
Global Accelerator: Preserve client IP addresses

Last Updated: Dec 16, 2024

Global Accelerator (GA) provides a client IP address preservation feature. After you enable this feature, you can view preserved client IP addresses on backend servers. This topic describes how to enable client IP address preservation in different scenarios and view preserved client IP addresses on backend servers.

Prerequisites

A listener is created for your Global Accelerator instance. For more information, see Add and manage intelligent routing listeners.

Background information

By default, after GA forwards a request to a backend server, the backend server can obtain only the IP address of the endpoint group to which the backend server belongs. The backend server cannot obtain the IP address of the client that sends the request. If you want the backend server to obtain the IP address of the client, you must enable client IP address preservation for the GA instance. Whether a GA instance supports client IP address preservation depends on the protocol that is used by the listener of the GA instance.

  • HTTP and HTTPS: support client IP address preservation. The IP address of a client is preserved in the X-Forwarded-For HTTP header. A backend server obtains the IP address of the client from the X-Forwarded-For HTTP header.

  • UDP: does not support client IP address preservation.

  • TCP: supports client IP address preservation. You may need to modify the configurations of backend servers based on the type of backend service so that the backend servers can obtain client IP addresses. The following list describes, per backend service type, whether client IP address preservation is supported and whether the backend servers must be reconfigured.

    Backend services on Alibaba Cloud

    • Alibaba Cloud public IP address
      • Client IP address preservation: depends on the instance that the public IP address is associated with:
        • Elastic Compute Service (ECS) instance in a VPC: supported
        • Network Load Balancer (NLB) instance: supported
        • Application Load Balancer (ALB) instance: not supported
        • Internal-facing Classic Load Balancer (CLB) instance: supported
        • Internet NAT gateway: supported

        Warning

        If the endpoint is an Alibaba Cloud public IP address, and the public IP address is disassociated from the original instance and associated with another instance, client IP address preservation may fail and traffic may be interrupted. To restore the client IP address preservation feature of the endpoint, you can delete and recreate the endpoint, or contact your account manager for assistance.

      • Whether to modify the configurations of the backend servers:
        • Associated with an ECS instance: not required
        • Associated with an NLB instance: required
        • Associated with an internal-facing CLB instance: not required
        • Associated with an Internet NAT gateway:
          • Existing NAT gateways created before October 2022: required
          • NAT gateways created after October 2022: not required

    • ECS
      • Client IP address preservation: supported. The ECS instance must be deployed in a VPC, and a security group rule must allow all client IP addresses to access the ECS instance.
      • Whether to modify the configurations of the backend servers: not required

    • ENI
      • Client IP address preservation: supported. A security group rule must allow all client IP addresses to access the elastic network interface (ENI).

    • OSS
      • Client IP address preservation: not supported

    • vSwitch
      • Client IP address preservation: not supported by default. If you want to use this feature, contact your account manager.

    • CLB
      • Client IP address preservation: supported. A security group rule must allow all client IP addresses to access the CLB backend server. In the following scenarios, the backend servers cannot obtain client IP addresses:
        • The backend servers of the CLB instance are ECS instances that are deployed in the classic network.
        • HTTP or HTTPS is used for the listeners of the CLB instance.

    • ALB
      • Client IP address preservation: not supported

    • NLB
      • Client IP address preservation: supported
      • Whether to modify the configurations of the backend servers: required

    Backend services on a third-party cloud

    • Custom IP address
      • Client IP address preservation: supported
      • Whether to modify the configurations of the backend servers: required

    • Custom domain name
      • Client IP address preservation: supported

    Meaning of the "Whether to modify the configurations of the backend servers" values:

    • Required: After you enable client IP address preservation, GA uses Proxy Protocol to preserve client IP addresses. Therefore, the backend servers must support Proxy Protocol.

      Important

      If the backend servers do not support Proxy Protocol, the backend servers cannot parse the Proxy Protocol headers in the requests.

    • Not required: After you enable client IP address preservation, the backend servers can obtain client IP addresses. You do not need to modify the configurations of the backend servers.

Note

Proxy Protocol is a protocol that lets a proxy prepend a Proxy Protocol header to the data it relays over a TCP connection; the header carries the IP address of the client that sent the request.

When Proxy Protocol is used, a backend server processes data only after the server receives a complete and valid Proxy Protocol header. Therefore, a listener cannot forward requests that contain the Proxy Protocol header and requests that do not contain the Proxy Protocol header to the same backend server port. If the first data packet that arrives at the backend server does not comply with the Proxy Protocol format, the backend server closes the connection to the client.
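The header rule stated in the note above, as an added example that is not code from the Alibaba Cloud documentation or from GA itself: a Python parser for the text form (version 1) of the Proxy Protocol header that distinguishes "incomplete, wait for more bytes" from "invalid, close the connection", which is what a backend marked as Required in the list above has to do. The sample header and the addresses in it are constructed for the example.

```python
import ipaddress
from typing import NamedTuple, Optional

MAX_V1_HEADER = 107   # longest legal Proxy Protocol v1 line, CRLF included

class ProxyProtocolError(ValueError):
    """Leading bytes are not a valid v1 header; the backend should close the connection."""

class ProxyInfo(NamedTuple):
    family: str       # "TCP4", "TCP6" or "UNKNOWN"
    src: str          # the client IP address that the proxy (GA) preserved in the header
    dst: str
    src_port: int
    dst_port: int
    header_len: int   # bytes consumed; application data starts at this offset

def parse_proxy_v1(buf: bytes) -> Optional[ProxyInfo]:
    """Return ProxyInfo for a complete valid header, None if more bytes are needed."""
    head = buf[:MAX_V1_HEADER]
    end = head.find(b"\r\n")
    if end == -1:  # no CRLF yet: incomplete only if it can still become "PROXY ..." in 107 bytes
        if len(buf) >= MAX_V1_HEADER or not b"PROXY ".startswith(head[:6]):
            raise ProxyProtocolError("first bytes are not a Proxy Protocol v1 header")
        return None
    try:
        fields = head[:end].decode("ascii").split(" ")
    except UnicodeDecodeError:
        raise ProxyProtocolError("non-ASCII bytes in header") from None
    if len(fields) < 2 or fields[0] != "PROXY":
        raise ProxyProtocolError("missing PROXY keyword (binary v2 headers are rejected here too)")
    if fields[1] == "UNKNOWN":  # permitted by the spec when the proxy has no address to report
        return ProxyInfo("UNKNOWN", "", "", 0, 0, end + 2)
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyProtocolError("malformed v1 header: %r" % fields)
    family, src, dst, sport, dport = fields[1:]
    try:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        src_port, dst_port = int(sport), int(dport)
    except ValueError:
        raise ProxyProtocolError("bad address or port in header") from None
    want = 4 if family == "TCP4" else 6
    if src_ip.version != want or dst_ip.version != want:
        raise ProxyProtocolError("address family does not match %s" % family)
    if not (0 <= src_port <= 65535 and 0 <= dst_port <= 65535):
        raise ProxyProtocolError("port out of range")
    return ProxyInfo(family, str(src_ip), str(dst_ip), src_port, dst_port, end + 2)

# Constructed sample (not a real capture): what a GA TCP listener prepends for a client at
# 203.0.113.7 (RFC 5737 documentation range) ahead of the client's own HTTP request bytes.
SAMPLE = b"PROXY TCP4 203.0.113.7 10.0.0.5 51234 8080\r\nGET / HTTP/1.1\r\n"
```

A server would call parse_proxy_v1 on the first bytes read from the socket, keep reading while it returns None, and hand buf[info.header_len:] to the application once it returns.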

Enable client IP address preservation when an HTTP or HTTPS listener is used to distribute requests

By default, client IP address preservation is enabled for an HTTP or HTTPS listener. Backend servers can obtain client IP addresses from the X-Forwarded-For HTTP header.

  1. Enable client IP address preservation.

    By default, client IP address preservation is enabled for HTTP and HTTPS listeners. GA preserves the IP address of a client in the X-Forwarded-For HTTP header before GA forwards the request to a backend server. After the backend server receives the request, you can obtain the client IP address from the X-Forwarded-For HTTP header.

  2. Obtain the IP address of a client.

    The following example shows the format of the X-Forwarded-For HTTP header. The first IP address is the IP address of a client.

    X-Forwarded-For: client IP address, IP address of Proxy Server 1, IP address of Proxy Server 2,...
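Reading the client address out of a header in the format shown above, as an added example (not code from the GA documentation); the same rule applies to the X-Forwarded-For value that NGINX builds from $proxy_protocol_addr later in this topic. The trusted-proxy ranges and the sample header are assumptions constructed for the example, since the page does not list the source addresses that GA connects from; the header is only honoured when the TCP peer is one of those trusted ranges, because a client that reaches the server directly can set X-Forwarded-For to anything.

```python
import ipaddress
from typing import Iterable, Optional

def client_ip_from_xff(xff: Optional[str], peer_ip: str,
                       trusted_proxies: Iterable[str]) -> Optional[str]:
    """Return the client IP address from an X-Forwarded-For header.

    The first entry is the client; the entries after it are the proxies the request
    passed through. The header is trusted only when the TCP peer that delivered the
    request lies in one of the trusted proxy networks (an assumed list for this example).
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(n) for n in trusted_proxies):
        return str(peer)          # direct connection: the peer itself is the client
    if not xff:
        return None               # trusted proxy sent no header: client unknown
    first = xff.split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(first))   # accepts IPv4 and IPv6 forms only
    except ValueError:
        return None               # malformed first entry: do not use it, log it instead

# Constructed sample header in the documented format (not captured traffic)
SAMPLE_XFF = "203.0.113.7, 198.51.100.10, 192.0.2.20"
```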

Enable client IP address preservation when a TCP listener is used to distribute requests to backend servers on Alibaba Cloud

If your GA instance uses a TCP listener and the backend servers are deployed on Alibaba Cloud, you can enable client IP address preservation without making additional changes.

  1. Enable client IP address preservation.

    1. Log on to the GA console.

    2. On the Instances page, find the GA instance that you want to manage and click Configure Listeners in the Actions column.

    3. On the Listeners tab, find the listener that you want to modify and click Modify in the Actions column.

    4. In the Configure Listener & Protocol step, click Next.

    5. In the Configure Endpoint Group step, select Preserve from the Preserve Client IP drop-down list and click Next.

      If backend services are deployed on Alibaba Cloud, Retrieve Client IP is set to Automatically Retrieve Client IP by default.


      • Automatically Retrieve Client IP: If backend services are accessed by IPv4 clients, we recommend that you select this option. In this mode, client IP addresses are obtained automatically and you do not need to configure the backend services. If backend services are not deployed on Alibaba Cloud, you cannot select this option.

      • Proxy Protocol: If backend services are accessed by IPv6 clients, we recommend that you select this option. In this mode, the client IP addresses can be obtained only if the backend servers support Proxy Protocol.

      For more information, see the "Background information" section of this topic.

    6. In the Confirm step, confirm the configurations and click Submit.

  2. Obtain the IP address of a client.

    This example shows how to view a preserved client IP address on an ECS instance that runs Linux.

    1. Log on to the ECS instance that runs Linux.

    2. Run the following command to capture an HTTP request:

      tcpdump tcp port [Listening port] -n -X -s 0

    3. Check the client IP address in the captured request.

      The result shows that the client IP address is preserved and can be viewed on the backend server.

      If client IP address preservation is disabled, you can view only the IP address of the endpoint group to which the backend server belongs.

Enable client IP address preservation when a TCP listener is used to distribute requests to backend servers outside Alibaba Cloud

To enable client IP address preservation for a TCP listener that is associated with backend servers deployed outside Alibaba Cloud, make sure that the backend servers support Proxy Protocol. In this section, an NGINX server is used as an example to describe how to parse the Proxy Protocol header and obtain a client IP address.

  1. Enable client IP address preservation.

    1. Log on to the GA console.

    2. On the Instances page, find the GA instance that you want to manage and click Configure Listeners in the Actions column.

    3. On the Listeners tab, find the listener that you want to modify and click Modify in the Actions column.

    4. In the Configure Listener & Protocol step, click Next.

    5. In the Configure Endpoint Group step, select Preserve from the Preserve Client IP drop-down list, and then click Next.

      If backend services are not deployed on Alibaba Cloud, Retrieve Client IP is set to Proxy Protocol by default.


      • Automatically Retrieve Client IP: If backend services are accessed by IPv4 clients, we recommend that you select this option. In this mode, client IP addresses are obtained automatically and you do not need to configure the backend services. If backend services are not deployed on Alibaba Cloud, you cannot select this option.

      • Proxy Protocol: If backend services are accessed by IPv6 clients, we recommend that you select this option. In this mode, the client IP addresses can be obtained only if the backend servers support Proxy Protocol.

      For more information, see the "Background information" section of this topic.

    6. In the Confirm step, confirm the configurations and click Submit.

  2. Configure the NGINX server to accept the Proxy Protocol header.

    The http{} and stream{} modules of NGINX can accept the Proxy Protocol header. You can specify a port to accept the Proxy Protocol header in the http{} or stream{} module.

    http {
        #...
        server {
            listen 8080 proxy_protocol;    # Accept and parse the Proxy Protocol header on port 8080. 
            #...
        }
    }
       
    stream {
        #...
        server {
            listen 1235 proxy_protocol;    # Accept and parse the Proxy Protocol header on port 1235. 
            #...
        }
    }

  3. Obtain the IP address of a client.

    After a request is received on the specified port, NGINX parses the Proxy Protocol header in the request and preserves the client IP address in the proxy_protocol_addr variable. Therefore, you can use one of the following methods to obtain the IP address of the client:

    • If an HTTP request is received, you can preserve the client IP address in the following HTTP request header:

      http {
          proxy_set_header X-Real-IP       $proxy_protocol_addr;
          proxy_set_header X-Forwarded-For $proxy_protocol_addr;
      }

      The backend server can obtain the client IP address from the X-Forwarded-For HTTP header. The first IP address in the HTTP header is the IP address of the client.

      X-Forwarded-For: client IP address, IP address of Proxy Server 1, IP address of Proxy Server 2,...
    • If an HTTP request or a TCP request is received, you can preserve the client IP address in a flow log. The backend server can obtain the client IP address from the flow log.

      1. Modify log_format in the http{} or stream{} module to preserve the client IP address in a flow log.

        
        http {
            #...
            log_format combined '$proxy_protocol_addr - $remote_user [$time_local] ' ##Add the proxy_protocol_addr variable to log_format in the http{} module. The client IP address is preserved in the proxy_protocol_addr variable. 
                                '"$request" $status $body_bytes_sent '
                                '"$http_referer" "$http_user_agent"';
        }
        #...
        stream {
            #...
            log_format basic '$proxy_protocol_addr - [$time_local] '                 ##Add the proxy_protocol_addr variable to log_format in the stream{} module. The client IP address is preserved in the proxy_protocol_addr variable. 
                              '$protocol $status $bytes_sent $bytes_received '
                              '$session_time';
        }
                        
      2. Run the following command to query the flow log and obtain the client IP address:

    The following code block is a complete example on how to use Proxy Protocol to preserve client IP addresses:

    worker_processes  4;
    events {
        worker_connections  1024;
    }
    
    http {
        include       mime.types;
        default_type  application/octet-stream;
        log_format  main  '$proxy_protocol_addr $remote_addr - $remote_user [$time_local] "$request" '##Add the proxy_protocol_addr variable to log_format in the http{} module. The client IP address is preserved in the proxy_protocol_addr variable. 
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';
    
        sendfile        on;
        keepalive_timeout  65;
    
        upstream backend {
            server 192.XX.XX.36:8080;
            server 192.XX.XX.37:8080;
            keepalive 2000;
        }
    
        server {
            listen       80 proxy_protocol;                          ## Accept and parse the Proxy Protocol header on port 80. 
            server_name  example.com;
    
            proxy_set_header X-Real-IP       $proxy_protocol_addr;   ## Preserve the client IP address in the HTTP header field before the request is sent to a backend server. 
            proxy_set_header X-Forwarded-For $proxy_protocol_addr;   
    
            access_log  /var/log/nginx/access.log  main;
    
            location / {
                proxy_pass http://backend;
                proxy_http_version 1.1;
                proxy_set_header Connection "";
            }
        }
    }
    
    stream {
        log_format tcp_basic '$proxy_protocol_addr - [$time_local] '  ##Add the proxy_protocol_addr variable to log_format in the stream{} module. The client IP address is preserved in the proxy_protocol_addr variable. 
                          '$protocol $status $bytes_sent $bytes_received '
                          '$session_time';
        upstream stream_backend {
            server 192.XX.XX.36:2003;
            server 192.XX.XX.37:2003;
        }
    
        server {
            listen 1234 proxy_protocol;                               ## Accept and parse the Proxy Protocol header on port 1234. 
            access_log  /var/log/nginx/access_tcp.log  tcp_basic;   
            proxy_pass stream_backend;
        }
    }

    Query the flow log. The first IP address in the flow log is the IP address of the client.
