I'm trying to grab the requester's ip address on my heroku server, using remote-addr from the ring header, but I'm getting a "private IP address" (i.e., starts with 10). How do I get the public ip address?
It looks like I need to grab x-forwarded-for since I'm behind a load balancer. Only thing I'm not sure of is that from this: https://stackoverflow.com/questions/30018044/how-to-get-the-client-ip-address-in-ring-clojure it appears that sometimes, x-forwarded-for is a comma separated list. In such a case, is it valuable to retain the whole string of addresses (e.g., does that represent one computer within a lab that shares the same ip address?) or should I really just throw away everything after the first comma?
@puzzler x-forwarded-for
ends up being the list of IPs from the client (what you want) through the routers and load balancers etc to your server. We initially assumed we could use ring-proxy
and wrap-proxy-headers
to get the updated :remote-addr
but that pulls the last IP from the list -- which in our case was the F5 BigIP load balancer -- so we wrote our own two line middleware to pull the first IP from the list which is the client IP address (or whatever they've spoofed it to be... we don't care, we just want it for logging.
@seancorfield I'm mainly interested in determining unique users, and a lot of our users are going to be in schools, which I assume are usually behind some firewall with a single public Internet IP. So in that context, is the school's IP address going to show up as the leftmost address in the list, or the rightmost one? I was thinking the school's IP address would be the rightmost (last IP address before it hits the Internet), and the student's assigned IP within the school's local network is on the left (and not guaranteed to be unique from someone on a completely different local network). If my assumptions are correct, that would mean I need to capture the whole comma separated list to determine a unique user. Does that analysis seem correct, or flawed?
The addresses go from left to right, client to server.
The same client IP could go through different proxies at different times to get to you -- so you'd get a different set of IPs for the same client (user).
That said, some ISPs don't expose the actual client IP at all and only give you an IP for an edge proxy (AOL is a good example -- or was... can't remember if it still does).