1

I Am trying to get the real IP of the client. since we are having multiple load balancing sever i count get the real IP address. in .net core 2.2 c#?

This is my application flow

Client => Load balancing server => API server => some Internal API server (IP needed here).

I want to get the IP address which is passed by client. Is it possible to get my client IP address even if I have multiple API server call? or if I got all server IP address, then I can get my client IP address by top 1'st record.

Note: The duplicated answers didn't help me.

Ramesh Rajendran
  • 37,412
  • 45
  • 153
  • 234
susee selvam
  • 11
  • 1
  • Yes, this is indeed a problem; you're going to have to hope that the load balancing server can set a header about the IP it's seeing (X-Forwarded-For for example) and that it will be truthful about it/is resistant to the end user manipulating it. – Caius Jard Aug 29 '19 at 11:24
  • How to get the IP and how to restrict the end user manipulation – susee selvam Sep 01 '19 at 17:04
  • Tha t all massively depends on the capabilities and configuration of the load balancing server or whatever else is proxying the request to you – Caius Jard Sep 01 '19 at 17:28
  • Yes. my request has been peroxided. – susee selvam Sep 02 '19 at 02:44
  • Then it's down to what IP the proxy saw and whether it set a header telling you what it saw, so you can read it – Caius Jard Sep 02 '19 at 07:36
  • The problem you get with x-forwarded-for is that proxies typically only add to it and thy don't check on the existing contents so you can actually find the client lied about it and all your proxy did was add to the lie. If you pick the wrong IP address out of it, you end up believing a lie. In my last place of work we used cloudflare ddos protection and it was a proxy that set the x-forwarded-for header on the request we saw, and also another header (I forget the name) with the same info. The problem we had was one of our developers wrote code based on x-forwarded-for which contained bad.. – Caius Jard Sep 02 '19 at 07:38
  • ..data from the client, when we should have used cloudflare's own header. It turned out possible to script injection attack our login emails because we just literally put the contents of the x-forwarded-for header into the "you last logged in from X" email, tut tut! – Caius Jard Sep 02 '19 at 07:41
  • @CaiusJard I have one doubt regarding this. Is it fine to pass IP address from client via model with encryption? – Ramesh Rajendran Sep 05 '19 at 12:40
  • I didn't really understand the question; are you asking if the client browser should tell the server what its own IP address is? It's possible to manipulate it, if so.. So don't make any decisions based on it – Caius Jard Sep 05 '19 at 13:34

0 Answers0