How do I get user IP address in Django?

Mastering the art of proxy-dealing and forwarded IPs

Remember, when a request has been on a tour across one or more proxies, the HTTP_X_FORWARDED_FOR header can accommodate multiple IP addresses, separated by commas. The client's actual IP is often the last one in this list. However, a reverse proxy setup may play hide and seek and stash the actual client IP at other positions. Hence, it's crucial to validate proxy trustworthiness and configurations always.

Consider using Django-ipware, a helper package designed for rescue. It provides a utility function get_client_ip(request) that fetches the client's IP address, handling multiple IPs in the X-Forwarded-For header and even respects custom order of trusted proxies and IP count.

Don't forget GeoIP compatibility

When dealing with geo-localization services, you need to ensure that the IP address you pass is not a private or internal one, which would be like showing an 'out of service' sign. So, make sure you are using the correct and compatible external IP.

Platform Specific Notes: Apache and Heroku

Running Django with an Apache server using reverse proxies? You may need to configure mod_rpaf to make sure that the IP address Django sees is the real client's IP and not the address of an imposter proxy.

If your Django app is living on platforms like Heroku, refer to their specific "dog-eared" documentation for details on how they handle IP addresses and which headers they recommend for use.

Protection while dealing with missing headers

In cases where HTTP_X_FORWARDED_FOR header is not present or could potentially return private IP addresses (like living in a no-Internet zone), it is essential to have a fail-safe mechanism that falls back to REMOTE_ADDR, the "home address" representing the directly connected client's IP.

Dealing with different IP retrieval scenarios

Django can find itself deployed in a diverse set of environments, each offering distinct challenges in IP detection:

Working with CDN or Load Balancer

When your server is operating with services like Cloudflare or is behind a load balancer, the HTTP_X_FORWARDED_FOR might contain a "guest list", carrying several IPs. It's essential to pick the right "guest' or knowing your infrastructure well to parse the list accurately.

Handling Distributed Systems

Distributed microservices architectures or cases where your Django app receives forwarded requests from internal services, IP headers can include unwanted visitors or internal IPs. Filtering these out maintains the integrity of client's IP data.

Dealing with Reverse Proxies

A tricky instance can be when Django is deployed with reverse proxies. In such cases, you must ensure that Django accepts the X-Forwarded-For header as this could be a security risk if altered by an attacker.

Supporting IPv4 and IPv6

IP addresses can come in different tastes - IPv4 or IPv6. Be prepared to handle both. Your server may see an IPv6 address if the user is on a modern network and if your server supports it.

Adopting Security Measures

Remember, IP addresses like any other input should always be treated as untrusted. Avoid using it directly for critical decisons without validation.

Best Practices and Edge Cases

For thorough understanding, always refer to Django's documentation and stay updated with best practices for changes in handling request metadata.

Django-ipware library provides an excellent out-of-the-box solution for most IP retrieval cases. Install with pip install django-ipware and rejoice, it comes with configurations for setting trusted proxies and a custom count of proxies to jump through.