab, click Add. Configure the following parameters and click OK.
    Assume that your server runs a 32-bit operating system.
    • Filter name: Enter x_forwarded_for_x86.
    • Executable: Enter the full path of F5XForwardedFor.dll. Example: C:\ISAPIFilters\x86\F5XForwardedFor.dll.
  4. Restart the IIS 6 server for the configurations to take effect.

Configure IIS 7 servers

IIS 7 servers use the F5XForwardedFor module to retrieve the originating IP addresses of clients. You can perform the following operations to install the F5XForwardedFor module.

  1. Copy the F5XFFHttpModule.dll and F5XFFHttpModule.ini files from the x86\Release or x64\Release directory to a custom directory such as C:\x_forwarded_for\x86 or C:\x_forwarded_for\x64.
    Note
    • Make sure that the IIS process has read and write permissions on the custom directory.
    • If the files do not exist in the x86\Release or x64\Release directory, click F5XForwardedFor to download them.
  2. In the IIS Server section, double-click Module.
  3. On the Module page, click Configure Local Module in the Actions section on the right.
  4. In the Configure Local Module dialog box, click Register. Specify the following parameters and click OK.
    Assume that your server runs a 32-bit operating system.
    • Name: Enter x_forwarded_for_x86.
    • Path: Enter the full path of the F5XFFHttpModule.dll module. Example: C:\x_forwarded_for\x86\F5XFFHttpModule.dll.
  5. In the Configure Local Module dialog box, select the newly registered module and click OK.
  6. In the ISAPI and CGI Restrictions section, add the registered DLL file and set Restriction to Allow.
  7. Restart the IIS 7 server for the configurations to take effect.

Configure Apache servers

Configure Apache servers in Windows

The installation packages of Apache 2.4 and later versions provide the remoteip_module module file named mod_remoteip.so. You can use this module to retrieve the originating IP addresses of clients.

  1. Create a configuration file named httpd-remoteip.conf in the extra configuration folder of Apache (conf/extra/).
    Note You can load the related configurations by importing the remoteip.conf configuration file. This reduces the number of times that you modify the httpd.conf file and avoids service exceptions due to misoperations.
  2. Add the following content to the httpd-remoteip.conf configuration file:
    # Load the mod_remoteip.so module.
    LoadModule remoteip_module modules/mod_remoteip.so
    # Configure the RemoteIPHeader header.
    RemoteIPHeader X-Forwarded-For
    # Specify the back-to-origin CIDR blocks.
    RemoteIPInternalProxy <ip_range1> <ip_range2> ... <ip_rangex>

    <ip_range1>, <ip_range2>, and <ip_rangex> in the content are the back-to-origin CIDR blocks of WAF. For more information about the back-to-origin CIDR blocks of WAF, see Allow access from the back-to-origin CIDR blocks of WAF.

    Separate multiple back-to-origin CIDR blocks with spaces. Assume that the back-to-origin CIDR blocks of the proxy servers include 10.0.0.1, 10.0.0.2, and 10.0.0.3. Use the format similar to the following format:
    RemoteIPInternalProxy 10.0.0.1 10.0.0.2 10.0.0.3
  3. Add the following content to the conf/httpd.conf configuration file:
    Include conf/extra/httpd-remoteip.conf

    The preceding content inserts the httpd-remoteip.conf configuration file into conf/httpd.conf.

  4. Change the log format in the httpd.conf configuration file.
    LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%a %l %u %t \"%r\" %>s %b" common
  5. Restart Apache for the configurations to take effect.

Configure Apache servers in Linux

Perform the preceding steps to add the remoteip_module module (mod_remoteip.so) and configure the log format to retrieve the originating IP addresses of clients. The remoteip_module is a built-in module of Apache 2.4 and later versions.

If the version of Apache is earlier than 2.4, install the third-party module mod_rpaf to retrieve the originating IP addresses of clients.

  1. Install the mod_rpaf module.
    wget https://github.com/gnif/mod_rpaf/archive/v0.6.0.tar.gz
    tar zxvf mod_rpaf-0.6.tar.gz
    cd mod_rpaf-0.6
    /alidata/server/httpd/bin/apxs -i -c -n mod_rpaf-2.0.so mod_rpaf-2.0.c
  2. Append the following content to the /alidata/server/httpd/conf/httpd.conf configuration file of Apache:
    LoadModule rpaf_module modules/mod_rpaf-2.0.so
    RPAFenable On
    RPAFsethostname On
    RPAFproxy_ips <rpaf IP address>
    RPAFheader X-Forwarded-For

    <rpaf IP address> in the content is the IP address of the mod_rpaf module. You can query the specific IP addresses in the Apache log. Do not use the IP addresses of the proxy servers. In most cases, two IP addresses are included, as shown in the following example:

    LoadModule rpaf_module modules/mod_rpaf-2.0.so
    RPAFenable On
    RPAFsethostname On
    RPAFproxy_ips 10.XX.XX.65 10.XX.XX.131
    RPAFheader X-Forwarded-For
  3. Restart Apache for the configurations to take effect.
    /alidata/server/httpd/bin/apachectl restart

For more information about the Apache modules, see Apache help documentation.

Configure Tomcat servers

Tomcat servers use the X-Forwarded-For header to retrieve the originating IP addresses of clients.

  1. Open the tomcat/conf/server.xml configuration file.
  2. Modify the AccessLogValve logging feature based on the following content:
    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
    prefix="localhost_access_log." suffix=".txt"
    pattern="%{X-FORWARDED-FOR}i %l %u %t %r %s %b %D %q %{User-Agent}i %T" resolveHosts="false"/>

Configure Kubernetes containers

If your ECS instance is deployed on Kubernetes, Kubernetes records the originating IP addresses of clients in the X-Original-Forwarded-For field and the back-to-origin CIDR blocks of WAF in the X-Forwarded-For field. To obtain the originating IP addresses of clients, you must modify the container configuration file to enable an Ingress controller to add them to the X-Forwarded-For field.

You can modify the container configuration file by performing the following operations:

  1. Run the following command to modify the kube-system/nginx-configuration configuration file:
    kubectl -n kube-system edit cm nginx-configuration
  2. Add the following content to the configuration file:
    compute-full-forwarded-for: "true"
    forwarded-for-header: "X-Forwarded-For"
    use-forwarded-headers: "true"
  3. Save the configuration file.
    The configurations take effect immediately after you save the configuration file. Then, the Ingress controller adds the originating IP addresses of clients to the X-Forwarded-For field.
  4. Change the field that is used to obtain the originating IP addresses of clients to the X-Original-Forwarded-For field.