
This product reached the end of support date on March 31, 2021.

Extracting client IP address

paulo_morgado
Participant

I'm trying to extract IP addresses for HTTP requests with the X-Forwarded-For HTTP header. How should I do it?

The documentation is very vague (to say the least). I couldn't figure out if I should set it as a Header regex or a Header tag.

I've set this header regex, but I don't think it's doing anything with it:

%0d%0aX-Forwarded-For:%20\([^%0d%0a,]*\)

 


adam_piotrowicz
Dynatrace Pro

Paulo,

If the X-Forwarded-For HTTP field contains just an IP address, it's recommended to use a Header tag, as it introduces less load on the AMD than the other options. It's also recommended to do it within a particular Software Service rather than globally:

paulo_morgado
Participant

Thanks, Adam.

It's kind of what I gathered from HTTP Configuration Options for Selected User-Defined Software Services. But the example doesn't seem to match the explanation.

And what if there's more than one X-Forwarded-For HTTP header or the value is a comma-separated list of IP addresses?

If the value is not a single IP address, then using a regex is the best way. It should be possible by surrounding the part that contains the desired IP with round brackets and "covering" the rest with a regex.

The case where we have two X-Forwarded-For fields in the HTTP header is not really expected, and we should first test it out before saying anything.

Do you have any example capture we can take a look at?

I haven't seen any request with multiple X-Forwarded-For HTTP headers (yet), but my colleague in charge of the proxies says that some misbehaved proxies might add extra X-Forwarded-For HTTP headers instead of adding to an existing one.

What I've seen is something like this:

GET ... HTTP/1.0
Accept: application/javascript, */*;q=0.8
Referer: ...
Accept-Language: pt-PT
User-Agent: ...
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 05 Mar 2013 18:39:42 GMT; length=13942
Cookie: ...
Host: ...
Via: 1.1 localhost (squid/3.1.6), 1.1 e1-escc:3131 (squid/2.7.STABLE9)
X-Forwarded-For: 10.253.122.38, 10.253.120.99
Cache-Control: max-age=0
Connection: keep-alive

So far, I've tried this header regex: %0d%0aX-Forwarded-For:%20\([^%0d%0a,]*\)

But I don't think it's working.

What am I doing wrong?

Let me know your version so we can test our best answer:

X-Forwarded-For: [^,]*, \(.*\)

to make sure it works well.

12.1.2

Your regex gets the first IP from a list of IPs. It doesn't account for when the X-Forwarded-For only has one IP address.

Thank you for the version - I will test it and let you know.

Verified on 12.1.2.

Regardless of the number of IPs, if you want to retrieve the last one, use:

X-Forwarded-For:.*([.0-9]*$).\n.*

In case you want to report the first one, use:

X-Forwarded-For: ([.0-9]*)

Does that mean that this documentation is wrong in more than one way?

Paulo,

I understand you mean that example:

GET http://www.slow-server.com/login.jsp HTTP/1.1
Accept: */*
Referer: http://www.slow-server.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: www.slow-server.com
Connection: Keep-Alive
Cookie: FPB=061j8hura11q56cv; CRZY9=t=1;
REMOTE_ADDR: 10.1.0.2

does not match the explanation:

The following regular expression extracts the address 10.1.0.2 from the REMOTE_ADDR field:
%0d%0aREMOTE_ADDR:%20\([^%0d%0a]*\)%0d%0a
The expression must contain a single sub-expression delimited by pairs of characters “\(” and “\)”. The expression in this example states that the search string should start at the beginning of a header line and end at the end of the line (note the use of % to denote the hex values of the carriage return and line feed characters). The line should start with the string “REMOTE_ADDR:”. The sub-expression to extract is a string of characters different than ASCII CR or LF, and it should occur after the space following “REMOTE_ADDR:”

Would you please help me understand in what way it's not matching?

Or maybe I misunderstood your question?

According to the documentation, it should be:

X-Forwarded-For:%20\([.0-9]*\)

You're right - the documentation is wrong about it. We will make sure it will be corrected.
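
The cases raised in this thread (a single address, a comma-separated list, and a repeated X-Forwarded-For header) handled outside the AMD, as an added Python example that is not from any poster or from the product. The function names, the second header line (10.253.119.7) and the host name in the sample are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample based on the request quoted in the thread, with a second
# X-Forwarded-For line added to model the "misbehaved proxy" case.
SAMPLE = (
    "GET / HTTP/1.0\r\n"
    "Host: example.invalid\r\n"
    "Via: 1.1 localhost (squid/3.1.6), 1.1 e1-escc:3131 (squid/2.7.STABLE9)\r\n"
    "X-Forwarded-For: 10.253.122.38, 10.253.120.99\r\n"
    "Cache-Control: max-age=0\r\n"
    "X-Forwarded-For: 10.253.119.7\r\n"
    "\r\n"
)

# Anchored at the start of a header line, so a header whose name merely ends
# in "X-Forwarded-For" cannot match. Captures the raw value up to CR/LF.
XFF_LINE = re.compile(r"^X-Forwarded-For:[ \t]*([^\r\n]*)", re.I | re.M)


def forwarded_chain(raw_headers):
    """Return every valid address from all X-Forwarded-For lines, in order."""
    head = raw_headers.split("\r\n\r\n", 1)[0]  # never scan the body
    chain = []
    for value in XFF_LINE.findall(head):
        for item in value.split(","):
            try:
                chain.append(str(ipaddress.ip_address(item.strip())))
            except ValueError:
                continue  # skip "unknown", empty items and other junk
    return chain


def first_and_last(raw_headers):
    """Return (first, last) address of the chain, or (None, None)."""
    chain = forwarded_chain(raw_headers)
    if not chain:
        return None, None
    return chain[0], chain[-1]


if __name__ == "__main__":
    print(forwarded_chain(SAMPLE))
    print(first_and_last(SAMPLE))
```

Every entry in this header is written by whichever client or proxy sent the request, so only the entries appended by proxies you operate can be relied on.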