Getting the Client's IP Address Using Lucee and ColdFusion
Apr 5

As a long-term ColdFusion developer, I have used CGI environment variables for the last twenty years to extract IP addresses and client variables. However, in this day and age, getting the IP address is much more complex and is no longer a trivial issue.
Table of Contents
- Background
- CGI Environment Variables are Outdated and Have Security Risks
- Using ColdFusion/Lucee to Extract Client Information From HTTP Headers
- The IP Address and Client Information May Not Be Available in the Header
- How to Get the Client IP
- A ColdFusion/Lucee Script to get the Client IP
- Further Reading
Background
When I first started programming, ColdFusion made it easy to extract client information using CGI environment variables. For example, getting the client IP address was simple—you only needed to use the remote_addr CGI environment variable. However, using CGI environment variables today is antiquated and no longer the preferred way to extract client information.
When programming a visitor log for Galaxie Blog (the software that drives the blog you're looking at now), I tried using this CGI variable to extract the client IP and quickly learned I was getting garbage data. Every user seemed to be coming from a blank IP, or worse, 127.0.0.1!
CGI Environment Variables are Outdated and Have Security Risks
While the scope of this article is extracting client data, such as getting the IP and browser information, CGI variables are an outdated technology with several risks. CGI environment information is less reliable and efficient than HTTP headers, which use a newer technology and are an adopted standard for passing information between the client and server.
CGI environment variables also do not always work, especially when proxy servers handle networking traffic. The HTTP header standard offers flexibility when passing client data in various networking environments. If available, the HTTP header information is also more secure and reliable.
Using ColdFusion/Lucee to Extract Client Information From HTTP Headers
Ironically, Lucee and ColdFusion document how to get HTTP header information using the GetHTTPRequestData method, but they do not provide detailed examples of extracting the actual values. One method to acquire the client IP address is:
getHTTPRequestData()['headers']['x-forwarded-for']
However, as we will see, more methods are available.
The IP Address and Client Information May Not Be Available in the Header
While getting client information from the HTTP Headers is preferred, it is up to the network administrators to properly configure the server's headers, and the IP address and client information may not be available. If client information is available, you may have to look in multiple spots to find this information.
It should also be noted that the IP address and client data are unreliable even if the server is configured correctly to pass this information. No matter what method you use, the IP address is never guaranteed to be authentic!
How to Get the Client IP
Using the CGI.Remote_Addr Environment Variable
The client IP address may be available using the CGI Remote_Addr environment variable. However, this may also be the IP address of the proxy server and not the real client IP. If you use CGI.remote_addr and notice that every entry in your logs contains the same IP address, your web server is likely behind a proxy server.
<cfset clientIp = CGI.remote_addr>
Using X-Forwarded-For
The X-Forwarded-For HTTP Header key is the most widely used method for extracting the client's IP. However, this is not a formal standard, and multiple IP addresses can exist. If there are multiple IPs, the originating client IP is usually the first IP in the comma-delimited list. See https://en.wikipedia.org/wiki/X-Forwarded-For for more information.
<cfset clientIp = listGetAt( getHTTPRequestData()['headers']['x-forwarded-for'], 1 )>
The X-Real-Ip
The X-Real-Ip stores the client IP when load balancing is used, or an optional library is installed and configured with nginx servers.
<cfset clientIp = getHttpRequestData().headers["x-real-ip"]>
Using the CF-Connecting-IP Key
The CF-Connecting-IP contains the client IP when your web server is behind a Cloudflare proxy. Cloudflare recommends using this key if available; however, after reading several threads on Reddit, you may have to upgrade your plan to use this key, and Cloudflare always seems to use the same value for the more commonly used X-Forwarded-For key.
<cfset clientIp = getHttpRequestData().headers["cf-connecting-ip"]>
Using Fastly-Client-Ip
Like the CF-Connecting-IP, the fastly-client-ip is a proprietary key that stores the client IP when Fastly proxy servers are used.
<cfset clientIp = getHTTPRequestData()['headers']['fastly-client-ip']>
Using the Forwarded Key
The Forwarded HTTP header is a new standard for getting the client's IP. However, it is not frequently used and has other key-value pairs: by, for, host, and proto. All key-value pairs are optional and can be used in multiple ways. I have never seen this header key used yet and may document it more in the future.
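To make the for key concrete, here is a small parser for the Forwarded header (RFC 7239) that returns the for values hop by hop. It is an added example, not code from Galaxie Blog; the function name forwardedFor and the sample header value are constructed for illustration.

```cfml
<cfscript>
// Added example: collect the for= values of a Forwarded header, left to right.
// Values are client-influenced text and may be "unknown" or an obfuscated
// token such as "_hidden", so validate them before treating them as IPs.
array function forwardedFor( required string headerValue ) {
    var result = [];
    // Each comma-separated element describes one hop.
    for ( var element in listToArray( arguments.headerValue, "," ) ) {
        // Within an element, key=value pairs are separated by semicolons.
        for ( var pair in listToArray( element, ";" ) ) {
            pair = trim( pair );
            if ( lCase( listFirst( pair, "=" ) ) != "for" || listLen( pair, "=" ) < 2 ) {
                continue; // by, host, proto or a malformed pair
            }
            var node = trim( listRest( pair, "=" ) );
            // Strip the surrounding quotes of the quoted-string form.
            node = reReplace( node, '^"|"$', "", "all" );
            if ( left( node, 1 ) == "[" ) {
                // IPv6 is written as [address] with an optional :port.
                node = reReplace( node, "^\[([^\]]*)\].*$", "\1" );
            } else if ( listLen( node, ":" ) == 2 ) {
                // IPv4 with a port: keep the address only.
                node = listFirst( node, ":" );
            }
            arrayAppend( result, node );
        }
    }
    return result;
}

// Constructed sample value using documentation address ranges.
sampleHeader = 'for=192.0.2.43, for="[2001:db8:cafe::17]:4711";proto=https;by=203.0.113.60';
hops = forwardedFor( sampleHeader );
writeDump( hops );
</cfscript>
```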
A ColdFusion/Lucee Script to get the Client IP
Based upon my current research, the following script can be used to get the most authoritative IP.
<!--- Get the HTTP Headers --->
<cfset httpHeaders = getHTTPRequestData()["headers"]>
<!---
If you already know what key you want, and that your server supports the key, you can skip this step and use:
<cfset ipAddress = getHTTPRequestData()["headers"]["x-forwarded-for"]> replace x-forwarded-for with your own desired key.
--->
<!--- Determine if the x-forwarded-for key exists. --->
<cfif structKeyExists(httpHeaders,"x-forwarded-for")>
    <!--- The x-forwarded-for is by far the most common header to get the IP. However, it still may not exist, especially on Windows based servers! --->
    <!--- The header can hold a comma-delimited list; the originating client IP is usually the first entry. --->
    <cfset ipAddress = trim(listFirst(httpHeaders["x-forwarded-for"]))>
<cfelseif structKeyExists(httpHeaders,"x-real-ip")>
    <!--- The x-real-ip is used when load balancing or on nginx servers --->
    <cfset ipAddress = httpHeaders["x-real-ip"]>
<cfelseif structKeyExists(httpHeaders,"cf-connecting-ip")>
    <!--- This is a proprietary Cloudflare header. From what I read, Cloudflare will still configure the x-forwarded-for along with this key and some have complained that the cf-connecting key is only available with an upgraded premium plan --->
    <cfset ipAddress = httpHeaders["cf-connecting-ip"]>
<cfelseif structKeyExists(httpHeaders,"fastly-client-ip")>
    <!--- This is a proprietary Fastly header --->
    <cfset ipAddress = httpHeaders["fastly-client-ip"]>
<cfelse>
    <!--- No forwarding header was found; fall back to the CGI variable --->
    <cfset ipAddress = CGI.Remote_Addr>
</cfif>
<!--- The value comes from a request header, so encode it before writing it into the page --->
<cfoutput>ipAddress: #encodeForHTML(ipAddress)#</cfoutput>
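Because the forwarding headers are never guaranteed to be authentic, one way to harden the lookup is to honour X-Forwarded-For only when the request arrived from a proxy you operate, and to read the list from the right, where your own proxy wrote its entry. This is an added example, not part of Galaxie Blog; the trustedProxies addresses are placeholders and the function names are assumptions.

```cfml
<cfscript>
// Added example. trustedProxies holds placeholder addresses (assumption):
// list only the proxies or load balancers that really front your server.
trustedProxies = [ "127.0.0.1", "::1", "10.0.0.5" ];

// Loose syntax check so header junk never reaches a log or a query.
boolean function looksLikeIp( required string value ) {
    var octet = "(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])";
    var ipv4 = "^(" & octet & "\.){3}" & octet & "$";
    var ipv6 = "^[0-9A-Fa-f:]{2,39}$";
    return reFind( ipv4, arguments.value ) > 0
        || ( find( ":", arguments.value ) > 0 && reFind( ipv6, arguments.value ) > 0 );
}

// peerIp is the TCP peer (CGI.remote_addr); headers is getHTTPRequestData().headers.
string function resolveClientIp( required string peerIp, required struct headers, required array trusted ) {
    // Direct connection: any forwarding header was written by the client itself.
    if ( arrayFind( arguments.trusted, arguments.peerIp ) == 0 ) {
        return arguments.peerIp;
    }
    if ( !structKeyExists( arguments.headers, "x-forwarded-for" ) ) {
        return arguments.peerIp;
    }
    // Each proxy appends the address it saw, so walk right to left and stop
    // at the first hop that is not one of our own proxies.
    var hops = listToArray( arguments.headers[ "x-forwarded-for" ], "," );
    for ( var i = arrayLen( hops ); i >= 1; i-- ) {
        var hop = trim( hops[ i ] );
        if ( !looksLikeIp( hop ) ) {
            return arguments.peerIp; // malformed entry: distrust the whole header
        }
        if ( arrayFind( arguments.trusted, hop ) == 0 ) {
            return hop;
        }
    }
    return arguments.peerIp;
}

// Constructed sample: the client sent its own X-Forwarded-For value and the
// trusted proxy at 10.0.0.5 appended the address it actually saw.
sample = { "x-forwarded-for" = "1.2.3.4, 203.0.113.7" };
fromProxy = resolveClientIp( "10.0.0.5", sample, trustedProxies );
direct = resolveClientIp( "198.51.100.9", sample, trustedProxies );

// Live request.
clientIp = resolveClientIp( CGI.remote_addr, getHTTPRequestData().headers, trustedProxies );
</cfscript>
```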
Further Reading
Tags
Client IP Address, ColdFusion, Lucee
Gregory Alexander
Hi, my name is Gregory! I have several degrees in computer graphics and multimedia authoring, and I have been developing enterprise web applications for the last 25 years. I love web technologies and the outdoors and am passionate about giving back to the community.
This entry was posted on April 5, 2025 at 3:52 PM and has received 36 views.