系统相关
首页 > 系统相关> > Java防伪造ip,Nginx方法

Java防伪造ip,Nginx方法

作者:互联网

问题:

正常获取IP方法,此方式通过获取请求头的方式拿到IP

ip = request.getHeader("x-forwarded-for");

于是可以模拟在请求头添加x-forwarded-for,伪造ip发送请求,

结果Java获取到的ip为仿造后的:111.111.111.111

 

解决:配置nginx即可。

 

若项目没有使用nginx或其他代理,则只需修改代码。

String ip = request.getRemoteAddr();

public static String getIP(HttpServletRequest request) {
		// 获取真实Ip。未使用代理的情况下,若使用nginx,则获取到的是nginx的ip
		String ip = request.getRemoteAddr();

		// 若使用了nginx,则需要配置
//		proxy_set_header X-Real-IP $remote_addr;
//		proxy_set_header Host $host;
//		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

		// 获取nginx代理前的用户Ip
//		String ip = request.getHeader("X-Real-IP");
		if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
			ip = request.getHeader("Proxy-Client-IP");
		}
		if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
			ip = request.getHeader("WL-Proxy-Client-IP");
		}
		if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
			ip = request.getHeader("HTTP_CLIENT_IP");
		}
		if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
			ip = request.getHeader("HTTP_X_FORWARDED_FOR");
		}
		if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
			ip = request.getHeader("x-forwarded-for");
		}
		//对于通过多个代理的情况,第一个IP为客户端真实IP,多个IP按照','分割
		//"***.***.***.***".length() = 15
		if (ip != null && ip.length() > 15) {
			if (ip.indexOf(",") > 0) {
				ip = ip.substring(0, ip.indexOf(","));
			}
		}
		return ip;
	}

效果:经处理,获取的ip为真实的,公司的外网IP:182.***.***.***

后续可通过真实ip进行限流

 

标签:Java,IP,getHeader,request,Nginx,length,ip,null
来源: https://blog.csdn.net/SSS_HuLiang/article/details/117922755