![](/style/images/good.png)
![](/style/images/bad.png)
Get Client IP When Your ASP.NET Core App is behind Reversed Proxy on Azure App S...
source link: https://edi.wang/post/2022/12/9/get-client-ip-when-your-aspnet-core-app-is-behind-reversed-proxy-on-azure-app-service
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Problem
I have a web app with a web front end and API backend both deployed to Azure App Service. I reversed proxy the API using this method I described before, so that my web front end can access API without having CORS issue, and the end users won't need to access my API address directly. However, for the API code, the client IP address I got is always Azure app service's outbound IP instead of real client IP. Let's see how to fix this problem.
Solution
Just like with any reverse proxy, ASP.NET Core already have built in support for respecting "X-Forwarded-For" HTTP header.
Typically, we will add this in DI
builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
});
And use in Middleware
app.UseForwardedHeaders();
However, this is not enough on Azure. We also need to manually add all the possible proxy IP addresses to the ForwardedHeadersOptions
.
Get your App Service's outbound IP addresses
In my case, I call API from Web server. So, I go to the "Networking" blade in the web app's instance and copy all Outbound addresses to clipboard.
![img-e509889b-8aa8-4460-9124-042b604c0b60.png](https://ediwang.cdn.moonglade.blog/ediwang-images/img-e509889b-8aa8-4460-9124-042b604c0b60.png)
Set known proxies
I don't like hard code IP addresses in code. So I go to appsettings.json file and add a new section named "AzureKnownProxies" with the IP I copied before.
"AzureKnownProxies": [
"52.163.244.128",
"13.75.34.175",
"168.63.220.81",
"207.46.136.220",
"168.63.210.90",
"23.101.15.21",
"23.101.7.253",
"207.46.136.152",
"65.52.180.140",
"23.101.13.231",
"23.101.3.51"
],
Then, modify DI code for adding forwarded headers to this
var knownProxies = builder.Configuration.GetSection("AzureKnownProxies").Get<string[]>();
builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
options.ForwardLimit = null;
options.KnownProxies.Clear();
if (knownProxies != null)
{
foreach (var ip in knownProxies)
{
options.KnownProxies.Add(IPAddress.Parse(ip));
}
}
});
Now, we can successfully get real client IP address!
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK