A deep dive into X-Forwarded-For

Source: Internet
Author: User


First, related concepts

proxy_set_header: rewrites a header of the request sent to the upstream server.

In Nginx we can use this directive to customize the headers in the request message.

$remote_addr: client IP

Its value is not provided by the client; the server sets it based on the IP address the connection comes from.

"Client" here is relative. When you visit a website with a browser and there is no proxy in between, the site's web server sets $remote_addr to your machine's IP. If you use a proxy, your browser first connects to the proxy, and the proxy forwards the request to the site, so the web server sets $remote_addr to the IP of the proxy server.

Second, when an Nginx reverse proxy is used, how does the back-end web server get the real client IP?

Environment:

Client: 192.168.100.88

Nginx proxy: 192.168.100.179

httpd 2.2 server: 192.168.100.173 (Note: if the httpd version is 2.4 the method is different; that is not the focus here and is not covered)

Nginx Server: 192.168.100.180

Nginx Server: 192.168.100.10

1. First, add one line to the configuration file nginx.conf on the Nginx proxy server:

    location / {
        #root html;
        proxy_pass http://192.168.100.173;
        proxy_set_header X-Real-IP $remote_addr;  # Add this line
        index index.html index.htm;
    }

X-Real-IP is a custom header name (if the name is changed, how should the back-end Nginx server be set up to get the real client IP?). The value of this header is the real client IP passed to the back-end web server.

Note: This line can be added in the http, server, or location context.

2. Back-end web configuration

1) If the back end is httpd, find the following line in its configuration file:

    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

Change the '%h' in this line to '%{X-Real-IP}i':

    LogFormat "%{X-Real-IP}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

Then access 192.168.100.179 from the client and view the httpd access log.

At this point the back-end httpd records the real client IP.

2) If the back end is Nginx, edit the configuration file and add one line:

    set_real_ip_from 192.168.100.179;

Note:

1. The back-end Nginx must be compiled with --with-http_realip_module so that the ngx_http_realip_module module is included; otherwise a configuration syntax error is reported. Nginx installed with yum from the EPEL repository already includes this module.

2. The IP is the address of the Nginx proxy server. This line can be added in the http, server, or location context. The realip module takes the address from the X-Real-IP header by default; the real_ip_header directive selects a different header.

Then access 192.168.100.179 from the client and view the back-end Nginx access log; it now records the real client IP.


Third, after passing through multiple Nginx reverse proxies, how does the back-end web server get the real client IP?

Pass X-Real-IP along through each proxy?

Trying it shows that this also works, so why is it not used? Is it incompatible with HAProxy and other proxies?

NGINX2 settings:

    location / {
        root   html;
        proxy_pass http://192.168.100.173;
        # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        set_real_ip_from 192.168.100.179;
        proxy_set_header X-Real-IP $remote_addr;
        index  index.html index.htm;
    }


Now let us look at X-Forwarded-For again.

First, the definition of X-Forwarded-For:
X-Forwarded-For (the XFF header) represents the client, that is, the real IP of the HTTP requester. It is added only when the request passes through an HTTP proxy or load balancer. It is not a standard request header defined in an RFC.
The standard format is as follows:

    X-Forwarded-For: client1, proxy1, proxy2

As the standard format shows, the X-Forwarded-For header can carry multiple values, separated by commas.

The first is the real client IP, and the rest are the IP addresses of the proxies or load balancers the request passed through; as many entries appear as there were hops.

When a request passes through multiple Nginx proxies, the X-Forwarded-For header should be: client IP, nginx1, nginx2, ...

By default, Nginx does not process the X-Forwarded-For header in any way unless the user sets it with the proxy_set_header directive:

    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

The $proxy_add_x_forwarded_for variable contains the "X-Forwarded-For" header from the client request with $remote_addr appended, separated by a comma. If there is no "X-Forwarded-For" request header, $proxy_add_x_forwarded_for equals $remote_addr.

The value of the $remote_addr variable is the IP of the client.

Two cases arise when Nginx sets X-Forwarded-For to $proxy_add_x_forwarded_for:

1. If the request from NGINX1 does not set the X-Forwarded-For header (usually this does not happen)

2. If on Nginx2 we have also set it, with the value $proxy_add_x_forwarded_for, then the content of X-Forwarded-For becomes "client IP, NGINX1 load balancer server IP". In this case, a back-end program that obtains the client IP from X-Forwarded-For can take the first comma-separated item.

As the two points above show, if we know that NGINX1 has set the X-Forwarded-For information, and that it contains only the real client IP, then our NGINX2 load balancer can ignore the header and leave it at the default.

In fact, Nginx has another variable, $http_x_forwarded_for, which holds the X-Forwarded-For information from the request. If the back-end program that reads X-Forwarded-For has poor compatibility (it does not handle X-Forwarded-For containing multiple IPs), it is best not to set X-Forwarded-For to $proxy_add_x_forwarded_for. Set it to $http_x_forwarded_for, or simply do not set it!
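The header growth described above, including the case where the client's request already carries an X-Forwarded-For value, modeled in Python as an added example (not code from the original article). Treating 192.168.100.180 as NGINX2, the sample value 203.0.113.7 and all function names are assumptions; the right-to-left resolver goes beyond the article's first-item rule and follows the idea of the realip module's real_ip_recursive setting.

```python
import ipaddress

# Addresses follow the article's lab; treating 192.168.100.180 as NGINX2 is an assumption.
CLIENT, NGINX1, NGINX2 = "192.168.100.88", "192.168.100.179", "192.168.100.180"

def proxy_add_x_forwarded_for(incoming_xff, remote_addr):
    """Model of $proxy_add_x_forwarded_for: incoming header + ", " + $remote_addr."""
    return f"{incoming_xff}, {remote_addr}" if incoming_xff else remote_addr

def forward_through(client_ip, client_xff, proxies):
    """Return (X-Forwarded-For, peer address) as the back end sees them.

    Each proxy in `proxies` (hop order) is assumed to run
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    """
    xff, peer = client_xff, client_ip
    for proxy_ip in proxies:
        xff = proxy_add_x_forwarded_for(xff, peer)
        peer = proxy_ip  # the next hop sees this proxy as $remote_addr
    return xff, peer

def first_item(xff):
    """What a back end gets when it takes the first comma-separated item."""
    return xff.split(",")[0].strip()

def client_ip_from_chain(xff, peer, trusted):
    """Walk peer + header right to left; return the last non-trusted address.

    Only entries appended by our own proxies are believed. Returns None if a
    malformed entry is reached before a non-trusted address is found.
    """
    nets = [ipaddress.ip_network(t) for t in trusted]
    chain = [p.strip() for p in (xff or "").split(",") if p.strip()] + [peer]
    for item in reversed(chain):
        try:
            ip = ipaddress.ip_address(item)
        except ValueError:
            return None
        if not any(ip in net for net in nets):
            return str(ip)
    return chain[0]  # every hop was one of our own proxies

if __name__ == "__main__":
    trusted = [NGINX1, NGINX2]
    # Constructed cases: no header from the client, then a client-sent header.
    for sent in (None, "203.0.113.7"):
        xff, peer = forward_through(CLIENT, sent, [NGINX1, NGINX2])
        print(f"XFF={xff!r} first={first_item(xff)} "
              f"resolved={client_ip_from_chain(xff, peer, trusted)}")
```

In the second case the first item is whatever the client sent, while the right-to-left walk still returns 192.168.100.88.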

