Express.js: how to get remote client address
While the answer from @alessioalex works, there's another way as stated in the Express behind proxies section of Express - guide.
- Add app.set('trust proxy', true) to your express initialization code.
- When you want to get the ip of the remote client, use req.ip or req.ips in the usual way (as if there isn't a reverse proxy)
Optional reading:
- Use req.ip or req.ips. req.connection.remoteAddress doesn't work with this solution.
- More options for 'trust proxy' are available if you need something more sophisticated than trusting everything passed through in x-forwarded-for header (for example, when your proxy doesn't remove preexisting x-forwarded-for header from untrusted sources). See the linked guide for more details.
- If your proxy server does not populate x-forwarded-for header, there are two possibilities.
  - The proxy server does not relay the information on where the request was originally from. In this case, there would be no way to find out where the request was originally from. You need to modify configuration of the proxy server first.
    - For example, if you use nginx as your reverse proxy, you may need to add proxy_set_header X-Forwarded-For $remote_addr; to your configuration.
  - The proxy server relays the information on where the request was originally from in a proprietary fashion (for example, custom http header). In such case, this answer would not work. There may be a custom way to get that information out, but you need to first understand the mechanism.
If you are running behind a proxy like NGiNX or what have you, only then you should check for 'x-forwarded-for':
var ip = req.headers['x-forwarded-for'] || req.socket.remoteAddress
If the proxy isn't 'yours', I wouldn't trust the 'x-forwarded-for' header, because it can be spoofed.
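The answers above note that 'trust proxy' has stricter settings than true and that x-forwarded-for can be spoofed. The following is an added example, not code from the answers or from Express: a self-contained sketch of the address resolution the Express guide describes for 'trust proxy', run over constructed addresses. The function names and the exact-match proxy list are assumptions made for illustration.

```javascript
// Added sketch, not Express's own code.
// trust: true | number of trusted hops | array of trusted proxy addresses
// (exact string match only here; subnets are out of scope for this sketch).
function makeTrustFn(trust) {
  if (trust === true) return () => true;
  if (typeof trust === 'number') return (_addr, hop) => hop < trust;
  const trusted = new Set(trust);
  return (addr) => trusted.has(addr);
}

function clientAddress(socketAddr, xffHeader, trust) {
  const isTrusted = makeTrustFn(trust);
  // Chain is ordered nearest-first: socket peer, then the header right to left.
  const forwarded = (xffHeader || '')
    .split(',')
    .map((s) => s.trim())
    .filter(Boolean)
    .reverse();
  const chain = [socketAddr, ...forwarded];
  // The first hop that is not a trusted proxy is taken as the client.
  for (let hop = 0; hop < chain.length - 1; hop++) {
    if (!isTrusted(chain[hop], hop)) return chain[hop];
  }
  return chain[chain.length - 1]; // every hop trusted: left-most entry wins
}

// Constructed sample: the proxy (10.0.0.5) appended the real peer
// (203.0.113.7) to a header the client had already set to 198.51.100.99,
// as nginx does with $proxy_add_x_forwarded_for.
const PROXY = '10.0.0.5';
const APPENDED = '198.51.100.99, 203.0.113.7';
// With "proxy_set_header X-Forwarded-For $remote_addr;" the header is replaced.
const OVERWRITTEN = '203.0.113.7';

function demo() {
  return {
    trustAll: clientAddress(PROXY, APPENDED, true),            // forged value
    oneHop: clientAddress(PROXY, APPENDED, 1),                 // real peer
    proxyList: clientAddress(PROXY, APPENDED, [PROXY]),        // real peer
    overwritten: clientAddress(PROXY, OVERWRITTEN, true),      // real peer
    direct: clientAddress('203.0.113.7', '198.51.100.99', [PROXY]), // header ignored
  };
}

console.log(demo());
```

In the trustAll case the client-supplied entry is returned because the header was appended to rather than replaced; the hop count, the proxy list, or overwriting the header at the proxy each yield the address the proxy actually saw.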
In nginx.conf file:
proxy_set_header X-Real-IP $remote_addr;
In node.js server file:
var ip = req.headers['x-real-ip'] || req.connection.remoteAddress;
note that express lowercases headers