What is a Client IP?

The client IP address identifies where a request comes from on the internet. It’s like a return address that allows servers to send responses back to the right place.
MDN Web Docs: Read more on IP addresses.

Understanding IP Addresses

IPv4 vs IPv6

  • IPv4: Traditional format like 192.168.1.1 (4 billion addresses)
  • IPv6: Newer format like 2001:0db8:85a3::8a2e:0370:7334 (340 undecillion addresses)

Public vs Private IPs

  • Public: Routable on internet (8.8.8.8)
  • Private: Internal networks (10.x.x.x, 192.168.x.x, 172.16-31.x.x)

Special IP Ranges

  • Localhost: 127.0.0.1 (the computer itself)
  • Documentation: 192.0.2.0/24 (example IPs)
  • Cloudflare: 1.1.1.1 (DNS)
  • Google DNS: 8.8.8.8 (DNS)

How IPs Work with Web Traffic

Real client IPs can be tricky to identify:
  1. Direct Connection: Client IP is straightforward
  2. Behind NAT: Multiple users share one public IP
  3. Through Proxy: Proxy IP appears as client
  4. Via CDN: CDN forwards real IP in headers
  5. Using VPN: VPN server IP masks real location

IP Address Challenges

  • Same IP might be many users (office, cafe WiFi)
  • User’s IP can change (mobile networks)
  • VPNs/proxies hide real IPs
  • IPv6 privacy extensions rotate addresses

Using Client IP in Policies

Basic Examples

Block specific IP:
Field Type: Client IP
Operator: equals
Value: 203.0.113.5
Action: Block

Allow office network only:
Field Type: Client IP
Operator: not in range
Value: 10.0.0.0/8
AND
Field Type: Request Path
Operator: starts with
Value: /internal
Action: Block

Advanced Patterns

Geographic restrictions:
Field Type: Client IP
Operator: in country
Value: CN, RU, KP
Action: Challenge

Rate limiting by IP:
Field Type: Client IP
Operator: any
Window: 1 minute
Threshold: 100
Action: Challenge

Common IP Patterns

Suspicious Patterns

  • Rapid location changes: Same session, different countries
  • Impossible travel: Login from NYC, then Tokyo 1 hour later
  • Data center IPs: For consumer services
  • Known bad IPs: Threat intelligence lists

Legitimate Patterns

  • Mobile networks: IPs change frequently
  • Corporate VPNs: Shared IPs for employees
  • Public WiFi: Many users, one IP
  • CDN/Proxy: Headers show real IP

Best Practices

DO:

  • Use IP ranges instead of individual IPs when possible
  • Consider proxy headers like X-Forwarded-For
  • Combine with other signals for better accuracy
  • Allow for IP changes in mobile scenarios
  • Maintain IP allowlists for trusted sources
  • Monitor before blocking to understand patterns

DON’T:

  • Rely on IP alone for user identification
  • Block entire countries without business reason
  • Ignore IPv6 - increasingly common
  • Trust client-provided IPs in headers
  • Forget about shared IPs - NAT, public WiFi

Working with Proxies and CDNs

Real IP Headers

# Check various headers for real IP
X-Forwarded-For: client, proxy1, proxy2
X-Real-IP: client
CF-Connecting-IP: client # Cloudflare
True-Client-IP: client # Akamai

Policy for Real IP

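# Only safe when a proxy you control sets or overwrites X-Forwarded-For;
# otherwise the first entry is a client-provided value
Field Type: Header
Field Reference: X-Forwarded-For
Operator: starts with
Value: 10.0.0
Action: Allow # Internal network through proxy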
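
Added example (not from the original documentation or the product's own code): a Python function that resolves the client IP from `X-Forwarded-For` by walking the list right to left through known proxies, next to the leftmost-entry reading that a raw "starts with" match relies on. The `TRUSTED_PROXIES` networks, the function names and the sample requests are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: addresses of proxies you operate or contract (constructed values).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.2/32", "198.51.100.0/24")]

def is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)

def leftmost_entry(xff):
    """What a 'starts with' match on the raw header effectively inspects."""
    return xff.split(",")[0].strip()

def resolve_client_ip(peer_addr, xff):
    """Return the address to evaluate policies against.

    peer_addr is the TCP peer of the connection; xff is the raw
    X-Forwarded-For value, or None when the header is absent.
    """
    peer = ipaddress.ip_address(peer_addr)
    # A peer that is not one of our proxies can send any header value: ignore it.
    if not xff or not is_trusted(peer):
        return str(peer)
    client = peer
    # Each proxy appends the address it received the request from, so only the
    # right-hand entries written by trusted hops are reliable. Walk right to left.
    for token in reversed(xff.split(",")):
        try:
            hop = ipaddress.ip_address(token.strip())
        except ValueError:
            break  # unparseable entry: keep the last address we could verify
        client = hop
        if not is_trusted(hop):
            break  # first hop outside our infrastructure is the client
    return str(client)

if __name__ == "__main__":
    # Constructed requests: (TCP peer, X-Forwarded-For header)
    samples = [
        ("10.0.0.2", "192.0.2.44, 198.51.100.10"),             # CDN -> load balancer
        ("10.0.0.2", "10.0.0.7, 203.0.113.5, 198.51.100.10"),  # client sent its own XFF
        ("203.0.113.5", "10.0.0.7"),                           # direct, header forged
    ]
    for peer, xff in samples:
        print(f"{xff!r:45} leftmost={leftmost_entry(xff):12} resolved={resolve_client_ip(peer, xff)}")
```

In the second and third samples the leftmost entry is `10.0.0.7`, which the client supplied itself, while the resolved address is the one a trusted hop actually observed.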

Geographic Considerations

Country-Based Policies

# Block high-risk countries for payment
Field Type: Request Path
Operator: equals
Value: /checkout
AND
Field Type: Client IP Country
Operator: in
Value: [high_risk_countries]
Action: Challenge

Compliance Requirements

# GDPR compliance - EU traffic only
Field Type: Client IP Region
Operator: not equals
Value: EU
AND
Field Type: Request Path
Operator: starts with
Value: /eu-services
Action: Block

IP Forensics

Investigation Techniques
  1. Reverse DNS lookup: Find hostname
  2. WHOIS query: Identify owner
  3. Geolocation: Approximate location
  4. ASN lookup: Network operator
  5. Reputation check: Known issues

Troubleshooting

“Wrong IP in logs”
  • Check proxy/CDN configuration
  • Verify header extraction order
  • Confirm load balancer settings
  • Test with known IP sources

“Blocking legitimate users”
  • Shared IPs (offices, cafes)
  • VPN users (privacy-conscious)
  • Mobile network IP changes
  • Proxy/CDN misconfiguration

Advanced Patterns