javaweb获取客户端ip

public class WebUtil {
    /**
     * Headers about client's IP
     */
    private static final String[] HEADERS_ABOUT_CLIENT_IP = {
            "X-Forwarded-For",
            "Proxy-Client-IP",//Apache（Weblogic Plug-In Enable）+WebLogic 搭配
            "WL-Proxy-Client-IP",//Apache（Weblogic Plug-In Enable）+WebLogic 搭配
            "HTTP_X_FORWARDED_FOR",
            "HTTP_X_FORWARDED",
            "HTTP_X_CLUSTER_CLIENT_IP",
            "HTTP_CLIENT_IP",//ng配置 proxy_set_header HTTP_CLIENT_IP $remote_addr; 才有用
            "HTTP_FORWARDED_FOR",
            "HTTP_FORWARDED",
            "HTTP_VIA",
            "REMOTE_ADDR"
    };

    public static String getClientIpAddr(HttpServletRequest request) {
        for (String header : HEADERS_ABOUT_CLIENT_IP) {
            String ip = request.getHeader(header);
            if (ip != null && ip.length() != 0 && !"unknown".equalsIgnoreCase(ip)){
                //return ip;
              //X-Forwarded-For: client1, proxy1, proxy2
                String[] ips = ip.split(",");
                return ips[0];
            }
        }
        return request.getRemoteAddr();
    }
}

REMOTE_ADDR

若是没有任何代理，REMOTE_ADDR为客户端ip，若是有代理则为代理机器ip。

x_forwarded_for

为了不上述状况，代理服务器会增长一个x_forwarded_for头信息。

X-Forwarded-For: client1, proxy1, proxy2

能够看出，XFF 头信息能够有多个，中间用逗号分隔，第一项为真实的客户端ip，剩下的就是曾经通过的代理或负载均衡服务器的ip地址。

HAProxy增长一下配置：option forwardfor

配置option forwardfor except 10.1.10.0/24 能够针对内网请求不设置x_forwarded_for。

Nginx代理规则增长：proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

nginx realip模块保证REMOTE_ADDR中就是客户端的真实ip。

电商课题：客户端的IP地址伪造、CDN、反向代理、获取的那些事儿