How to configure Nginx to obtain the user's IP address when using CDN acceleration

Source: Internet
Author: User
Tags get ip php code

About CDN
A content delivery network (also called a content distribution network; abbreviated CDN) is a set of computers connected to each other over the Internet that uses the servers closest to each user to send music, pictures, videos, applications and other files faster and more reliably, delivering high-performance, scalable and low-cost network content to users.

The total load capacity of a content distribution network can be larger than the maximum bandwidth of a single backbone, which lets it host more users than a traditional single server. In other words, if a server with 100 Gbps of processing capacity sits in a data center with only 10 Gbps of bandwidth, it can only deliver 10 Gbps. But if it is placed in 10 locations with 10 Gbps each, the load of the entire system can reach 10 × 10 Gbps.

At the same time, placing servers in different locations reduces interconnection traffic and thus bandwidth costs.

For TCP transmissions, speed (throughput) is affected by latency and packet loss. To mitigate these factors, a content distribution network usually assigns a closer, less congested server node to transmit data to the user. Although distance is not an absolute factor, this improves performance as far as possible and users get a smoother experience. It also makes higher-bandwidth applications easier to deliver (such as video carrying high-definition images).

Another advantage of a content distribution network is off-site backup. When a server fails, the system calls on servers in neighboring areas, providing close to 100% reliability.

In addition, a content distribution network gives the service provider greater control. Providers can adjust the service by customer, region or other factors.

Content distribution network nodes are placed in multiple locations, on several different networks. These nodes dynamically transmit content to each other, optimize the user's downloads, reduce the content provider's bandwidth cost, improve the user's download speed and improve the stability of the system.

The number of nodes a content distribution network needs varies with the requirements; depending on the size of the audience to be served, there may be tens of thousands of servers.

Obtaining the user's real IP address in Nginx behind a CDN
With the rapid rise of Nginx, more and more companies are replacing Apache with Nginx. More and more people also use Nginx for load balancing, and the proxy may itself sit behind CDN acceleration, which raises a problem: how does Nginx obtain the user's real IP address?
If the back-end real server is Nginx, read on.
Example environment:
User IP: 120.22.11.11
CDN front end: 61.22.22.22
CDN relay: 121.207.33.33
Company Nginx front-end proxy: 192.168.50.121 (external 121.207.231.22)
1. Using a CDN custom IP header
If your CDN vendor uses Nginx, then on that Nginx assign $remote_addr to the header you specify, as follows:

proxy_set_header remote-user-ip $remote_addr;

Back-end PHP code getremoteuserip.php

<?php
  // PHP exposes the remote-user-ip request header as HTTP_REMOTE_USER_IP
  $ip = getenv("HTTP_REMOTE_USER_IP");
  echo $ip;
?>

The result of visiting getremoteuserip.php is as follows:

120.22.11.11

This is the real user IP. If the CDN can define such a header, this method is the best.

2. Obtaining the IP address via HTTP_X_FORWARDED_FOR
In general, CDN servers send the HTTP_X_FORWARDED_FOR header, which is a string of IP addresses. The back-end real server reads the HTTP_X_FORWARDED_FOR header and splits the string; the first IP that is not "unknown" is the real IP address of the user, for example:
120.22.11.11,61.22.22.22,121.207.33.33,192.168.50.121 (user IP, CDN front-end IP, CDN relay, company Nginx proxy)
getfor.php

<?php
  // The whole X-Forwarded-For chain, as received by the real server
  $ip = getenv("HTTP_X_FORWARDED_FOR");
  echo $ip;
?>

The result of accessing getfor.php is as follows:

120.22.11.11,61.22.22.22,121.207.33.33,192.168.50.121

If you are a PHP programmer, you take the first IP address that is not "unknown"; here that is 120.22.11.11.
3. Using the Nginx realip module to get the user IP address
When installing Nginx, add the realip module. My parameters are as follows:

  ./configure --prefix=/usr/local/nginx-1.4.1 --with-http_realip_module

Real server Nginx configuration

  server {
    listen 80;  # port was missing in the source; 80 assumed
    server_name www.jb51.net;
    access_log /data/logs/nginx/www.jb51.net.access.log main;

    index index.php index.html index.html;
    root /data/site/www.jb51.net;

    location /
    {
        root /data/site/www.jb51.net;
    }
    location = /getrealip.php
    {
        # Proxies whose X-Forwarded-For entries are trusted
        set_real_ip_from 192.168.50.0/24;
        set_real_ip_from 61.22.22.22;
        set_real_ip_from 121.207.33.33;
        set_real_ip_from 127.0.0.1;
        real_ip_header X-Forwarded-For;
        real_ip_recursive on;
        fastcgi_pass unix:/var/run/phpfpm.sock;
        fastcgi_index index.php;
        include fastcgi.conf;
    }
  }

Content of getrealip.php

  <?php
    // With the realip module, REMOTE_ADDR already holds the resolved client IP
    $ip = $_SERVER['REMOTE_ADDR'];
    echo $ip;
  ?>

Accessing www.jb51.net/getrealip.php returns:

  120.22.11.11

If real_ip_recursive on is commented out, or set to real_ip_recursive off, accessing www.jb51.net/getrealip.php returns:

121.207.33.33

Unfortunately, this is the IP of the CDN relay; the effect of real_ip_recursive should now be clear.
set_real_ip_from: the IP address or IP range of a proxy in front of the real server; it can be written on multiple lines
real_ip_header: the header from which to retrieve the IP address
real_ip_recursive: recursively excludes IP addresses. The IP string is read from right to left, excluding the addresses that match set_real_ip_from; the first address that does not match is considered the user's IP. In my example here, the real server gets the following IP address string:

120.22.11.11,61.22.22.22,121.207.33.33,192.168.50.121

With real_ip_recursive on:
61.22.22.22, 121.207.33.33 and 192.168.50.121 all appear in set_real_ip_from; only 120.22.11.11 does not, so it is considered the user's IP address and is assigned to the remote_addr variable.
With real_ip_recursive off, or not set:
192.168.50.121 appears in set_real_ip_from and is excluded; the next IP address is considered the user's IP address.
With only the following configuration:

  set_real_ip_from 192.168.50.0/24;
  set_real_ip_from 127.0.0.1;
  real_ip_header X-Forwarded-For;
  real_ip_recursive on;

The results of the visit are as follows:

  121.207.33.33

4. Summary of the three methods of obtaining the user IP in a CDN environment
4.1 CDN custom header
Advantages: obtains the true user IP address; the user cannot disguise the IP at all
Disadvantages: the CDN vendor has to provide it
4.2 Reading the X-Forwarded-For header
Advantages: can obtain the user's IP address
Disadvantages: the program needs to change, and the user IP may be disguised
4.3 Using realip
Advantages: the program does not need to change; REMOTE_ADDR can be used directly to get the IP address
Disadvantages: the IP address may be disguised, and you need to know the IP addresses or IP ranges of all CDN nodes
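
The right-to-left selection that real_ip_recursive controls, and the reason the "first IP" of method 2 can be disguised, as an added Python model (a simplified sketch, not code from the original article or from Nginx). It assumes the last entry of the article's IP string is the peer that connects to the real server; 203.0.113.7 is a constructed documentation address standing in for a value the client supplied itself.

```python
import ipaddress

# Hop list from the article: user, CDN front end, CDN relay, company Nginx proxy.
# Assumption: the last entry is the peer connecting to the real server and the
# entries before it are what arrives in X-Forwarded-For.
CHAIN = "120.22.11.11,61.22.22.22,121.207.33.33,192.168.50.121"
ALL_PROXIES = ["192.168.50.0/24", "61.22.22.22", "121.207.33.33", "127.0.0.1"]
LAN_ONLY = ["192.168.50.0/24", "127.0.0.1"]
# Constructed input: the client sent its own X-Forwarded-For value and the
# CDN appended the real hops after it.
FORGED = "203.0.113.7," + CHAIN


def is_trusted(addr, trusted):
    """True if addr falls inside any set_real_ip_from entry."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in trusted)


def realip(chain, trusted, recursive):
    """Pick the client address the way the article describes realip doing it."""
    *header, peer = [h.strip() for h in chain.split(",")]
    # The header is only honoured when the connecting peer is a trusted proxy.
    if not header or not is_trusted(peer, trusted):
        return peer
    if not recursive:
        return header[-1]            # last header entry, trusted or not
    for addr in reversed(header):    # walk right to left
        if not is_trusted(addr, trusted):
            return addr              # first untrusted address wins
    return header[0]                 # every hop trusted: left-most entry


def first_ip(chain):
    """Method 2 as the article describes it: first entry that is not 'unknown'."""
    for addr in (h.strip() for h in chain.split(",")):
        if addr.lower() != "unknown":
            return addr
    return None


if __name__ == "__main__":
    print(realip(CHAIN, ALL_PROXIES, True))    # all proxies listed, recursive on
    print(realip(CHAIN, ALL_PROXIES, False))   # recursive off
    print(first_ip(FORGED))                    # left-most value is client-supplied
    print(realip(FORGED, ALL_PROXIES, True))   # right-to-left walk skips it
```

The left-most entry is whatever the client chose to send, so only entries appended by proxies listed in set_real_ip_from can be relied on.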
