question: How to get the real Client IP in APISIX

[tzssangglass]

This feature relies on the Real IP module of Nginx, which is covered in the APISIX-OpenResty script.

There are 3 directives in the Real IP module

• set_real_ip_from
• real_ip_header
• real_ip_recursive

The following describes how to use these three directives in the specific scenario.

1. Client -> APISIX -> Upstream

When the Client connects directly to APISIX, no special configuration is needed, APISIX can automatically get the real Client IP.

2. Client -> Nginx -> APISIX -> Upstream

When using Nginx as a reverse proxy between APISIX and a Client, if you do not configure APISIX for Real IP, the Client IP that APISIX gets is the IP of Nginx, not the real Client IP.

To fix this problem, Nginx needs to pass the Client IP, for example:

location / {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_pass   http://$APISIX_IP:port;
}

The proxy_set_header directive sets the $remote_addr variable in the X-Real-IP header of the current request (the $remote_addr variable gets the real Client IP) and passes it to APISIX. The $APISIX_IP means the APISIX IP in real environment.

Configure in config.yaml of APISIX, for example:

nginx_config:
  http:
    real_ip_from:
      - $Nginx_IP

$Nginx_IP is the IP of Nginx in the real environment. This configuration transformed by APISIX to nginx.conf as

location /get {
    real_ip_header X-Real-IP;
    real_ip_recursive off;
    set_real_ip_from $Nginx_IP;
}

real_ip_from corresponds to set_real_ip_from in the Real IP module, real_ip_recursive and real_ip_header directives have default values in config-default.yaml.

real_ip_header X-Real-IP; means that the Client IP is in the X-Real-IP header, which matches the proxy_set_header X-Real-IP $remote_addr; in the Nginx configuration.

set_real_ip_from means that $Nginx_IP is the IP of the trusted server. APISIX excludes $Nginx_IP from the search for the real Client IP. Because for APISIX, this IP is a known trusted server IP and cannot be a Client IP. set_real_ip_from` can be configured in CIDR format, such as 0.0.0.0/24.

3. Client -> Nginx1 -> Nginx2 -> APISIX -> Upstream

When using multiple Nginx as a reverse proxy between APISIX and Client, configuration of Nginx1, for example:

location /get {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass   http://$Nginx2_IP:port;
}

configuration of Nginx2, for example:

location /get {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass   http://$APISIX_IP:port;
}

The configuration uses X-Forwarded-For, which is used to get the real proxy path. When X-Forwarded-For is enabled for a proxy service, the IP of the current proxy service will be appended to the end of the X-Forwarded-For of each request. The format is client, proxy1, proxy2, separated by commas.

So after the Nginx1 and Nginx2 proxies, APISIX gets "X-Forwarded-For" as a proxy path like "Client IP, $Nginx1_IP, $Nginx2_IP".

Configure in config.yaml of APISIX, for example:

nginx_config:
  http:
    real_ip_from:
      - $Nginx1_IP
      - $Nginx2_IP
    real_ip_header: "X-Forwarded-For"
    real_ip_recursive: "on"

The configuration of real_ip_from means that both $Nginx1_IP and $Nginx2_IP are IPs of trusted servers. How many proxy services there are between Client and APISIX, and the IPs of these proxy services need to be set in real_ip_from. This ensures that APISIX does not mistake IPs that appear in the search scope for Client IPs.

real_ip_header uses X-Forwarded-For and does not use the default value of config-default.yaml.

When real_ip_recursive is on, APISIX will search the value of X-Forwarded-For from right to left, exclude the IPs of the trusted servers, and use the first searched IP as the real Client IP.

When the request arrives at APISIX, the value of X-Forwarded-For is Client IP, $Nginx1_IP, $Nginx2_IP. Since both $Nginx1_IP and $Nginx2_IP are IPs of trusted servers, APISIX will continue to look to the left and find that Client IP is not the IP of any trusted servers, and determine that it is the real Client IP.

Finally, in other more complex scenarios, such as having a CDN, LB, etc. between APISIX and Client, it is necessary to understand how the Real IP module works and configure it accordingly in APISIX.

[moonming]

why we create issues like this?

[riskgod]

I met this problem too.

[riskgod]

why we create issues like this?

Please reopen this, because, in my case, We need to use ip-restriction, but the client IP is nginx IP but the real client IP.

[tzssangglass]

but the client IP is nginx IP but the real client IP.

I have tried several of these scenarios and they all work fine. If they are not correct, feel free to open a new issue with reproducible use cases.

[zuiyangqingzhou]

After I do the following configuration

nginx_config:
  http:
    real_ip_from:
      - $Nginx1_IP
      - $Nginx2_IP
    real_ip_header: "X-Forwarded-For"
    real_ip_recursive: "on"

Nginx variable $http_x_forwarded_for: 84.1.189.203, 23.44.5.76, $remote_addr: 23.44.5.76，However, 23.44.5.76 is the IP of Akamai manufacturer.

How can I get this IP 84.1.189.203? It is impossible for me to add all the Akamai manufacturer' IP addresses to the real_ip_from module

@tzssangglass @spacewander

[tzssangglass]

It is impossible for me to add all the Akamai manufacturer' IP addresses to the real_ip_from module

1. Cover all Akamai manufacturer' IPs in real_ip_from by using CIDR, see http://nginx.org/en/docs/http/ngx_http_realip_module.html

2. See if the Akamai manufacturer supports providing the original visitor IP in a special header, Just like CloudFlare provides CF-Connecting-IP header, see https://support.cloudflare.com/hc/en-us/articles/200170986

[zuiyangqingzhou]

Thank you very much @tzssangglass I found that Akamai has similar support through the True-Client-IP header

https://www.citrix.com/content/dam/citrix/en_us/citrix-developer/documents/Netscaler/irules/akamai-true-client-ip-header-persistence.pdf

[aikin-vip]

I use aliyun clb and config it by aliyun help link: https://www.alibabacloud.com/help/zh/doc-detail/54007.htm

but i cant't get client ip

this is one of k8s node ip ! Is there anything I missed?

[aikin-vip]

i have tried, but still did't work .
i find a way to change apisix-gatway service externalTrafficPolicy: cluster to local. it works.
I wonder if this is the only way？Is there any way not to change the externalTrafficPolicy to get real ip？

thanks

[tzssangglass]

I'm not sure about this, it's the k8s network. @tokers what do you think?

[tokers]

Basically, Kubernetes executes the SNAT1 between the packets are routed from a worker node to another. In such a case, proper setting of HTTP Header to pass the real client IP is essential.

[aikin-vip]

@tzssangglass @tokers
The reason why I don't want to change the cluster is that there are some load balancing problems in the local area. However, I saw in the Alibaba cloud ack document that this problem does not seem to exist.
https://help.aliyun.com/document_detail/203174.htm?spm=a2c4g.11186623.0.0.78219002THZyri#title-s0d-4ve-s83
We used Alibaba cloud ACK, so the problem should be solved. Thank you for your help

[tokers]

You're welcome. I think this problem is generic and it's worth recording it into FAQ.

[hueifeng]

Apache / Apisix: 2.10.0-alpine, Tencent Cloud CLB, I want to get Real IP, but it is Local IP.

[tzssangglass]

see: https://intl.cloud.tencent.com/zh/document/product/214/3728#nginx-.E9.85.8D.E7.BD.AE.E6.96.B9.E6.A1.88

set_real_ip_from IP地址;（这个IP地址首先不是负载均衡提供的公网IP，具体IP多少可以查看之前nginx日志，如果有多个都要写上。）
real_ip_header X-Forwarded-For;

If you understand the case above, you should know what to do.

[hueifeng]

@tzssangglass After modification, it now looks correct, but I still can't get the real IP.

PS: obtain the IP address in the nginx log

172.21.16.5 - - [17/Nov/2021:04:58:40 +0000] xxx.xxx.xxx.xxx "GET /apitest/api/getip HTTP/1.1" 200 103 0.002 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36" 192.168.6.251:80 200 0.001 "http://xxx.xxx.xxx.xxx/api/getip"

192.168.0.1 - - [17/Nov/2021:04:58:41 +0000] xxx.xxx.xxx.xxx "GET /apitest/api/getip HTTP/1.1" 200 103 0.001 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36" 192.168.6.251:80 200 0.001 "http://xxx.xxx.xxx.xxx/api/getip"

192.168.0.1 - - [17/Nov/2021:04:58:41 +0000] xxx.xxx.xxx.xxx "GET /apitest/api/getip HTTP/1.1" 200 103 0.001 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36" 192.168.6.251:80 200 0.001 "http://xxx.xxx.xxx.xxx/api/getip"

172.21.16.5 - - [17/Nov/2021:04:58:42 +0000] xxx.xxx.xxx.xxx "GET /apitest/api/getip HTTP/1.1" 200 103 0.001 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36" 192.168.6.251:80 200 0.000 "http://xxx.xxx.xxx.xxx/api/getip"

172.21.16.5 - - [17/Nov/2021:04:58:43 +0000] xxx.xxx.xxx.xxx "GET /apitest/api/getip HTTP/1.1" 200 103 0.001 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36" 192.168.6.251:80 200 0.001 "http://xxx.xxx.xxx.xxx/api/getip"

172.21.16.5 - - [17/Nov/2021:04:58:54 +0000] xxx.xxx.xxx.xxx "GET /apitest/api/getip HTTP/1.1" 200 103 0.001 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36" 192.168.6.251:80 200 0.001 "http://xxx.xxx.xxx.xxx/api/getip"

192.168.0.1 - - [17/Nov/2021:04:58:55 +0000] xxx.xxx.xxx.xxx "GET /apitest/api/getip HTTP/1.1" 200 103 0.002 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36" 192.168.6.251:80 200 0.001 "http://xxx.xxx.xxx.xxx/api/getip"

192.168.0.1 - - [17/Nov/2021:04:58:57 +0000] xxx.xxx.xxx.xxx "GET /apitest/api/getip HTTP/1.1" 200 103 0.002 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36" 192.168.6.251:80 200 0.000 "http://xxx.xxx.xxx.xxx/api/getip"

172.21.16.5 - - [17/Nov/2021:04:58:58 +0000] xxx.xxx.xxx.xxx "GET /api/v1/notification/mine?pageSize=3&pageIndex=0&readed=1 HTTP/1.1" 401 0 0.003 "http://xxx.xxx.xxx.xxx/project/projectlist" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36" 192.168.4.43:80 401 0.002 "http://xxx.xxx.xxx.xxx"

172.21.16.5 - - [17/Nov/2021:04:59:02 +0000] xxx.xxx.xxx.xxx "GET /apitest/api/getip HTTP/1.1" 200 103 0.001 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36" 192.168.6.251:80 200 0.000 "http://xxx.xxx.xxx.xxx/api/getip"

192.168.0.1 - - [17/Nov/2021:04:59:06 +0000] xxx.xxx.xxx.xxx "GET /apitest/api/getip HTTP/1.1" 200 103 0.002 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36" 192.168.6.251:80 200 0.001 "http://xxx.xxx.xxx.xxx/api/getip"

172.21.16.5 - - [17/Nov/2021:04:59:09 +0000] xxx.xxx.xxx.xxx "GET /apitest/api/getip HTTP/1.1" 200 103 0.001 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36" 192.168.6.251:80 200 0.001 "http://xxx.xxx.xxx.xxx/api/getip"

172.21.16.5 - - [17/Nov/2021:04:59:43 +0000] xxx.xxx.xxx.xxx "GET /apitest/api/getip HTTP/1.1" 200 103 0.002 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36" 192.168.6.251:80 200 0.001 "http://xxx.xxx.xxx.xxx/api/getip"

172.21.16.5 - - [17/Nov/2021:05:01:53 +0000] xxx.xxx.xxx.xxx "GET /apitest/api/getip HTTP/1.1" 200 103 0.002 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36" 192.168.6.251:80 200 0.001 "http://xxx.xxx.xxx.xxx/api/getip"

192.168.0.1 - - [17/Nov/2021:05:02:27 +0000] xxx.xxx.xxx.xxx "GET /apitest/api/getip HTTP/1.1" 200 103 0.002 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36" 192.168.6.251:80 200 0.001 "http://xxx.xxx.xxx.xxx/api/getip"

[hueifeng]

externalTrafficPolicy: Cluster Changed to：externalTrafficPolicy: Local

[ccbutcc]

My access process is like this Client -> Nginx -> APISIX -> Upstream
How to configure Nginx as a layer 4 proxy and pass the client IP to Apisix? The nginx written here is all used as a layer 7 proxy for http, but there is no case where nginx is used as a tcp proxy.

[jialechan]

kind: Service
...
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-id: "your-nlb-id"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port: "tcpssl:444"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cert-id: "your-cert-id"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-proxy-protocol: "on"
spec:
  ports:
    - name: apisix-gateway
      protocol: TCP
      port: 443
      targetPort: 9181
...
  loadBalancerClass: "alibabacloud.com/nlb"
  type: LoadBalancer
  externalTrafficPolicy: Local

kind: ConfigMap
...
data:
  config.yaml: >-
    apisix:
      proxy_protocol:                 
        listen_http_port: 9181
    nginx_config:
      http:
        real_ip_header: proxy_protocol
        real_ip_from:
          - 127.0.0.1
          - "unix:"
          - 172.20.0.0/16 # your private subnet CIDR            

nlb(TCPSSL) + apisix + upstream,

[flylan]

As far as I know, your current architecture is a multi-layer gateway proxy, which is also a method adopted by many companies. You need to place the user's IP on the outermost gateway proxy and pass it on to each gateway with an independent name, such as X-Real-IP?