Monday 30 September 2013

Get user's IP address in load balancing environment in ASP.NET

Leave a Comment
One of our requirement is to get user's IP address in load balancing environment. Production servers are setup in load balancing environment (also known as Web Farm environment).
I've tried following Request Server Variables to get visitor's IP address
Response.Write("  HTTP_X_COMING_FROM" + Request.ServerVariables["HTTP_X_COMING_FROM"]);

Response.Write(" || HTTP_X_FORWARDED_FOR" + Request.ServerVariables["HTTP_X_FORWARDED_FOR"]);

Response.Write(" || HTTP_X_FORWARDED" + Request.ServerVariables["HTTP_X_FORWARDED"]);

Response.Write(" || HTTP_VIA" + Request.ServerVariables["HTTP_VIA"]);

Response.Write(" || HTTP_COMING_FROM" + Request.ServerVariables["HTTP_COMING_FROM"]);

Response.Write(" || HTTP_FORWARDED_FOR" + Request.ServerVariables["HTTP_FORWARDED_FOR"]);

Response.Write(" || HTTP_FORWARDED" + Request.ServerVariables["HTTP_FORWARDED"]);

Response.Write(" || HTTP_FROM " + Request.ServerVariables["HTTP_FROM"]);

Response.Write(" || HTTP_PROXY_CONNECTION" + Request.ServerVariables["HTTP_PROXY_CONNECTION"]);

Response.Write(" || CLIENT_IP" + Request.ServerVariables["CLIENT_IP"]);

Response.Write(" || FORWARDED " + Request.ServerVariables["FORWARDED"]);

Response.Write(" || REMOTE_ADDR " + Request.ServerVariables["REMOTE_ADDR"]);

Response.Write(" || HTTP_CLIENT_IP" + Request.ServerVariables["HTTP_CLIENT_IP"]);

Response.Write(" || X-Forwarded-For " + Request.ServerVariables["X-Forwarded-For"]);

Response.Write(" || X_FORWARDED_FOR " + Request.ServerVariables["X_FORWARDED_FOR"]);

Response.Write(" || REMOTE_HOST " + Request.ServerVariables["REMOTE_HOST"]);

Response.Write(" || HTTP_X_CLUSTER_CLIENT_IP " + Request.ServerVariables["HTTP_X_CLUSTER_CLIENT_IP"]);

Response.Write(" || User Host " + Request.UserHostAddress);
The main point to note is that load balancer is acting as a proxy. Based on Load Balancer setting HTTP_X_FORWARDED_FOR is returning visitor's IP address. REMOTE_HOST and REMOTE_ADDR are returning Load Balancer IP address.
By using HTTP_X_FORWARDED_FOR, I was able to get visitor's IP address but I got a small problem. Sometimes HTTP_X_FORWARDED_FOR is returning a comma delimited list of IP addresses!
For example:

HTTP_X_FORWARDED_FOR = "10.44.14.47, 82.132.237.233"
HTTP_X_FORWARDED_FOR = "10.16.36.14, 217.33.137.230, 95.131.110.106"
HTTP_X_FORWARDED_FOR = "192.168.10.47, 192.168.10.47, 127.0.0.1, 86.156.34.80"

Reason is that request has passed through multiple proxies thus HTTP_X_FORWARDED_FOR contains multiple IP address.

The general format of the field is:
X-Forwarded-For: client, proxy1, proxy2 

Use below code to get IP address :
HttpContext.Request.ServerVariables["HTTP_X_FORWARDED_FOR"] ?? "").Split(',').Last().Trim();
The FIRST IP may be the real client behind many proxies, but it can be fake and easily be spoofed through headers using various tool and plugins like Firefox Tamper Data. So the correct way is to get the LAST IP from the list of IPs, which is the most reliable IP that connected to our servers. Check Wikipedia link for good read.
Using IP address to identify unique visitors is not reliable way.

0 comments :

Post a Comment