
Sometimes you need to get the IP address of the client that originally sent the request to your server. If you are on AWS infrastructure and you are using an Elastic Load Balancer, the usual way to get the IP address is to look at the header called X-Forwarded-For. See https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/x-forwarded-headers.html#x-forwarded-for for reference.

In theory, the client can set that header to any IP address and thereby spoof it. However, AWS always appends the address of the client that connected to the load balancer to the right-hand end of that header. That means that, as long as you read the last entry of that string and requests can only reach your server through the load balancer, the client cannot spoof the IP address:

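;; some-> returns nil instead of throwing when the header is absent
(some-> (:headers request)
        (get "x-forwarded-for")
        (clojure.string/split #",")
        last
        clojure.string/trim) ; entries are separated by ", "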
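
The same idea as a reusable helper, added here as an example and not part of the original post: it assumes a Ring-style request map (`:headers`, `:remote-addr`), and the names `client-ip`, `wrap-client-ip` and `trusted-hops` are hypothetical. It generalizes the single load balancer case to a known number of proxies you control, each appending one entry, and falls back to the socket peer when the header is missing or too short.

```clojure
(ns example.client-ip
  (:require [clojure.string :as str]))

;; Hypothetical helper: returns the X-Forwarded-For entry appended by the
;; outermost proxy you control. trusted-hops is the assumed number of such
;; proxies in front of the app (1 for a single load balancer).
(defn client-ip
  ([request] (client-ip request 1))
  ([request trusted-hops]
   (let [header  (get-in request [:headers "x-forwarded-for"])
         entries (->> (str/split (or header "") #",")
                      (map str/trim)
                      (remove str/blank?)
                      vec)
         idx     (- (count entries) trusted-hops)]
     (if (and (pos? trusted-hops) (>= idx 0))
       (nth entries idx)
       ;; Header missing or shorter than expected: the request did not pass
       ;; through the assumed proxies, so use the socket peer address.
       (:remote-addr request)))))

;; Hypothetical Ring middleware that stores the result under :client-ip.
(defn wrap-client-ip [handler]
  (fn [request]
    (handler (assoc request :client-ip (client-ip request)))))

;; Constructed sample requests using documentation-range addresses.
(def forged-prefix
  ;; The client sent "192.0.2.1" itself; the load balancer appended the
  ;; address it actually saw, "203.0.113.7".
  {:remote-addr "10.0.0.5"
   :headers     {"x-forwarded-for" "192.0.2.1, 203.0.113.7"}})

(def no-header
  {:remote-addr "198.51.100.9" :headers {}})

(defn -main [& _]
  (doseq [[label req] [["forged prefix" forged-prefix]
                       ["no header" no-header]]]
    (println label "->" (client-ip req))))
```

Reading entries from the left instead of the right would return the value the client supplied in the first sample request.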
