
How to get the real source IP when nginx sits behind multiple proxy layers

2025-03-30 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article explains in detail how to obtain the real source IP after a request has passed through multiple layers of proxies in front of nginx. The editor thinks it is very practical and shares it here as a reference; I hope you get something out of reading it.

Problem

Nginx takes $remote_addr as the real IP, but in fact $http_x_forwarded_for holds the user's real IP; $remote_addr is just the address of the proxy layer directly above.

Solution:

Add the following to the http block:

    set_real_ip_from 172.17.10.125;   # the upper layer proxy IP address
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;

After adding these directives, nginx reports an error on startup:

    nginx: [emerg] unknown directive "set_real_ip_from" in /home/lnidmp/nginx/conf/nginx.conf:26

The realip module has to be added, which means recompiling nginx:

1. cd /usr/local/nginx-1.15.12

2. ./configure --prefix=/usr/cmcc/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_realip_module

3. make && make install

Reminder:

1. set_real_ip_from specifies which upstream proxies nginx trusts to supply the real user IP.

2. real_ip_header specifies which HTTP header of the received request carries the user IP passed on by the upstream proxy.

3. real_ip_recursive controls whether trusted addresses are recursively excluded until the user IP is found (default is off).

First, real_ip_header specifies an HTTP header name, which defaults to X-Real-Ip. Assuming the default is used, nginx checks the X-Real-Ip header after receiving the request.

(1) If the header contains an IP, nginx checks whether the sender's IP is in the trusted list specified by set_real_ip_from. If the sender is trusted, nginx takes the IP in X-Real-Ip to be the user's real IP as reported by the upstream proxy and assigns it to its own $remote_addr variable; if the sender is not trusted, the header is not processed and $remote_addr remains the sender's IP address.

(2) If X-Real-Ip contains multiple IP values, for example because the upstream proxy is configured like this:

    proxy_set_header X-Real-Ip $proxy_add_x_forwarded_for;

then what nginx receives is a list of IPs, so the value of real_ip_recursive is crucial at this point. Nginx compares the IPs in the list, from right to left, against the trust list in set_real_ip_from.

If real_ip_recursive is off, then once the rightmost IP is found to be a trusted IP, the next IP (the second from the right) is taken to be the user's real IP.

If real_ip_recursive is on, the comparison continues from right to left until an IP that is not trusted is found.

That IP value is then copied to $remote_addr as well.
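The selection rule above, modelled as an added example (this is not code from the original article or from nginx itself). It treats the connecting peer as the rightmost hop of the chain, with the header entries to its left; the edge proxy 172.17.10.20 and the addresses 203.0.113.50 and 198.51.100.7 are constructed sample values.

```python
import ipaddress

def realip(peer, header, trusted, recursive=False):
    """Address the realip module would assign to $remote_addr (simplified model).

    peer: TCP peer address; header: raw real_ip_header value;
    trusted: set_real_ip_from networks; recursive: real_ip_recursive.
    """
    nets = [ipaddress.ip_network(t, strict=False) for t in trusted]

    def is_trusted(addr):
        return any(addr in net for net in nets)

    current = ipaddress.ip_address(peer)
    if not is_trusted(current):
        return str(current)          # sender not trusted: header is ignored
    hops = [h.strip() for h in header.split(",") if h.strip()]
    for hop in reversed(hops):       # walk the list from right to left
        try:
            candidate = ipaddress.ip_address(hop)
        except ValueError:
            break                    # unparsable entry: keep what we have
        current = candidate
        if not recursive or not is_trusted(current):
            break                    # off: last entry wins; on: first untrusted entry wins
    return str(current)

# Constructed sample: client 203.0.113.50 sends its own X-Forwarded-For value
# (198.51.100.7); edge proxy 172.17.10.20 and the page's upper-layer proxy
# 172.17.10.125 each append the address they received the request from.
PEER = "172.17.10.125"
XFF = "198.51.100.7, 203.0.113.50, 172.17.10.20"
BOTH_PROXIES = ["172.17.10.125", "172.17.10.20"]

def demo():
    return {
        "one proxy trusted, recursive off": realip(PEER, XFF, ["172.17.10.125"]),
        "both trusted, recursive off": realip(PEER, XFF, BOTH_PROXIES),
        "both trusted, recursive on": realip(PEER, XFF, BOTH_PROXIES, True),
        "everything trusted, recursive on": realip(PEER, XFF, ["0.0.0.0/0"], True),
        "direct untrusted sender": realip("203.0.113.50", "198.51.100.7", BOTH_PROXIES, True),
    }

if __name__ == "__main__":
    for case, addr in demo().items():
        print(f"{case:34} -> {addr}")
```

With real_ip_recursive on, every proxy in the chain must be listed in set_real_ip_from and nothing else should be: trusting too few addresses returns an inner proxy's address, and trusting too many returns whatever the client wrote into the header.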

The production nginx configuration file is as follows:

    user www;
    worker_processes 10;

    #error_log logs/error.log;
    #error_log logs/error.log notice;
    #error_log logs/error.log info;
    error_log /data/logs/nginx_error.log crit;

    #pid logs/nginx.pid;

    events {
        use epoll;
        worker_connections 51200;
    }

    http {
        include mime.types;
        default_type application/octet-stream;

        #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
        #                '$status $body_bytes_sent "$http_referer" '
        #                '"$http_user_agent" "$http_x_forwarded_for"';
        #access_log logs/access.log main;

        server_names_hash_bucket_size 128;
        server_tokens off;
        expires 1h;
        sendfile off;
        tcp_nopush on;

        fastcgi_connect_timeout 1200s;
        fastcgi_send_timeout 1200s;
        fastcgi_read_timeout 1200s;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 8 128k;   #8 128
        fastcgi_busy_buffers_size 256k;
        fastcgi_temp_file_write_size 256k;

        keepalive_timeout 65;
        tcp_nodelay on;
        error_page 404 /;

        gzip on;
        gzip_min_length 2048;
        gzip_buffers 4 16k;
        gzip_http_version 1.1;
        gzip_types text/plain css html application/xml application/x-javascript;

        # Replace the placeholder with the upper layer proxy IP address
        set_real_ip_from <upper layer proxy IP address>;
        real_ip_recursive on;
        real_ip_header X-Forwarded-For;

        log_format access '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" $http_x_forwarded_for';

        # include
        include conf.d/*.conf;
    }

This is the end of the article on "how to obtain the real source IP after nginx passes through multi-layer proxies". I hope the above content is of some help to you and lets you learn more. If you think the article is good, please share it so that more people can see it.


© 2024 shulou.com SLNews company. All rights reserved.
