How to pass the client IP when Nginx acts as a reverse proxy

  • 2020-05-12 06:31:55
  • OfStack

The default nginx configuration file contains no settings for forwarding the client IP to the back end for logging, so they have to be added by hand. The steps also differ depending on the real server on the back end, so several cases are illustrated here.

Nginx as the front end, passing the client IP to a back-end Nginx server:

The architecture requires a multi-level Nginx reverse proxy, but the client IP obtained by the back-end program is the IP of the front-end Nginx. The root of the problem is that the back-end Nginx does not get the correct value when it takes the client IP from the HTTP header.
The same applies if the front end is Squid or another reverse proxy.

First, configure the front-end Nginx to forward the client IP:


location / {
    proxy_pass http://localhost:8000;

    # Forward the user's IP address to Rails
    proxy_set_header X-Real-IP $remote_addr;
    # needed for HTTPS
    # proxy_set_header X_FORWARDED_PROTO https;
    # Append the connecting address to any X-Forwarded-For chain already present
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
    proxy_redirect off;
}

The back-end Nginx needs one module, NginxHttpRealIpModule, which is not compiled in by default, so Nginx has to be recompiled and reinstalled with --with-http_realip_module added to the configure options. Nginx supports hot replacement when it is upgraded or when modules are added or removed, which avoids a service interruption.

After the upgrade, configure NginxHttpRealIpModule. set_real_ip_from lists the IP addresses of the front-end Nginx or Squid, the only sources whose header is trusted:


location / {
    proxy_pass http://localhost:8000;

    # Forward the user's IP address to Rails
    proxy_set_header X-Real-IP $remote_addr;
    # needed for HTTPS
    # proxy_set_header X_FORWARDED_PROTO https;
    # Append the connecting address to any X-Forwarded-For chain already present
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
    proxy_redirect off;

    # NginxHttpRealIpModule: accept X-Real-IP only from these front-end proxies
    set_real_ip_from 192.168.1.0/24;
    set_real_ip_from 192.168.2.1;
    real_ip_header X-Real-IP;
}

Finally, remember to reload the Nginx configuration.
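The front-end configuration above appends to whatever X-Forwarded-For value the client sent, so only the entries added by your own proxies can be believed. The following is an added example, not code from the original article and not nginx's implementation: it applies the set_real_ip_from idea to a full X-Forwarded-For chain. The function names and the sample addresses are hypothetical, and the trusted list reuses the set_real_ip_from values shown above.

```python
import ipaddress

# Trusted proxies: the set_real_ip_from values from the configuration above.
TRUSTED = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "192.168.2.1/32")]


def is_trusted(addr, trusted=TRUSTED):
    """True if addr parses as an IP address inside a trusted proxy network."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def real_client_ip(peer_addr, forwarded_for, trusted=TRUSTED):
    """Pick the client IP from X-Forwarded-For, trusting only known proxies.

    peer_addr     -- source address of the connection ($remote_addr in nginx)
    forwarded_for -- raw X-Forwarded-For header value, or None if absent
    """
    # A header sent by anything other than a known proxy is client-controlled.
    if not forwarded_for or not is_trusted(peer_addr, trusted):
        return peer_addr
    # Each proxy appends the address it saw, so walk from right to left and
    # stop at the first hop that is not one of our own proxies.
    for hop in reversed([h.strip() for h in forwarded_for.split(",")]):
        if is_trusted(hop, trusted):
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            return peer_addr  # malformed entry: never record it as an address
    return peer_addr  # assumption: if every hop is a proxy, keep the peer


if __name__ == "__main__":
    # Constructed sample: the client 203.0.113.7 sent a forged "1.2.3.4";
    # the edge proxy 192.168.2.1 and an inner proxy 192.168.1.10 appended.
    header = "1.2.3.4, 203.0.113.7, 192.168.2.1"
    print(real_client_ip("192.168.1.10", header))   # trusted peer
    print(real_client_ip("198.51.100.9", header))   # untrusted peer
```

The forged leftmost entry is never returned, and a request that reaches the back end directly from an address outside the trusted list is logged under its own connection address.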

Nginx as the front end, passing the client IP to a back-end Apache server:

Apache's default log format uses %h for the IP address of the visiting client, but behind the nginx proxy the address that %h records will not be correct.
To get the client's true IP address, the X-Forwarded-For parameter has to be set in both the nginx and Apache configuration files, so that the true address of clients coming through the reverse proxy can be traced.
Add the following parameters to /usr/nginx/conf/nginx.conf:


proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Real-IP $remote_addr;

At the same time, modify the server block:


server {
    listen 80;
    server_name <domain name>;
    proxy_redirect off;
    location / {
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header Host $host;
        proxy_pass http://<domain name>;
    }
    access_log off;
}

Restart nginx to enable the configuration.

On the Apache side, the third-party module "mod_rpaf" needs to be installed. Official website: http://stderr.net/apache/rpaf/


wget http://stderr.net/apache/rpaf/download/mod_rpaf-0.6.tar.gz 
tar zxvf mod_rpaf-0.6.tar.gz 
cd mod_rpaf-0.6 
/opt/apache/bin/apxs -i -c -n mod_rpaf-2.0.so mod_rpaf-2.0.c

Modify the Apache configuration file /usr/apache2/conf/httpd.conf:


LoadModule rpaf_module modules/mod_rpaf-2.0.so
RPAFenable On
RPAFsethostname On
# IP address of the host running Nginx
RPAFproxy_ips <ip address>
RPAFheader X-Forwarded-For

Restart Apache and check the log: it now shows the real client IP.

Nginx as the front end, passing the client IP to a back-end IIS server:

If IIS is placed behind the reverse proxy, the IP in its log is that of the reverse proxy server, not that of the real user. To record the user's IP, you need to do two things.

1. Set the X-Forwarded-For header on the reverse proxy. The following is a configuration example for nginx:


server
{
    location
    {
        ...
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        ...
    }
}

2. Install the following ISAPI filter on the IIS site. It comes from the F5 development forum; according to its developers, it solves the problem of IIS being unable to record the user's IP once it is placed behind an F5. It can be used whether the proxy is F5, nginx, Squid or HAProxy. After loading it, restart IIS and you're done.
http://devcentral.f5.com/weblogs/Joe/archive/2009/08/19/x_forwarded_for_log_filter_for_windows_servers.aspx
Looking at the IIS log again, the IP in it is now the real IP of the user.

