If your website is behind a reverse proxy (Nginx, Apache2, HA Proxy, pound, squid, …), you will find that the built in Session.RemoteAddress (or request.RemoteAddress) will give you the IP address of your reverse proxy, and not the client making the request. This function will try to help with that.
This will NOT work if you are using TCP or NAT port forwards.
Var RetVal As String = Session.RemoteAddress // IMPORTANT NOTE: This will only work where a reverse HTTP(S) proxy is being used. If your solution is based on: // * A TCP proxy, there will be no header, and the RemoteAddress will ALWAYS point to the TCP proxy server. // * Firewall port forwarding, there will also be NO header, but the RemoteAddress MAY point to a valid IP (or it may not). // - - - - - - - - - - START LOOKING FOR REVERSE PROXY ADDRESS // FrontEndProxies should be a comprehensive list of all reverse proxies. // If an IP address is in this list, we need to look for another IP. If not in this list, we assume that it's a valid IP address. // If we will only ever be accessed via a reverse proxy, we can safely ignore this first section. // Note spaces at the beginning and the end. This is to help find a full match and not a partial match. Var FrontEndProxies As String = " 127.0.0.1 x.x.x.x " If FrontEndProxies.IndexOf(" " + RetVal + " ") = -1 Then Return RetVal // Return address if it's not in a list of possible frontend proxies // - - - - - - - - - - STOP LOOKING FOR REVERSE PROXY ADDRESS //NOTE: Since you presumably set up the reverse proxy yourself, or had someone do it for you, or are using an existing service, // you should know which header is being used. This is here for you to find out in case you do not already know. Once you // know what is being used, comment out the rest. d("Session.RemoteAddress appears to be a reverse proxy. Looking for real IP...") RetVal = Session.Header("X-Real-IP") if RetVal <> "" Then d("Using X-Real-IP") Return RetVal end if RetVal = Session.Header("X-Forwarded-For").NthField(", ", 1) if RetVal <> "" Then d("Using X-Forwarded-For") Return RetVal end if RetVal = Session.RemoteAddress d("Using Session.RemoteAddress after all. Are you using a TCP proxy instead of a web proxy?") Return RetVal // Parts of this solution come from Tobias Bussman's code posted here: https://forum.xojo.com/t/reverse-proxy-ip-and-ssl/19096/3
One last note. If you are NOT using a reverse proxy, you really should consider doing so. While not required in some instances, in most instances a reverse proxy offers many benefits, including improved security and reduced server load.