Getting the Real IP Address from a Proxied Request in ATG


Many things can obscure the real IP address of the end user when they visit your site: a load balancer in front of your ATG cluster, Akamai, the user’s ISP or office network, and more. This makes correlating logging events, using the ATG session IP validation security option, and similar tasks very difficult. In light of that challenge I’ve added a new mini-module to my Open Source ATG Modules called the ProxyIPFixer. It uses a simple ATG pipeline servlet to examine the X-FORWARDED-FOR request header; if it finds one, it parses through the IP addresses to find the originating IP address of the user and puts that value into the ATG Request object’s remoteAddr property.

This allows downstream pipeline servlets, code, and pages to see the real user’s IP address.

The caveat is that the header can be faked, and that some ISPs/companies, such as AOL, do not set the true endpoint of the user, so you can only see back to their outgoing proxy server. In AOL’s case in particular, they can also route subsequent requests by the same AOL user through different AOL proxy points, which will make it appear that someone is hijacking a session (if you’re using the ATG session security mechanism). So be aware of the limitations. However, it can be very useful.
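To make the two caveats above concrete, here is an added example (written for this post, not the ProxyIPFixer module’s own code) of resolving the client address from X-FORWARDED-FOR. It goes one step beyond the module by only honouring the header when the TCP peer is one of a configured set of trusted proxies (the load balancer or Akamai edge; the 10.0.0.x addresses are placeholders), walking the header from right to left past those proxies. The result is what a pipeline servlet would copy into the request’s remoteAddr. Note that an ISP proxy such as AOL’s is not in the trusted set, so it is reported as the client, exactly the limitation described above.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

/** Resolves the originating client IP from an X-Forwarded-For header. */
public class ForwardedForResolver {
    // Dotted-quad IPv4 only; anything else in the header is treated as garbage.
    private static final Pattern IPV4 = Pattern.compile(
        "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}$");

    private final Set<String> trustedProxies;

    public ForwardedForResolver(Set<String> trustedProxies) {
        this.trustedProxies = trustedProxies;
    }

    /**
     * @param remoteAddr the TCP peer address the container saw (request.getRemoteAddr())
     * @param header     the raw X-Forwarded-For value, or null if the header is absent
     * @return the address to treat as the client
     */
    public String resolve(String remoteAddr, String header) {
        // If the peer is not one of our proxies, the header is untrusted user input: ignore it.
        if (header == null || !trustedProxies.contains(remoteAddr)) {
            return remoteAddr;
        }
        // Format is "client, proxy1, proxy2": each hop appends the peer address it saw.
        List<String> hops = Arrays.asList(header.split(","));
        // Walk right to left, skipping our own proxies; the first unknown hop is the client.
        for (int i = hops.size() - 1; i >= 0; i--) {
            String hop = hops.get(i).trim();
            if (trustedProxies.contains(hop)) {
                continue;
            }
            // A malformed entry was written by something we do not control: fall back to the peer.
            return IPV4.matcher(hop).matches() ? hop : remoteAddr;
        }
        return remoteAddr; // every hop was one of ours
    }

    public static void main(String[] args) {
        // Placeholder trusted proxy addresses (constructed for this example).
        Set<String> proxies = new HashSet<>(Arrays.asList("10.0.0.5", "10.0.0.6"));
        ForwardedForResolver resolver = new ForwardedForResolver(proxies);
        // Constructed sample: client 203.0.113.7 reached us through two of our proxies.
        System.out.println(resolver.resolve("10.0.0.5", "203.0.113.7, 10.0.0.6"));
        // Constructed sample: header supplied directly by an untrusted peer is ignored.
        System.out.println(resolver.resolve("198.51.100.9", "203.0.113.99"));
    }
}
```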

For those who don’t want to download the whole module package, I have attached the Java source and the ATG properties file to this post.

Enjoy! (and as always feel free to contact me with questions, issues, improvements, etc…)

ProxyIPFixerServlet Java Source

ProxyIPFixer ATG Properties File

April 8th, 2008 (last modified 2017-05-18T15:18:05+00:00) | ATG, Security | 5 Comments


5 Comments

  1. keif April 9, 2008 at 8:49 pm - Reply

    I’m curious why you don’t enable social bookmarking/digging/etc. on your blog entries. I’m definitely bookmarking this.

  2. Devon April 9, 2008 at 9:07 pm - Reply

    Honestly, because I don’t use social bookmarking sites myself. Do you know of a WordPress plugin for that you’d recommend? I googled and found several, but would love a recommendation.

  3. links for 2008-04-10 | iKeif April 10, 2008 at 9:39 am - Reply

    […] stuff pulled off in Action Script) browser development dhtml interval javascript programming webdev Getting the Real IP Address from a Proxied Request in ATG | Devon Hillard Tech Blog 12 hours, 49 minutes ago Devon shows how to get the REAL IP address using ATG atg code java […]

  4. John December 4, 2008 at 9:50 pm - Reply

    When I test out your code on my webpage it works, but since I have a router your code displays the IP my router assigns to my computer, 192.168.1.100. Is there a way to display my real IP even when using a router?

    Also, is it asking too much for you to edit your Java code and recompile a class that automatically prints the IP to a text file instead of displaying it on the webpage? I am in the process of tracking down a scammer and need some Java code that records every IP address to a text file located on the server. Any help / suggestions would be greatly appreciated!

  5. Devon December 5, 2008 at 2:09 pm - Reply

    @John: if you’re using a router at home, it’s providing NAT (network address translation) so that all your computers at home only use a single real-world routable IP address. It’s not the same thing as a proxy, so the X-FORWARDED-FOR header will not be set by your router. There is no way to get your internal NATed IP address from a request to a server.

    My code doesn’t display the IP on a page, it modifies the IP address within the scope of an ATG servlet pipeline. You should be able to make it write to file pretty easily, but I don’t have the time right now to do that for you.

    If you’re using Apache it would probably be much simpler to just add the X-FORWARDED-FOR header to the Apache log format, similarly to this:

    %{X-Forwarded-For}i %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
