
How do I get the real ip? #599

Closed
thelinuxlich opened this issue Nov 19, 2015 · 16 comments

Comments

@thelinuxlich

I set app.proxy = true but sometimes I still get someone with ctx.ip = "127.0.0.x"

@alsotang
Contributor

sometimes or always?


@thelinuxlich
Author

always when someone is behind a NAT

@jonathanong
Member

this is what https://github.com/jshttp/proxy-addr is for, which I haven't had to implement. A PR would be welcomed. #281

@thelinuxlich
Author

So getting the last ip of ctx.ips is not enough?

@thelinuxlich
Author

This seems to be working for returning the real ip:

const current_ip = ctx.ips.length > 0 ? ctx.ips[ctx.ips.length - 1] : ctx.ip;

@tj
Member

tj commented Nov 19, 2015

the client's IP should be first; check out https://en.wikipedia.org/wiki/X-Forwarded-For

@thelinuxlich
Author

I know, I want the last IP because it is returning LAN IPs

@jgdev

jgdev commented Feb 27, 2016

There's a problem using koa behind an nginx server, when I force X-Forwarded-For in the request.

An X-Forwarded-For header sent by the client overwrites this.request.ip. This is a critical security issue.

Found the problem in line 381 of koa/lib/request.js
https://github.com/koajs/koa/blob/master/lib/request.js#L381

It's better to use X-Real-IP over X-Forwarded-For.

@tj
Member

tj commented Feb 27, 2016

real_ip_header X-Forwarded-For? Supporting two sounds wonky to me; why not use the more common one? As far as security goes, that's what app.proxy = true is for; if you don't trust the fields then app.proxy = false

@jgdev

jgdev commented Feb 27, 2016

That's because NginX appends the external request's X-Forwarded-For value to the final header, but clears the external X-Real-IP header and gets it right with the far end's value.

@tj
Member

tj commented Feb 27, 2016

hmm yeah, I suppose it depends how nginx is configured, though if you have X-Real-IP you might as well just clobber X-Forwarded-For to ensure it's correct and not spoofed

@fengmk2
Member

fengmk2 commented Feb 28, 2016

If your koa app is behind nginx, you must add 'proxy_set_header X-Forwarded-For $remote_addr' to the nginx proxy conf.

@pepkin88

I just found that you can spoof an IP address on the standard configuration of nginx. And I happen to whitelist payment servers on my webhook by IP address.
I agree with @jgdev, this is a critical security issue and should be fixed.

@runhwguo

runhwguo commented Sep 2, 2017

in nginx:
location / {
    proxy_pass http://test;
    proxy_set_header Host $host:$server_port;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Real-PORT $remote_port;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

in node koa:
app.proxy = true;
ip = ctx.ip;

@ProMasoud

in nginx:
location / {
    proxy_pass http://test;
    proxy_set_header Host $host:$server_port;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Real-PORT $remote_port;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

in node koa:
app.proxy = true;
ip = ctx.ip;

For me this worked, plus

ip = ctx.request.ip;

@gherciu

gherciu commented Jul 24, 2021

I had the same problem but resolved it by using this module found on NPM: request-ip

In koa it can simply be used as userIp = requestIp.getClientIp(ctx.request)

The user ip is determined by the following order:

X-Client-IP
X-Forwarded-For (Header may return multiple IP addresses in the format: "client IP, proxy 1 IP, proxy 2 IP", so we take the first one.)
CF-Connecting-IP (Cloudflare)
Fastly-Client-Ip (Fastly CDN and Firebase hosting header when forwarded to a cloud function)
True-Client-Ip (Akamai and Cloudflare)
X-Real-IP (Nginx proxy/FastCGI)
X-Cluster-Client-IP (Rackspace LB, Riverbed Stingray)
X-Forwarded, Forwarded-For and Forwarded (Variations of #2)
req.connection.remoteAddress
req.socket.remoteAddress
req.connection.socket.remoteAddress
req.info.remoteAddress

If an IP address cannot be found, it will return null.
