需求分析
- 目标:从 Nginx 访问日志中提取“真实客户端 IPv4”
- 规则:
- 若存在 X-Forwarded-For,则优先选取其中“首个公网 IPv4”
- 仅匹配公网 IPv4,跳过以下网段:127.0.0.0/8(回环)、10.0.0.0/8、172.16.0.0/12、192.168.0.0/16(私有)、169.254.0.0/16(链路本地,附加排除,常见于真实环境)
- 若 X-Forwarded-For 不存在或其中没有公网 IPv4,则回退到日志行首的客户端 IP(同样仅限公网)
- 日志示例(需命中):
- 198.51.100.23 - - [2025-06-01T12:41:22+08:00] "GET /api" 200
- 203.0.113.5 - - [2025-06-01] "GET /" 200 "X-Forwarded-For: 10.0.0.2, 203.0.113.5"
正则表达式
最终组合(展示为 Java 中的字符串):
- (?:\bX-Forwarded-For\s*:\s*(?:\s*(?:PRIVATE_IP)\s*,)\s(?PUBLIC_IP)\b)|(?:^\s*(?PUBLIC_IP)\b)
捕获组说明:
- 命名组 xff:当存在 X-Forwarded-For 且其中包含公网 IPv4 时,捕获该列表里“首个公网” IP
- 命名组 remote:当未从 X-Forwarded-For 取到公网 IP 时,回退捕获行首的公网 IP
- 使用逻辑:优先取 group("xff"),若为空再取 group("remote")
Java代码实现
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
public class NginxClientIpExtractor {
// 八位组 0-255
private static final String OCTET = "(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)";
// 通用 IPv4
private static final String IPV4 = OCTET + "(?:\\." + OCTET + "){3}";
// 需跳过的私有/回环/链路本地网段
private static final String PRIVATE_IP =
"(?:"
+ "10\\." + OCTET + "\\." + OCTET + "\\." + OCTET
+ "|192\\.168\\." + OCTET + "\\." + OCTET
+ "|172\\.(?:1[6-9]|2\\d|3[0-1])\\." + OCTET + "\\." + OCTET
+ "|127\\." + OCTET + "\\." + OCTET + "\\." + OCTET
+ "|169\\.254\\." + OCTET + "\\." + OCTET
+ ")";
// 公网 IPv4(用前缀否定前瞻排除上述网段)
private static final String PUBLIC_IPV4 =
"(?!(?:10|127)\\.|192\\.168\\.|169\\.254\\.|172\\.(?:1[6-9]|2\\d|3[0-1])\\.)" + IPV4;
// 完整提取模式:
// 1) XFF: 跳过若干私网IP + 捕获首个公网IP 到命名组 xff
// 2) 行首: 捕获公网IP 到命名组 remote
private static final String REGEX =
"(?:\\bX-Forwarded-For\\s*:\\s*(?:\\s*(?:" + PRIVATE_IP + ")\\s*,)*\\s*(?<xff>" + PUBLIC_IPV4 + ")\\b)"
+ "|(?:^\\s*(?<remote>" + PUBLIC_IPV4 + ")\\b)";
// 编译 Pattern(大小写不敏感即可匹配 X-Forwarded-For 大小写变体)
private static final Pattern PATTERN = Pattern.compile(REGEX, Pattern.CASE_INSENSITIVE);
/**
* 从单行 Nginx 访问日志中提取真实客户端公网 IPv4。
* 优先 X-Forwarded-For 中首个公网 IP;否则回退到行首公网 IP;都没有则返回 Optional.empty()。
*/
public static Optional<String> extractClientIp(String logLine) {
if (logLine == null || logLine.isEmpty()) {
return Optional.empty();
}
Matcher m = PATTERN.matcher(logLine);
if (!m.find()) {
return Optional.empty();
}
String ip = m.group("xff");
if (ip == null) {
ip = m.group("remote");
}
return Optional.ofNullable(ip);
}
// 示例演示
public static void main(String[] args) {
String l1 = "198.51.100.23 - - [2025-06-01T12:41:22+08:00] \"GET /api\" 200";
String l2 = "203.0.113.5 - - [2025-06-01] \"GET /\" 200 \"X-Forwarded-For: 10.0.0.2, 203.0.113.5\"";
System.out.println(extractClientIp(l1).orElse("<none>")); // 198.51.100.23
System.out.println(extractClientIp(l2).orElse("<none>")); // 203.0.113.5
}
}
使用说明
- 将 NginxClientIpExtractor 集成到日志处理流水线中,对每一条日志调用 extractClientIp(line)
- 返回值为 Optional,存在时即为“真实客户端公网 IPv4”
- 已内建优先级:X-Forwarded-For 首个公网 IP > 行首公网 IP
- 性能建议:保持 PATTERN 单例复用;避免在高频路径重复编译
- 适用范围:IPv4;若需要 IPv6 或 Forwarded 规范头(for=...),需扩展
测试示例
使用 JUnit 5 的单元测试,覆盖边界与典型场景。
import org.junit.jupiter.api.Test;
import java.util.Optional;
import static org.junit.jupiter.api.Assertions.*;
public class NginxClientIpExtractorTest {
@Test
void test_NoXff_UseRemoteAddr_Public() {
String line = "198.51.100.23 - - [2025-06-01T12:41:22+08:00] \"GET /api\" 200";
assertEquals(Optional.of("198.51.100.23"), NginxClientIpExtractor.extractClientIp(line));
}
@Test
void test_Xff_FirstPublicChosen() {
String line = "203.0.113.5 - - [2025-06-01] \"GET /\" 200 \"X-Forwarded-For: 10.0.0.2, 203.0.113.5\"";
assertEquals(Optional.of("203.0.113.5"), NginxClientIpExtractor.extractClientIp(line));
}
@Test
void test_Xff_AllPrivate_FallbackToRemotePublic() {
String line = "203.0.113.9 - - [2025-06-01] \"GET /\" 200 \"X-Forwarded-For: 10.0.0.1, 172.31.2.3, 192.168.1.9\"";
assertEquals(Optional.of("203.0.113.9"), NginxClientIpExtractor.extractClientIp(line));
}
@Test
void test_NoXff_RemoteIsPrivate_NoResult() {
String line = "10.1.2.3 - - [2025-06-01] \"GET /\" 200";
assertTrue(NginxClientIpExtractor.extractClientIp(line).isEmpty());
}
@Test
void test_Xff_SkipLoopback_ThenPublic() {
String line = "10.0.0.9 - - [2025-06-01] \"GET /\" 200 \"X-Forwarded-For: 127.0.0.1, 198.51.100.77\"";
assertEquals(Optional.of("198.51.100.77"), NginxClientIpExtractor.extractClientIp(line));
}
@Test
void test_Xff_SpacesAndMixed() {
String line = "203.0.113.10 - - [2025-06-01] \"GET /\" 200 \"X-Forwarded-For: 10.0.0.1 , 203.0.113.88 , 192.168.1.1\"";
assertEquals(Optional.of("203.0.113.88"), NginxClientIpExtractor.extractClientIp(line));
}
@Test
void test_172_15_IsPublic_NotExcluded() {
String line = "172.15.1.2 - - [2025-06-01] \"GET /\" 200";
assertEquals(Optional.of("172.15.1.2"), NginxClientIpExtractor.extractClientIp(line));
}
@Test
void test_169_254_Excluded() {
String line = "169.254.1.2 - - [2025-06-01] \"GET /\" 200";
assertTrue(NginxClientIpExtractor.extractClientIp(line).isEmpty());
}
@Test
void test_MalformedOrEmptyLine() {
assertTrue(NginxClientIpExtractor.extractClientIp("").isEmpty());
assertTrue(NginxClientIpExtractor.extractClientIp(null).isEmpty());
}
}
预期结果(部分):
- 示例1返回 198.51.100.23
- 示例2返回 203.0.113.5
- 所有 private/loopback/link-local-only 情况返回 empty
- 172.15.x.x 作为公网返回该地址
最佳实践
- 预编译并复用 Pattern,避免每行重复编译造成 CPU 消耗
- X-Forwarded-For 中仅解析第一个公网地址,避免“任意一个公网地址”误判(遵循标准代理链语义)
- 若业务还需识别 CGNAT(100.64.0.0/10)或保留地址(0.0.0.0/8、240.0.0.0/4 等),可在 PRIVATE_IP 与 PUBLIC_IPV4 的否定前瞻中补充排除前缀
- 真实生产中可能存在 IPv6 或 Forwarded 标准头(Forwarded: for=...);如需支持,请并行增加 IPv6 模式与对应解析逻辑
- 记录无法解析或无公网 IP 的行,便于上游网关/代理配置核查
