"X_FORWARDED_FOR" Header Doesn't Present In The Request

Question

In my web application I need to extract the real ip address for clients behind proxy, after searching I found that the possible method to do that is to read the content of "X_FORWARDED_FOR" header, I am using java servlet and the headers of the incoming request doesn't contain "X_FORWARDED_FOR" header, So why the header doesn't included in the request?

I am using java 1.7, tomcat v7, proxy server:TMG and configured to use "X_FORWARDED_FOR" header.

Please advice.

Thanks in advance.

Update:

• The request come from jquery ajax request to servlet.

• My code to read available headers:

  String ip = request.getHeader("X-Forwarded-For"); //return null

   if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) { ip = request.getHeader("Proxy-Client-IP"); //return null } if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) { ip = request.getHeader("WL-Proxy-Client-IP"); //return null } if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) { ip = request.getHeader("HTTP_CLIENT_IP"); //return null } if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) { ip = request.getHeader("HTTP_X_FORWARDED_FOR"); //return null } if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) { ip = request.getRemoteAddr(); //return proxy server IP }

Answer 1

X-Forwarded-For, as well as other headers you test, are custom (it is almost standard , but not quite). Proxy doesn't have to set any such header, so you'll have to test which header the proxy server will set, if any.

However, if it would be set, you'd test it with

request.getHeader("X-Forwarded-For");

HTTP_X_FORWARDED_FOR would be PHP naming, don't use that if you're not using PHP...

I would iterate all incoming headers and see if any header contains the ip. If none of them do, you're out of luck.

You can iterate all headers with

enames = request.getHeaderNames();
while (enames.hasMoreElements()) {
  String name = (String) enames.nextElement();
  String value = request.getHeader(name);
  // "name" and "value" variables contain the header + its value
}

Also note that for java apps, it is often that what gets passed to the servlet is an inner request, and you need to ask for outer request first to get an instance of httpservletrequest that has the headers.

Note also that even if you actually get an ip from that header, you should still think if that is usable information or not. some more details about it here .

Answer 2

This might work:

 public static String X_FORWARDED_FOR_HEADER = "X-Forwarded-For";

 public static boolean isNullOrEmpty(String val) 
  {
    if (val == null || val.length() == 0) 
    {
      return true;
    }
    return false;
  } 

 public static String getRemoteAddress(HttpServletRequest request) {
  String remoteAddr = request.getHeader(X_FORWARDED_FOR_HEADER);
  if (!isNullOrEmpty(remoteAddr)) {
      int pos = remoteAddr.indexOf(',');
      if (pos < 0) {
          return remoteAddr;
      }
      return remoteAddr.substring(0,pos); // if more then 1, take first one 
  }
  return request.getRemoteAddr();
  }