Shulou(Shulou.com)05/31 Report--

In this article, the editor introduces in detail "how to configure the proxy protocol protocol in nginx", the content is detailed, the steps are clear, and the details are handled properly. I hope that this article "how to configure the proxy protocol protocol in nginx" can help you solve your doubts.

Application of proxy protocol in nginx

We know that nginx is a web server and proxy server, which usually works behind proxy server or load balancing software (Haproxy,Amazon Elastic Load Balancer (ELB).

The client first requests proxy server or LSB load balancing software, and then goes to nginx for real web access.

Because of the multi-layer software, some client information such as ip address and port number may be hidden, which is disadvantageous to our problem analysis and data statistics. Because for nginx, we want to be able to get the real client IP address, so that we can get the real request environment.

PROXY protocol is needed in this case.

If the proxy or LSB mentioned above all implement the PROXY protocol protocol, be it HTTP, SSL, HTTP/2, SPDY, WebSocket or TCP protocol, nginx can get the original IP address of the client and perform some special operations according to the original IP address, such as blocking malicious IP access, displaying different languages or pages according to IP, or simpler logging and statistics.

Of course, if you want to support PROXY protocol, the version of nginx is also required. The specific version requirements are as follows:

To support PROXY protocol v2, you need NGINX Plus R16 or NGINX Open Source 1.13.11.

To support ROXY protocol for HTTP, you need either NGINX Plus R3 or NGINX Open Source 1.5.12.

To support TCP client-side PROXY protocol, you need either NGINX Plus R7 or NGINX Open Source 1.9.3.

To support PROXY protocol for TCP, you need either NGINX Plus R11 or NGINX Open Source 1.11.4.

In nginx, you can obtain the corresponding client information through the following variables, as shown below:

$proxy_protocol_addr and $proxy_protocol_port represent the IP address and port number of the original client, respectively.

$remote_addr and $remote_port represent the IP address and port of load balancer.

If you use the RealIP extension module, the module overrides the values of $remote_addr and $remote_port and replaces them with the IP address and port number of the original client.

Then use $realip_remote_addr and $realip_remote_port to represent the IP address and port of load balancer.

In the RealIP extension module, the meaning of $proxy_protocol_addr and $proxy_protocol_port remains the same, but the IP address and port number of the original client.

Configure to use proxy protocol in nginx

Above we mentioned the basic application of proxy protocol in nginx, let's talk about how to configure it in nginx.

Enable proxy protocol in nginx

If your nginx is already a proxy protocol-enabled version, it's easy to enable proxy protocol by adding proxy_protocol to the listen in server, as shown below:

Http {#... Server {listen 80 proxy_protocol; listen 443 ssl proxy_protocol; #...}} stream {#... Server {listen 112233 proxy_protocol; #...}}

Perhaps what you are familiar with is http block, which represents nginx's support for http/https. The stream module may be unfamiliar to everyone, which is the support for the tcp/udp protocol provided by nginx.

Through the above configuration, nginx can support proxy protocol in both tcp/udp and http/https protocols.

Use Real-IP modules

Real-IP modules is a module that comes with nginx. You can check whether the real-ip module is installed in nginx by using the following command:

Nginx-V2 > & 1 | grep-'http_realip_module'nginx-V2 > & 1 | grep -' stream_realip_module'

If the version you are using does not have real ip, don't worry, you may need to compile from the source code.

During the compilation process, we need to execute a configure command in which you can specify the functions to be turned on, such as stream or http_ssl_module:

$. / configure--sbin-path=/usr/local/nginx/nginx--conf-path=/usr/local/nginx/nginx.conf--pid-path=/usr/local/nginx/nginx.pid--with-pcre=../pcre-8.44--with-zlib=../zlib-1.2.11--with-http_ssl_module--with-stream--with-mail

If you want to enable the real-ip feature, you can add:

-- with-http_realip_module

If nginx runs after SLB or proxy, you can specify the IP range of the proxy or load balancer server through the set_real_ip_from command, as shown below:

Server {#... Set_real_ip_from 192.168.1.0 Compact 24; #...}

Then we need to replace the IP address of proxy or SLB with the address of the real client, so we can use:

Http {server {#... Real_ip_header proxy_protocol;}} request forwarding

Both http and stream block may encounter requests being forwarded to subsequent upstream. For upstream, if they want to receive the real client IP address instead of proxy or slb address, you can use the following settings to solve the problem:

Http {proxy_set_header X-Real-IP $proxy_protocol_addr; proxy_set_header X-Forwarded-For $proxy_protocol_addr;} stream {server {listen 12345; proxy_pass example.com:12345; proxy_protocol on;}}

Http and stream are set up differently.

Log record

Logging is a very important function, which is very useful for locating problems and performing statistical analysis of data. of course, what we need is the real client IP address.

We can log the corresponding logs in http and stream block by using the variable $proxy_protocol_addr, as shown below:

Http {#... Log_format combined'$proxy_protocol_addr-$remote_user [$time_local]'"$request" $status $body_bytes_sent''"$http_referer"$http_user_agent";} stream {#. Log_format basic'$proxy_protocol_addr-$remote_user [$time_local]'$protocol $status $bytes_sent $bytes_received''$session_time' } after reading this, the article "how to configure the use of proxy protocol protocol in nginx" has been introduced. If you want to master the knowledge of this article, you still need to practice and use it. If you want to learn more about related articles, please follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.