I set app.proxy = true but sometimes I still get someone with ctx.ip = "127.0.0.x"
sometimes or always?
On 2015-11-19 11:38 GMT+08:00, Alisson Cavalcante Agiani <[email protected]> wrote:
> I set app.proxy = true but sometimes I still get someone with ctx.ip = "127.0.0.x"
always when someone is behind a NAT
This is what https://github.com/jshttp/proxy-addr is for, which I haven't had to implement. A PR would be welcomed. https://github.com/koajs/koa/issues/281
So getting the last ip of ctx.ips is not enough?
This seems to be working for returning the real ip:
const current_ip = ctx.ips.length > 0 ? ctx.ips[ctx.ips.length - 1] : ctx.ip;
the client's ip should be first, check out https://en.wikipedia.org/wiki/X-Forwarded-For
I know, I want the last ip because it is returning LAN ips
There's a problem using koa behind an nginx server when I force X-Forwarded-For in the request.
An X-Forwarded-For header sent by the client overwrites this.request.ip. This is a critical security issue.
Found the problem in line 381 of koa/lib/request.js:
https://github.com/koajs/koa/blob/master/lib/request.js#L381
It's better to use X-Real-IP over X-Forwarded-For.
real_ip_header X-Forwarded-For? supporting two sounds wonky to me, why not use the more common one? As far as security goes that's what app.proxy = true is for, if you don't trust the fields then app.proxy = false
That's because nginx appends the external request's X-Forwarded-For value to the final header, but clears the external X-Real-IP header and gets it right with the far end's value.
hmm yea I suppose it depends how nginx is configured, though if you have X-Real-IP you might as well just clobber X-Forwarded-For to ensure it's correct and not spoofed
If your koa app is behind nginx, you must add 'proxy_set_header X-Forwarded-For $remote_addr' to the nginx proxy config.
I just found that you can spoof an IP address on the standard configuration of nginx. And I happen to whitelist payment servers on my webhook by an IP address.
I agree with @jgdev, this is a critical security issue and should be fixed.
in nginx:
    location / {
        proxy_pass http://test;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Real-PORT $remote_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
in node koa:
    app.proxy = true;
    ip = ctx.ip;
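The thread argues over two nginx settings ($proxy_add_x_forwarded_for, which appends, versus $remote_addr, which overwrites) and over whether the first or the last entry of ctx.ips is the client. The following is an added example, not code from koa, nginx or anyone in this thread: it models both nginx rewrites and a koa-style ctx.ip/ctx.ips in plain JavaScript, then shows the trust-list walk that jshttp/proxy-addr uses (a simplified re-implementation, not that library's code). Assumptions: with app.proxy = true koa splits X-Forwarded-For on commas into ctx.ips and takes ctx.ips[0], falling back to the socket address, as ctx.ip; nginx sits on 127.0.0.1; the request, client address and forged header value are constructed for the demonstration.

```javascript
// Added example (not koa's, nginx's or the thread's code). Models how the two
// nginx X-Forwarded-For settings rewrite the header and how a koa-style
// ctx.ip / ctx.ips then reads the result, to show where spoofing gets in.
// Assumption: koa with app.proxy = true splits X-Forwarded-For on commas into
// ctx.ips and uses ctx.ips[0] (falling back to the socket peer) as ctx.ip.

// Constructed request as nginx sees it: the real client is 203.0.113.7 and
// forges an X-Forwarded-For claiming to be 10.0.0.5, an address the app
// might allowlist (for example a payment provider's webhook source).
const forgedRequest = {
  remoteAddr: '203.0.113.7',
  headers: { 'x-forwarded-for': '10.0.0.5' },
};

const NGINX_ADDR = '127.0.0.1'; // assumption: nginx proxies to koa over loopback

// proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
// nginx appends $remote_addr to whatever the client sent, ", " separated.
function nginxAppendXff(req) {
  const incoming = req.headers['x-forwarded-for'];
  const value = incoming ? `${incoming}, ${req.remoteAddr}` : req.remoteAddr;
  return { remoteAddr: NGINX_ADDR, headers: { 'x-forwarded-for': value } };
}

// proxy_set_header X-Forwarded-For $remote_addr;
// nginx discards the client-supplied header and writes only the peer address.
function nginxOverwriteXff(req) {
  return { remoteAddr: NGINX_ADDR, headers: { 'x-forwarded-for': req.remoteAddr } };
}

// koa-style ctx.ips / ctx.ip under app.proxy = true (model, see assumption).
function koaIps(req) {
  const val = req.headers['x-forwarded-for'];
  return val ? val.split(/\s*,\s*/) : [];
}
function koaIp(req) {
  return koaIps(req)[0] || req.remoteAddr;
}

// Trust-aware resolution (the proxy-addr idea, simplified): build the hop
// chain [XFF entries..., socket peer], walk it from the right, skip the
// proxies we operate, and return the first address we did not add ourselves.
// Anything the client forged sits left of our own hops and is never reached.
// If the socket peer itself is not a trusted proxy, the header is ignored.
function clientIp(req, trustedProxies) {
  const trusted = new Set(trustedProxies);
  const hops = [...koaIps(req), req.remoteAddr];
  for (let i = hops.length - 1; i >= 0; i -= 1) {
    if (!trusted.has(hops[i])) return hops[i];
  }
  return hops[0]; // every hop is one of ours; report the outermost
}

// Side-by-side results for the forged request under both nginx settings.
function compare(trustedProxies) {
  const appended = nginxAppendXff(forgedRequest);
  const appendedIps = koaIps(appended);
  const overwritten = nginxOverwriteXff(forgedRequest);
  return {
    append: {
      ctxIp: koaIp(appended),                           // first entry: the forged value
      lastOfIps: appendedIps[appendedIps.length - 1],   // what nginx added: real client
      trustAware: clientIp(appended, trustedProxies),
    },
    overwrite: {
      ctxIp: koaIp(overwritten),                        // only entry: real client
      trustAware: clientIp(overwritten, trustedProxies),
    },
  };
}

console.log(JSON.stringify(compare([NGINX_ADDR]), null, 2));
```

With the appending config, ctx.ip is the forged 10.0.0.5 while both the last entry of ctx.ips and the trust-aware walk give 203.0.113.7; with the overwriting config all three agree. Taking the last entry only works when exactly one known proxy appends; the trust list generalises to several hops (a NAT or CDN in front of nginx) by listing each of them. The walk also covers the case the thread does not mention: if koa's port is reachable without going through nginx, the socket peer is untrusted and the client-supplied header is ignored, whereas ctx.ips[0] would still be whatever the caller wrote. Binding koa to loopback or firewalling its port is still the first line of defence.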
For me this worked, plus
    ip = ctx.request.ip;