Java獲取客戶端使用者真實IP地址
在JSP裡,獲取客戶端的IP地址的方法是:request.getRemoteAddr(),這種方法在大部分情況下都是有效的。但是在通過了Apache,Squid,nginx等反向代理軟體就不能獲取到客戶端的真實IP地址了。
如果使用了反向代理軟體,將http://192.168.1.110:2046/ 的URL反向代理為 http://www.javapeixun.com.cn / 的URL時,用request.getRemoteAddr()方法獲取的IP地址是:127.0.0.1 或 192.168.1.110,而並不是客戶端的真實IP。
經過代理以後,由於在客戶端和服務之間增加了中間層,因此伺服器無法直接拿到客戶端的IP,伺服器端應用也無法直接通過轉發請求的地址返回給客戶端。但是在轉發請求的HTTP頭資訊中,增加了X-FORWARDED-FOR資訊。用以跟蹤原有的客戶端IP地址和原來客戶端請求的伺服器地址。當我們訪問http://www.javapeixun.com.cn /index.jsp/ 時,其實並不是我們瀏覽器真正訪問到了伺服器上的index.jsp檔案,而是先由代理伺服器去訪問http://192.168.1.110:2046/index.jsp ,代理伺服器再將訪問到的結果返回給我們的瀏覽器,因為是代理伺服器去訪問index.jsp的,所以index.jsp中通過request.getRemoteAddr()的方法獲取的IP實際上是代理伺服器的地址,並不是客戶端的IP地址。
於是可得出獲得客戶端真實IP地址的方法一:
public String getRemortIP(HttpServletRequest request) {
if (request.getHeader("x-forwarded-for") == null) {
return request.getRemoteAddr();
}
return request.getHeader("x-forwarded-for");
}可是當我訪問http://www.5a520.cn /index.jsp/ 時,返回的IP地址始終是unknown,也並不是如上所示的127.0.0.1 或 192.168.1.110了,而我訪問http://192.168.1.110:2046/index.jsp 時,則能返回客戶端的真實IP地址,寫了個方法去驗證。原因出在了Squid上。squid.conf 的配製檔案 forwarded_for 項預設是為on,如果 forwarded_for 設成了 off 則:X-Forwarded-For: unknown
於是可得出獲得客戶端真實IP地址的方法二:
import javax.servlet.http.HttpServletRequest; /** * 自定義訪問物件工具類 * * 獲取物件的IP地址等資訊 * @author X-rapido * */ public class CusAccessObjectUtil { /** * 獲取使用者真實IP地址,不使用request.getRemoteAddr();的原因是有可能使用者使用了代理軟體方式避免真實IP地址, * 參考文章: http://developer.51cto.com/art/201111/305181.htm * * 可是,如果通過了多級反向代理的話,X-Forwarded-For的值並不止一個,而是一串IP值,究竟哪個才是真正的使用者端的真實IP呢? * 答案是取X-Forwarded-For中第一個非unknown的有效IP字串。 * * 如:X-Forwarded-For:192.168.1.110, 192.168.1.120, 192.168.1.130, * 192.168.1.100 * * 使用者真實IP為: 192.168.1.110 * * @param request * @return */ public static String getIpAddress(HttpServletRequest request) { String ip = request.getHeader("x-forwarded-for"); if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) { ip = request.getHeader("Proxy-Client-IP"); } if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) { ip = request.getHeader("WL-Proxy-Client-IP"); } if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) { ip = request.getHeader("HTTP_CLIENT_IP"); } if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) { ip = request.getHeader("HTTP_X_FORWARDED_FOR"); } if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) { ip = request.getRemoteAddr(); } return ip; } }
可是,如果通過了多級反向代理的話,X-Forwarded-For的值並不止一個,而是一串Ip值,究竟哪個才是真正的使用者端的真實IP呢?
答案是取X-Forwarded-For中第一個非unknown的有效IP字串。
如:X-Forwarded-For:192.168.1.110, 192.168.1.120, 192.168.1.130, 192.168.1.100使用者真實IP為: 192.168.1.110
除了上面的簡單獲取IP之外,一般的公司還會進行內網外網判斷,完整示例如下
import javax.servlet.http.HttpServletRequest;
/**
* IP地址工具類
* @author xudongdong
*
*/
public class IpUtil {
/**
* 私有化構造器
*/
private IpUtil() {
}
/**
* 獲取真實IP地址
* <p>使用getRealIP代替該方法</p>
* @param request req
* @return ip
*/
@Deprecated
public static String getClinetIpByReq(HttpServletRequest request) {
// 獲取客戶端ip地址
String clientIp = request.getHeader("x-forwarded-for");
if (clientIp == null || clientIp.length() == 0 || "unknown".equalsIgnoreCase(clientIp)) {
clientIp = request.getHeader("Proxy-Client-IP");
}
if (clientIp == null || clientIp.length() == 0 || "unknown".equalsIgnoreCase(clientIp)) {
clientIp = request.getHeader("WL-Proxy-Client-IP");
}
if (clientIp == null || clientIp.length() == 0 || "unknown".equalsIgnoreCase(clientIp)) {
clientIp = request.getRemoteAddr();
}
/*
* 對於獲取到多ip的情況下,找到公網ip.
*/
String sIP = null;
if (clientIp != null && !clientIp.contains("unknown") && clientIp.indexOf(",") > 0) {
String[] ipsz = clientIp.split(",");
for (String anIpsz : ipsz) {
if (!isInnerIP(anIpsz.trim())) {
sIP = anIpsz.trim();
break;
}
}
/*
* 如果多ip都是內網ip,則取第一個ip.
*/
if (null == sIP) {
sIP = ipsz[0].trim();
}
clientIp = sIP;
}
if (clientIp != null && clientIp.contains("unknown")){
clientIp =clientIp.replaceAll("unknown,", "");
clientIp = clientIp.trim();
}
if ("".equals(clientIp) || null == clientIp){
clientIp = "127.0.0.1";
}
return clientIp;
}
/**
* 判斷IP是否是內網地址
* @param ipAddress ip地址
* @return 是否是內網地址
*/
public static boolean isInnerIP(String ipAddress) {
boolean isInnerIp;
long ipNum = getIpNum(ipAddress);
/**
私有IP:A類 10.0.0.0-10.255.255.255
B類 172.16.0.0-172.31.255.255
C類 192.168.0.0-192.168.255.255
當然,還有127這個網段是環回地址
**/
long aBegin = getIpNum("10.0.0.0");
long aEnd = getIpNum("10.255.255.255");
long bBegin = getIpNum("172.16.0.0");
long bEnd = getIpNum("172.31.255.255");
long cBegin = getIpNum("192.168.0.0");
long cEnd = getIpNum("192.168.255.255");
isInnerIp = isInner(ipNum, aBegin, aEnd) || isInner(ipNum, bBegin, bEnd) || isInner(ipNum, cBegin, cEnd)
|| ipAddress.equals("127.0.0.1");
return isInnerIp;
}
private static long getIpNum(String ipAddress) {
String[] ip = ipAddress.split("\\.");
long a = Integer.parseInt(ip[0]);
long b = Integer.parseInt(ip[1]);
long c = Integer.parseInt(ip[2]);
long d = Integer.parseInt(ip[3]);
return a * 256 * 256 * 256 + b * 256 * 256 + c * 256 + d;
}
private static boolean isInner(long userIp, long begin, long end) {
return (userIp >= begin) && (userIp <= end);
}
public static String getRealIP(HttpServletRequest request){
// 獲取客戶端ip地址
String clientIp = request.getHeader("x-forwarded-for");
if (clientIp == null || clientIp.length() == 0 || "unknown".equalsIgnoreCase(clientIp)) {
clientIp = request.getRemoteAddr();
}
String[] clientIps = clientIp.split(",");
if(clientIps.length <= 1) return clientIp.trim();
// 判斷是否來自CDN
if(isComefromCDN(request)){
if(clientIps.length>=2) return clientIps[clientIps.length-2].trim();
}
return clientIps[clientIps.length-1].trim();
}
private static boolean isComefromCDN(HttpServletRequest request) {
String host = request.getHeader("host");
return host.contains("www.189.cn") ||host.contains("shouji.189.cn") || host.contains(
"image2.chinatelecom-ec.com") || host.contains(
"image1.chinatelecom-ec.com");
}
}