5

I have an App Engine application that runs REST web services. I want to extract the IP address from all requests that are handled by my web services.

From javax.servlet.http.HttpServletRequest I'm trying to extract the IP address by checking the "X-Real-IP" header; if it is empty or "unknown", I check the first IP in the list in the "X-Forwarded-For" header; if that is empty or "unknown", I get it from request.getRemoteAddr().

I thought I covered all the cases, but I'm still getting IP addresses like 10.x.x.x, or 127.0.0.1, or unknown.

I know that App Engine applications run behind load balancers and that instances are dynamic, and I'm certainly omitting a header in the request, because I can see the original IP address in the logs (from Google).

Edit: all the requests I'm working on are direct requests to the service (no queue or cron requests).

Any idea of the other headers to check?

Thanks.

Akli REGUIG

1 Answer

2

The answers to this question might help you. There are a lot of headers to check for:

```java
private static final String[] HEADERS_TO_TRY = {
    "X-Forwarded-For",
    "Proxy-Client-IP",
    "WL-Proxy-Client-IP",
    "HTTP_X_FORWARDED_FOR",
    "HTTP_X_FORWARDED",
    "HTTP_X_CLUSTER_CLIENT_IP",
    "HTTP_CLIENT_IP",
    "HTTP_FORWARDED_FOR",
    "HTTP_FORWARDED",
    "HTTP_VIA",
    "REMOTE_ADDR" };
```
Lukas
  • Thank you for answering. I will log all these headers with and without the `HTTP_` in production in the next app release and will check where the real client IP address is stored. In addition to the linked answer I may add to check `ipAddress.startsWith("192.") || ipAddress.startsWith("192")` to avoid local network IP addresses. I'm pretty sure that my mistake is that I'm checking `X-Real-IP` and `X-Real-IP` before `request.getRemoteAddr()`. I'll accept the answer if I find out it's linked to this. – Akli REGUIG May 26 '15 at 08:55
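
An added example, not part of the original question, answer or comment: any of these headers can be set by the client, so this sketch reads `X-Forwarded-For` from right to left, skips internal hops using `InetAddress` range checks rather than string prefixes, and returns the first public address, falling back to the socket address. The class and method names are hypothetical, and it assumes every proxy in front of the service has a private or loopback address.

```java
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.regex.Pattern;

public class ClientIpResolver {
    // Shape checks: only IP literals reach InetAddress.getByName, so a hostname
    // placed in a client-supplied header is never resolved through DNS.
    private static final String OCTET = "(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)";
    private static final Pattern IPV4 = Pattern.compile(OCTET + "(\\." + OCTET + "){3}");
    private static final Pattern IPV6 = Pattern.compile("[0-9a-fA-F:.]*:[0-9a-fA-F:.]*");

    static InetAddress parseLiteral(String s) {
        if (!IPV4.matcher(s).matches() && !IPV6.matcher(s).matches()) return null;
        try {
            return InetAddress.getByName(s);
        } catch (UnknownHostException e) {
            return null; // malformed IPv6 literal
        }
    }

    // Assumption: every proxy in front of the service has a private or loopback address.
    static boolean isInternal(InetAddress a) {
        boolean uniqueLocalV6 = a instanceof Inet6Address && (a.getAddress()[0] & 0xfe) == 0xfc;
        return a.isSiteLocalAddress() || a.isLoopbackAddress() || a.isLinkLocalAddress()
                || a.isAnyLocalAddress() || uniqueLocalV6;
    }

    // Walk X-Forwarded-For right to left: the rightmost entries were appended by our
    // own proxies, and everything left of the first public address is client-supplied.
    static String resolve(String xForwardedFor, String remoteAddr) {
        if (xForwardedFor == null) return remoteAddr;
        String[] hops = xForwardedFor.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            InetAddress addr = parseLiteral(hops[i].trim());
            if (addr == null) break; // "unknown" or junk: stop trusting the chain
            if (!isInternal(addr)) return addr.getHostAddress();
        }
        return remoteAddr;
    }

    public static void main(String[] args) {
        // Constructed samples using documentation address ranges, not captured traffic.
        String[][] samples = {
            {"203.0.113.7, 10.0.0.5", "127.0.0.1"},            // one internal proxy hop
            {"192.0.2.1, 198.51.100.9, 10.0.0.5", "10.0.0.5"}, // extra entry sent by the client
            {"unknown", "198.51.100.20"},                      // no usable entry
        };
        for (String[] s : samples) System.out.println(s[0] + " | " + s[1] + " => " + resolve(s[0], s[1]));
    }
}
```

In a servlet, the two arguments would come from `request.getHeader("X-Forwarded-For")` and `request.getRemoteAddr()`.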