How to Preserve the Real Client IP Behind Nginx and Retrieve It in Java

This guide explains how to configure Nginx to forward the original client IP using X-Real-IP or X-Forwarded-For headers and provides Java servlet code to reliably extract that IP on the backend.

MaGe Linux Operations

When Nginx acts as a reverse proxy, the original client IP can be lost because the request reaching the application server appears to come from the Nginx host. To retain the real IP, add the X-Real-IP or X-Forwarded-For header in the Nginx configuration.

server {
    listen 80;
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://backend_server;
    }
}

Replace http://backend_server with the actual address of your backend service and ensure the application or framework is configured to read these headers.

In a Java servlet environment, you can obtain the client IP by inspecting the same headers. The following utility method checks X-Forwarded-For first and falls back to request.getRemoteAddr() if the header is absent.

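import javax.servlet.http.HttpServletRequest;

public class NetworkUtils {
    /**
     * Returns the first entry of X-Forwarded-For, or the immediate peer address
     * when the header is absent or its first entry is empty.
     */
    public static String getClientIp(HttpServletRequest request) {
        String xForwardedForHeader = request.getHeader("X-Forwarded-For");
        if (xForwardedForHeader == null) {
            return request.getRemoteAddr();
        }
        // The header is a comma-separated list. The limit of 2 keeps split() from
        // returning an empty array for a value such as ",", which would make [0] throw.
        String first = xForwardedForHeader.split(",", 2)[0].trim();
        return first.isEmpty() ? request.getRemoteAddr() : first;
    }
}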

This method returns the first IP address in the X-Forwarded-For list, which is typically the original client IP, while request.getRemoteAddr() returns the IP of the immediate peer (often the proxy).

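Be cautious when trusting X-Forwarded-For from untrusted sources, as it can be spoofed: a client can send the header itself, and $proxy_add_x_forwarded_for appends $remote_addr to whatever the client supplied, so the first entry in the list may be client-controlled. Ensure the application runs behind trusted proxies and validate the header values as needed.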
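One way to apply that caution, as an added example that is not code from the original article: honor X-Forwarded-For only when the immediate peer is a known proxy, and read the list from the right, where the trusted proxy wrote its entry. The class and method names, the exact-match trusted proxy set (no CIDR ranges) and all sample addresses are assumptions made for illustration.

```java
import java.net.InetAddress;
import java.util.Set;
import java.util.regex.Pattern;

// Added example: takes request.getRemoteAddr() and the X-Forwarded-For value as
// plain strings, so it compiles and runs without a servlet container.
public class TrustedClientIp {
    private static final String OCTET = "(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)";
    private static final Pattern IPV4 = Pattern.compile("(" + OCTET + "\\.){3}" + OCTET);
    private static final Pattern IPV6_CHARS = Pattern.compile("[0-9A-Fa-f:.]+");

    // Accept IP literals only. The character filter keeps hostnames away from
    // InetAddress.getByName, which would otherwise resolve them through DNS.
    static boolean isIpLiteral(String s) {
        if (IPV4.matcher(s).matches()) return true;
        if (s.indexOf(':') < 0 || !IPV6_CHARS.matcher(s).matches()) return false;
        try {
            InetAddress.getByName(s);
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    static String resolve(String remoteAddr, String xff, Set<String> trustedProxies) {
        // A peer that is not one of our proxies can put anything in the header.
        if (xff == null || !trustedProxies.contains(remoteAddr)) return remoteAddr;
        String[] hops = xff.split(",");
        // Walk right to left: the rightmost entries were appended by our proxies.
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!isIpLiteral(hop)) break;                  // malformed: stop here
            if (!trustedProxies.contains(hop)) return hop; // first hop we do not run
        }
        return remoteAddr; // nothing usable in the header
    }

    public static void main(String[] args) {
        Set<String> proxies = Set.of("10.0.0.5"); // constructed: the Nginx host
        // Client sent "X-Forwarded-For: 1.2.3.4"; Nginx appended the real peer.
        System.out.println(resolve("10.0.0.5", "1.2.3.4, 203.0.113.7", proxies));
        // Request bypassed Nginx and reached the backend directly: header ignored.
        System.out.println(resolve("198.51.100.9", "1.2.3.4", proxies));
        // Malformed rightmost entry: fall back to the peer address.
        System.out.println(resolve("10.0.0.5", "1.2.3.4, not-an-ip", proxies));
    }
}
```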
