Nginx+Tomcat cluster configuration (3): Getting the real client IP


Objective:
When the Nginx+Tomcat service cluster was first set up, we found that the client IP seen by the web server was always the same: the IP of the nginx machine acting as the reverse proxy. That does not meet our basic requirements, and it causes trouble for later data mining and analysis.
Don't worry though: this article briefly explains why this happens, the underlying principle, and the concrete solution. ^_^

Cause Analysis:
By default a web server obtains the client IP through request.getRemoteAddr(), which is essentially read from the directly connected socket.
So when the client connects directly to the web server, the IP obtained is the real client address. Once a proxy sits in between, however, the directly connected IP becomes the proxy server's IP.

Comparing the two cases in the diagram, we can clearly see that in reverse-proxy mode the client socket has been replaced by the nginx socket, so obtaining the client IP in the default way no longer gives a meaningful result.

Solution Ideas:
Nginx is a layer-7 proxy, not a layer-4 proxy like LVS, so it cannot tamper with the TCP/IP layer; it can only work within application-layer protocols such as HTTP/HTTPS.
The solution is in fact an agreed convention that requires every party in the chain to cooperate in order to implement it.
Nginx's part is to add extra header fields to the HTTP/HTTPS request, which carry the real client IP information downstream.
  

Nginx Configuration:
First, some of the internal variables defined by Nginx:

$host                       # host name of the request
$remote_addr                # IP address of the peer socket
$remote_port                # port of the peer socket
$proxy_add_x_forwarded_for  # the incoming X-Forwarded-For value with $remote_addr appended, i.e. the IPs of all proxies the HTTP/HTTPS request has passed through

For more detail on nginx internal variables, see "nginx rewrite parameters and examples".
In the Nginx configuration, add the following directives inside the location block:

proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

X-Real-IP is easy to accept and understand. But X-Forwarded-For surely raises some doubts: what on earth is it, and what is it for?
X-Forwarded-For

Known as the XFF header for short, it identifies the client, that is, the real IP of the originating side of the HTTP request, and it is only added by an HTTP proxy or load-balancing server. It is not a standard request header defined in an RFC; a detailed description can be found in the development documentation of the Squid caching proxy server. Its standard format is:
X-Forwarded-For: client1, proxy1, proxy2, ...
As the format shows, the X-Forwarded-For header can hold multiple values separated by commas: the first is the real client IP, and the rest are the IPs of the proxies or load balancers the request has passed through, each appended in turn.

Taken literally, X-Forwarded-For seems only to record the chain of proxy servers the client's request flowed through, as if it were of no use, and the real IP could simply be read from X-Real-IP instead.
In a simple setup that does appear to work, but only because you are ignoring that your web architecture has just a single layer of nginx proxy. Once there are multiple tiers of proxy servers in the architecture, X-Real-IP loses the real client IP (each tier overwrites it with the address of the tier before it), whereas X-Forwarded-For still preserves the real client IP for you. That is the essential reason the backend web server should obtain the client IP from X-Forwarded-For rather than from X-Real-IP.
  

Tomcat configuration:
In server.xml, the access log format and content default to:

<!-- Access log processes all example.
     Documentation at: /docs/config/valve.html
     Note: The pattern used is equivalent to using pattern="common" -->
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
       prefix="localhost_access_log" suffix=".txt"
       pattern="%h %l %u %t &quot;%r&quot; %s %b" />

Note: the format pattern="%h %l %u %t &quot;%r&quot; %s %b" is the default and is equivalent to pattern="common".

A sample output line is:

127.0.0.1 - - [17/Feb/2016:16:30:39 +0800] "GET / HTTP/1.1" 200 52

To log the actual client IP passed on by the front-end nginx instead, change the pattern to:

pattern="%{X-Forwarded-For}i %l %u %t &quot;%r&quot; %s %b"

With this, Tomcat uses the newly injected header and writes the real client IP to the log.

WebApp Modification:
In the WebApp, the code that obtains the IP:

HttpServletRequest request = ...;
String ip = request.getRemoteAddr();

is replaced with:

HttpServletRequest request = ...;
String ip = request.getHeader("X-Forwarded-For");

When log4j is used, the IP address can be written into the logs via the MDC/NDC.
The Java code is as follows:

import org.apache.log4j.MDC;

HttpServletRequest request = ...;
String ip = request.getHeader("X-Forwarded-For");
MDC.put("ip", ip);

The log4j configuration is as follows:

log4j.appender.console.layout.ConversionPattern=[%X{ip}]-[%c]-[%p] %m%n

Note the customized [%X{ip}] field.
See also the post "log4j get IP display in log".
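As an added example (not code from the original post), the following resolver applies the X-Forwarded-For explanation above to the WebApp step: because the leftmost entries of the header are whatever arrived with the request, it reads the list from the right and skips only the addresses of our own proxies, which each append exactly one entry via $proxy_add_x_forwarded_for. The proxy addresses 10.0.0.5 and 10.0.0.6 and the class name ClientIpResolver are assumptions made for this example.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Resolves the real client IP from X-Forwarded-For, trusting only our own proxies.
 * In a servlet, call: resolve(request.getHeader("X-Forwarded-For"), request.getRemoteAddr())
 */
public final class ClientIpResolver {

    // Addresses of our nginx reverse proxies (constructed for this example).
    private static final Set<String> TRUSTED_PROXIES =
            new HashSet<>(Arrays.asList("10.0.0.5", "10.0.0.6"));

    /**
     * @param xff        the X-Forwarded-For header value, or null if absent
     * @param remoteAddr the peer that actually connected to Tomcat (getRemoteAddr())
     * @return the best available client IP
     */
    public static String resolve(String xff, String remoteAddr) {
        // If the direct peer is not one of our proxies, no trusted hop appended
        // anything to the header, so its contents cannot be relied on.
        if (!TRUSTED_PROXIES.contains(remoteAddr) || xff == null || xff.trim().isEmpty()) {
            return remoteAddr;
        }
        String[] hops = xff.split(",");
        // Each of our proxies appended exactly one entry ($proxy_add_x_forwarded_for),
        // so walking from the right, the first address that is not one of our proxies
        // is the peer our outermost nginx really saw.
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!TRUSTED_PROXIES.contains(hop)) {
                return hop;
            }
        }
        // Only our own proxies appear in the header: fall back to the direct peer.
        return remoteAddr;
    }

    public static void main(String[] args) {
        // Constructed values as two nginx tiers (10.0.0.6 in front of 10.0.0.5) would produce.
        System.out.println(resolve("203.0.113.7, 10.0.0.6", "10.0.0.5"));
        // A leading entry that arrived from outside is skipped; the rightmost
        // address not belonging to our proxies is still the one returned.
        System.out.println(resolve("198.51.100.1, 203.0.113.7, 10.0.0.6", "10.0.0.5"));
        // A connection that bypassed nginx: the header is ignored entirely.
        System.out.println(resolve("198.51.100.1", "192.0.2.44"));
    }
}
```

The Tomcat access-log field %{X-Forwarded-For}i above records the raw header, so the same right-to-left reading applies when analyzing those logs.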

Summary:
There is a lot of material on the Internet about this issue. I went through it again here, summarizing as I went, and feel I gained something from it as well. Consider it my study notes.

WeChat Official Account & Game Sites:
Personal WeChat official account: Wooden Purpose H5 Game World

Personal game portfolio site (still under construction ...): www.mmxfgame.com, also reachable directly by IP: http://120.26.221.54/.
