Global Accelerator (GA) provides a client IP address preservation feature. After you enable this feature, you can view preserved client IP addresses on backend servers. This topic describes how to enable client IP address preservation in different scenarios and view preserved client IP addresses on backend servers.
Prerequisites
A listener is created for your Global Accelerator instance. For more information, see Add and manage intelligent routing listeners.
Background information
By default, after GA forwards a request to a backend server, the backend server can obtain only the IP address of the endpoint group to which the backend server belongs. The backend server cannot obtain the IP address of the client that sends the request. If you want the backend server to obtain the IP address of the client, you must enable client IP address preservation for the GA instance. Whether a GA instance supports client IP address preservation depends on the protocol that is used by the listener of the GA instance.
HTTP and HTTPS: support client IP address preservation. The IP address of a client is preserved in the
X-Forwarded-For
HTTP header. A backend server obtains the IP address of the client from theX-Forwarded-For
HTTP header.UDP: does not support client IP address preservation.
TCP: supports client IP address preservation. You may need to modify the configurations of backend servers based on the type of backend service so that the backend servers can obtain client IP addresses. The following table describes how to configure backend servers.
Backend service location
Backend service type
Client IP address preservation
Whether to modify the configurations of the backend servers
Description
Alibaba Cloud
Alibaba Cloud public IP address
Based on the associated instance:
Elastic Compute Service (ECS) instance in a VPC: supported
Network Load Balancer (NLB) instance: supported
Application Load Balancer (ALB) instance: not supported
Internal-facing Classic Load Balancer (CLB) instance: supported
Internet NAT gateway: supported
WarningIf the endpoint is an Alibaba Cloud public IP address, and the public IP address is disassociated from the original instance and associated with another instance, client IP address preservation may fail and traffic may be interrupted. To restore the client IP address preservation feature of the endpoint, you can delete and recreate the endpoint, or contact your account manager for assistance.
Associated with an ECS instance: not required
Associated with an NLB instance: required
Associated with an internal-facing CLB instance: not required
Associated with an Internet NAT gateway:
Existing NAT gateways created before October 2022: required
NAT gateways created after October 2022: not required
Required: After you enable client IP address preservation, GA uses Proxy Protocol to preserve client IP addresses. Therefore, the backend servers must support Proxy Protocol.
ImportantIf the backend servers do not support Proxy Protocol, the backend servers cannot parse the Proxy Protocol headers in the requests.
Not required: After you enable client IP address preservation, the backend servers can obtain client IP addresses. You do not need to modify the configurations of the backend servers.
ECS
Supported
The ECS instance must be deployed in a VPC, and a security group rule is set to allow all client IP addresses to access the ECS instance.
Not required
ENI
Supported
A security group rule is set to allow all client IP addresses to access the elastic network interface (ENI).
OSS
Not supported
vSwitch
Not supported by default
If you want to use this feature, contact your account manager.
CLB
Supported
A security group rule is set to allow all client IP addresses to access the CLB backend server.
In the following scenarios, the backend servers cannot obtain client IP addresses:
The backend servers of the CLB instance are ECS instances that are deployed in the classic network.
HTTP or HTTPS is used for the listeners of the CLB instance.
ALB
Not supported
NLB
Supported
Required
Third-party cloud
Custom IP address
Supported
Required
Custom domain name
Supported
Proxy Protocol is an Internet protocol that allows you to add a Proxy Protocol header to a TCP packet and include the client IP address in the request.
When Proxy Protocol is used, a backend server processes data only after the server receives a complete and valid Proxy Protocol header. Therefore, a listener cannot forward requests that contain the Proxy Protocol header and requests that do not contain the Proxy Protocol header to the same backend server port. If the first data packet that arrives at the backend server does not comply with the Proxy Protocol format, the backend server closes the connection to the client.
Enable client IP address preservation when an HTTP or HTTPS listener is used to distribute requests
By default, client IP address preservation is enabled for an HTTP or HTTPS listener. Backend servers can obtain client IP addresses from the X-Forwarded-For
HTTP header.
Enable client IP address preservation.
By default, client IP address preservation is enabled for HTTP and HTTPS listeners. GA preserves the IP address of a client in the
X-Forwarded-For
HTTP header before GA forwards the request to a backend server. After the backend server receives the request, you can obtain the client IP address from theX-Forwarded-For
HTTP header.Obtain the IP address of a client.
The following example shows the format of the
X-Forwarded-For
HTTP header. The first IP address is the IP address of a client.X-Forwarded-For: client IP address, IP address of Proxy Server 1, IP address of Proxy Server 2,...
Enable client IP address preservation when a TCP listener is used to distribute requests to backend servers on Alibaba Cloud
If your GA instance uses a TCP listener and the backend servers are deployed on Alibaba Cloud, you can enable client IP address preservation without making additional changes.
Enable client IP address preservation.
Log on to the GA console .
On the Instances page, find the GA instance that you want to manage and click Configure Listeners in the Actions column.
On the Listeners tab, find the listener that you want to modify and click Modify in the Actions column.
In the Configure Listener & Protocol step, click Next.
In the Configure Endpoint Group step, select Preserve from the Preserve Client IP drop-down list and click Next.
If backend services are deployed on Alibaba Cloud, Retrieve Client IP is set to Automatically Retrieve Client IP by default.
Automatically Retrieve Client IP: IPv4 clients access if backend services, we recommend that you select this option. In this mode, client IP addresses are automatically obtained. You do not need to configure backend services. If backend services are not deployed on Alibaba Cloud, you cannot select this option.
Proxy Protocol: If backend services are accessed by IPv6 clients, we recommend that you select this option. In this mode, the client IP addresses can be obtained only if the backend servers support Proxy Protocol.
For more information, see the "Background information" section of this topic.
In the Confirm step, confirm the configurations and click Submit.
Obtain the IP address of a client.
This example shows how to view a preserved client IP address on an ECS instance that runs Linux.
Log on to the ECS instance that runs Linux.
Run the following command to capture an HTTP request:
tcpdump tcp port [Listening port] -n -X -s 0
Check the client IP address in the captured request.
The result shows that the client IP address is preserved and can be viewed on the backend server.
If client IP address preservation is disabled, you can view only the IP address of the endpoint group to which the backend server belongs.
Enable client IP address preservation when a TCP listener is used to distribute requests to backend servers outside Alibaba Cloud
To enable client IP address preservation for a TCP listener that is associated with backend servers deployed outside Alibaba Cloud, make sure that the backend servers support Proxy Protocol. In this section, an NGINX server is used as an example to describe how to parse the Proxy Protocol header and obtain a client IP address.
Enable client IP address preservation.
Log on to the GA console .
On the Instances page, find the GA instance that you want to manage and click Configure Listeners in the Actions column.
On the Listeners tab, find the listener that you want to modify and click Modify in the Actions column.
In the Configure Listener & Protocol step, click Next.
In the Configure Endpoint Group step, select Preserve from the Preserve Client IP drop-down list, and then click Next.
If backend services are not deployed on Alibaba Cloud, Retrieve Client IP is set to Proxy Protocol by default.
Automatically Retrieve Client IP: IPv4 clients access if backend services, we recommend that you select this option. In this mode, client IP addresses are automatically obtained. You do not need to configure backend services. If backend services are not deployed on Alibaba Cloud, you cannot select this option.
Proxy Protocol: If backend services are accessed by IPv6 clients, we recommend that you select this option. In this mode, the client IP addresses can be obtained only if the backend servers support Proxy Protocol.
For more information, see the "Background information" section of this topic.
In the Confirm step, confirm the configurations and click Submit.
Configure the NGINX server to accept the Proxy Protocol header.
The
http{}
andstream{}
modules of NGINX can accept the Proxy Protocol header. You can specify a port to accept the Proxy Protocol header in thehttp{}
orstream{}
module.http { #... server { listen 8080 proxy_protocol; # Accept and parse the Proxy Protocol header on port 8080. #... } } stream { #... server { listen 1235 proxy_protocol; # Accept and parse the Proxy Protocol header on port 1235. #... } }
Obtain the IP address of a client.
After a request is received on the specified port, NGINX parses the Proxy Protocol header in the request and preserves the client IP address in the proxy_protocol_addr variable. Therefore, you can use one of the following methods to obtain the IP address of the client:
If an HTTP request is received, you can preserve the client IP address in the following HTTP request header:
http { proxy_set_header X-Real-IP $proxy_protocol_addr; proxy_set_header X-Forwarded-For $proxy_protocol_addr; }
The backend server can obtain the client IP address from the
X-Forwarded-For HTTP
header. The first IP address in the HTTP header is the IP address of the client.X-Forwarded-For: client IP address, IP address of Proxy Server 1, IP address of Proxy Server 2,...
If an HTTP request or a TCP request is received, you can preserve the client IP address in a flow log. The backend server can obtain the client IP address from the flow log.
Modify log_format in the
http{}
orstream{}
module to preserve the client IP address in a flow log.http { #... log_format combined '$proxy_protocol_addr - $remote_user [$time_local] ' ##Add the proxy_protocol_addr variable to log_format in the http{} module. The client IP address is preserved in the proxy in the proxy_protocol_addr variable. '"$request" $status $body_bytes_sent ' '"$http_referer" "$http_user_agent"'; } #... stream { #... log_format basic '$proxy_protocol_addr - [$time_local] ' ##Add the proxy_protocol_addr variable to log_format in the stream{} module. The client IP address is preserved in the proxy_protocol_addr variable. '$protocol $status $bytes_sent $bytes_received ' '$session_time'; }
Run the following command to query the flow log and obtain the client IP address:
The following code block is a complete example on how to use Proxy Protocol to preserve client IP addresses:
worker_processes 4; events { worker_connections 1024; } http { include mime.types; default_type application/octet-stream; log_format main '$proxy_protocol_addr $remote_addr - $remote_user [$time_local] "$request" '##Add the proxy_protocol_addr variable to log_format in the http{} module. The client IP address is preserved in the proxy_protocol_addr variable. '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; sendfile on; keepalive_timeout 65; upstream backend { server 192.XX.XX.36:8080; server 192.XX.XX.37:8080; keepalive 2000; } server { listen 80 proxy_protocol; ## Accept and parse the Proxy Protocol header on port 80. server_name example.com; proxy_set_header X-Real-IP $proxy_protocol_addr; ## Preserve the client IP address in the HTTP header field before the request is sent to a backend server. proxy_set_header X-Forwarded-For $proxy_protocol_addr; access_log /var/log/nginx/access.log main; location / { proxy_pass http://backend; proxy_http_version 1.1; proxy_set_header Connection ""; } } } stream { log_format tcp_basic '$proxy_protocol_addr - [$time_local] ' ##Add the proxy_protocol_addr variable to log_format in the stream{} module. The client IP address is preserved in the proxy_protocol_addr variable. '$protocol $status $bytes_sent $bytes_received ' '$session_time'; upstream stream_backend { server 192.XX.XX.36:2003; server 192.XX.XX.37:2003; } server { listen 1234 proxy_protocol; ## Accept and parse the Proxy Protocol header on port 1234. access_log /var/log/nginx/access_tcp.log tcp_basic; proxy_pass stream_backend; } }
Query the flow log. The first IP address in the flow log is the IP address of the client.