
Nginx basics: how to use the realip module

2025-02-25 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

This article shows how to use the Nginx realip module. The content is simple and easy to follow, so let's take a look.

Realip module

Purpose: when this Nginx sits behind a reverse proxy, it can still obtain the user's real IP address.

Use: the realip function requires Nginx to include the ngx_http_realip_module module, which is not compiled in by default. To add it, enable the --with-http_realip_module option at compile time.

Realip scope

set_real_ip_from, real_ip_header, and real_ip_recursive can all be used in the http, server, and location configuration contexts.

Explanation of some realip parameters

set_real_ip_from: sets the reverse proxy server, that is, the trusted server IP

real_ip_header X-Forwarded-For: the user's real IP is carried in the X-Forwarded-For request header

real_ip_recursive:

off: the last IP in the HTTP header specified by real_ip_header is taken as the real IP

on: the last IP in the HTTP header specified by real_ip_header that is not a trusted server is taken as the real IP

Explanation of X-Forwarded-For, X-Real-IP and Remote Address in the HTTP header

X-Forwarded-For is an HTTP extension header carried in the request, used to represent the real IP of the HTTP client.

The format is as follows:

X-Forwarded-For: client, proxy1, proxy2

An Nginx proxy is generally configured as follows:

proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

Explanation:

X-Forwarded-For: Nginx appends to it, but the earlier part comes from the request header that Nginx received, which is not very credible. Only values that conform to the IP format should be used; otherwise it is easy to introduce XSS or SQL injection vulnerabilities.

Remote Address: the HTTP protocol has no concept of IP. Remote Address comes from the TCP connection and represents the IP of the device that established the TCP connection with the server. Therefore, Remote Address cannot be forged.

X-Real-IP: used by an HTTP proxy to represent the IP of the device that made the TCP connection to it, which may be another proxy or the real client.

An example of realip function

Here is a simple architectural diagram:

Hypothesis 1:

1. If Nginx does not use the realip module, the X-Forwarded-For header seen by the second Nginx is 1.1.1.1, but the remote_addr address is 2.2.2.2. In this case, the application service can obtain the user's real IP from the X-Forwarded-For field. The risk is that if there are more layers of reverse proxy in between, you will not be able to get a single real user IP.

2. If Nginx uses the realip module with the settings below, Nginx takes the last IP in X-Forwarded-For, that is, 2.2.2.2, as the real IP. The address the application service finally gets is 2.2.2.2, which is in fact not the user's IP.

set_real_ip_from 2.2.2.2;
set_real_ip_from 2.2.2.3;
real_ip_header X-Forwarded-For;
real_ip_recursive off;

3. If Nginx uses the realip module with the settings below, then since 2.2.2.2 is a trusted server IP, Nginx keeps looking further back in the header, finds that 1.1.1.1 is not a trusted server IP, and treats it as the real IP. 1.1.1.1 is in fact the user's IP, so the application service ends up with the user's single real IP.

set_real_ip_from 2.2.2.2;
real_ip_header X-Forwarded-For;
real_ip_recursive on;

The above covers how to use the realip module in basic Nginx learning. If you have learned something, you can share it for more people to see.
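The selection rule for real_ip_recursive off and on described above, as a simplified Python model (an added example, not part of the original article and not Nginx's own code). The function name, the 2.2.2.3 peer address and the sample header values are constructed for illustration; the model ignores port suffixes.

```python
import ipaddress

def pick_real_ip(remote_addr, xff, trusted, recursive):
    """Hypothetical model of how realip picks the client address."""
    nets = [ipaddress.ip_network(t) for t in trusted]  # set_real_ip_from entries

    def is_trusted(ip):
        return any(ip in n for n in nets)

    addr = ipaddress.ip_address(remote_addr)  # TCP peer, the starting point
    entries = [e.strip() for e in xff.split(",") if e.strip()]
    # Walk the header right to left, but only while the current address
    # is a trusted proxy; a header sent by an untrusted peer is never used.
    while entries and is_trusted(addr):
        try:
            candidate = ipaddress.ip_address(entries.pop())
        except ValueError:
            break  # not in IP format: stop and keep the last good address
        addr = candidate
        if not recursive:  # real_ip_recursive off: take the last entry only
            break
    return str(addr)

# Constructed sample: user 1.1.1.1 -> proxy 2.2.2.2 -> proxy 2.2.2.3 -> this Nginx
TRUSTED = ["2.2.2.2", "2.2.2.3"]

if __name__ == "__main__":
    # The second header carries an extra leading entry supplied by the client.
    for xff in ("1.1.1.1, 2.2.2.2", "6.6.6.6, 1.1.1.1, 2.2.2.2"):
        for rec in (False, True):
            result = pick_real_ip("2.2.2.3", xff, TRUSTED, rec)
            print(f"{xff!r} recursive={'on' if rec else 'off'} -> {result}")
```

With recursive on, the client-supplied 6.6.6.6 entry is never reached, because the walk stops at the first address that is not a trusted proxy.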
