Obtaining Client Information via Application BLB Instance
Scenario introduction
Analyzing client information in the Load Balancer enables intelligent request allocation that improves system performance, reliability, and user experience: it helps the Load Balancer choose the appropriate real server to process each request. For instance, routing decisions can be based on factors such as the client IP address, user session information, or geographic location, so that requests are directed to the most suitable server. It also improves security, because access controls based on client location or IP address can mitigate malicious activity or DDoS attacks. This document details how BLB's built-in features are used to analyze client data.
Basic principles
Because the BLB Layer 7 listener (http/https) rewrites the client source IP when it forwards a request, the source address that the real server sees is not the client's address but one from the BLB-reserved 100.64.0.0/16 segment. When forwarding, the Layer 7 listener (http/https) of the Load Balancer writes the client's real IP into the X-Forwarded-For header and the listener protocol into the X-Forwarded-Proto header, so the backend can log and analyze the visiting client's characteristics from these headers.
This document provides guidance on obtaining client information, using an Nginx server on a CentOS BCC instance as the configuration example.
Preparation
You should first create an application BLB instance, configure a layer 7 listener (HTTP or HTTPS), and configure the corresponding server group or IP group on the listener. For details, see: Application BLB Guide
Configure server
- In the same VPC as the BLB instance, purchase a BCC instance and select the CentOS 7.6 image. For details, see: Quick Configuration of Linux Baidu Cloud Compute
- Add the BCC instance as a real server for the BLB instance. For details, see: Application BLB Guide
- Associate the server group that this server belongs to with the listener and enable it
- Sign in to the BCC instance and run the following commands to build Nginx with http_realip_module
```shell
yum -y install gcc pcre pcre-devel zlib zlib-devel openssl openssl-devel
wget http://nginx.org/download/nginx-1.17.0.tar.gz
tar zxvf nginx-1.17.0.tar.gz
cd nginx-1.17.0
./configure --prefix=/path/server/nginx --with-http_stub_status_module --without-http-cache --with-http_ssl_module --with-http_realip_module
make
make install
```
Note: Downloading the Nginx-related packages requires public network access
Configure the server to obtain the client information
- Run the following command to open the nginx.conf file.
```shell
vi /path/server/nginx/conf/nginx.conf
```
- Press i to enter edit mode, and add the new configuration fields after the following server configuration:
```NGINX
server {
    listen 80;
    server_name localhost;
}
```
1. Obtain the source IP
The configuration fields to be added in the server block:
```NGINX
set_real_ip_from 100.64.0.0/10;
real_ip_header X-Forwarded-For;
```
The configuration fields to be added in the location / block:
```NGINX
location / {
    # With the realip module active and the peer address inside set_real_ip_from,
    # $remote_addr already holds the client IP taken from X-Forwarded-For
    set $real_ip $remote_addr;

    # $realip_remote_addr keeps the address the connection actually came from
    # (the BLB address that was replaced), if that is needed as well
    # set $blb_addr $realip_remote_addr;

    # Here, $real_ip can be used for further processing,
    # for example passed to the upstream server or written to the log
}
```
Description
- Add the proxy server's network segment to set_real_ip_from <IP_cidr> so that X-Forwarded-For sent by those proxies is trusted and the client IP can be recovered. For the application BLB, add its reserved IP segment (100.64.0.0/10 is exclusive to the application BLB; other users cannot use this segment, so only the BLB can supply the trusted header).
- For an application IPv6 BLB, the network segment is: 2403:ed40:f200::/40
- listen 80: if the listener port is not 80, replace it with the actual port of your real server.
- Separate multiple IP address fields with commas.
2. Obtain protocol information
The configuration fields to be added in the location / block:
```NGINX
# Get the value of X-Forwarded-Proto
set $real_proto $http_x_forwarded_proto;
# If X-Forwarded-Proto is not set, fall back to the actual protocol of the connection
if ($real_proto = "") {
    set $real_proto $scheme;
}
# Now $real_proto holds X-Forwarded-Proto, or the actual protocol
# Here, $real_proto can be used for further processing,
# for example to determine whether the client used HTTPS
```
- Press ESC to exit edit mode.
- Type :wq to save the changes and leave the file.
- Run the following command to start Nginx.
```shell
/path/server/nginx/sbin/nginx
```
- Run the following command to view the Nginx access log, where the real client IP and protocol can be seen.
```shell
cat /path/server/nginx/logs/access.log
```
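As an added example (not part of this document or of BLB's own code), the following Python emulates how ngx_http_realip_module resolves the client address with the set_real_ip_from and real_ip_header settings above, and the $real_proto fallback from section 2; it generalizes slightly by trusting both BLB segments and by modelling the real_ip_recursive setting, which the configuration above leaves at its default. All addresses in it are constructed sample values.

```python
import ipaddress

# Trusted proxy ranges, the same segments the page puts in set_real_ip_from
# (100.64.0.0/10 for application BLB, 2403:ed40:f200::/40 for IPv6 BLB)
TRUSTED_PROXIES = [
    ipaddress.ip_network("100.64.0.0/10"),
    ipaddress.ip_network("2403:ed40:f200::/40"),
]


def is_trusted(addr):
    """True if addr falls inside one of the set_real_ip_from ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def real_client_ip(remote_addr, xff, recursive=False):
    """Emulate realip with real_ip_header X-Forwarded-For.

    remote_addr: peer address of the TCP connection (what $remote_addr holds
                 before the module rewrites it)
    xff:         raw X-Forwarded-For header value, or None
    recursive:   real_ip_recursive on/off (the page's config leaves it off)
    """
    # The header is honoured only when the connection peer is a trusted proxy;
    # a client reaching the server directly cannot override its address this way.
    if not is_trusted(remote_addr) or not xff:
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not hops:
        return remote_addr
    if not recursive:
        # real_ip_recursive off: the last address in the header is used
        return hops[-1]
    # real_ip_recursive on: walk right to left, skipping trusted proxies
    for hop in reversed(hops):
        if not is_trusted(hop):
            return hop
    return hops[0]


def real_proto(xfp, scheme):
    """The page's $real_proto logic: X-Forwarded-Proto if set, else $scheme."""
    return xfp if xfp else scheme
```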
Configure the Proxy Protocol to obtain client information
- Step 1: Enable Proxy Protocol for the listener
- Step 2: Enable Proxy Protocol on the real server
- Step 3: Capture packets on the real server to obtain the ClientIP and verify that the real server has acquired the client real IP
