How to obtain the user IP address on the second-layer Nginx of a two-tier server

This article explains how to obtain the user IP address on the second-layer Nginx of a two-tier server.
I. I ran into a problem while configuring an nginx server. The server had been using a function that limits the maximum number of concurrent connections per client, and this function was configured on the server with the variable
$remote_addr
However, after a front-end layer (load balancer, CDN, firewall, or security service) was added, the client IP address obtained became the IP address of the front-end server instead of the real user IP address.
II. In this case, I read through the official nginx website several more times and found another important variable:
$proxy_add_x_forwarded_for
This variable is the value of the X-Forwarded-For field in the client's request. If the request does not include this field, the variable is equivalent to the $remote_addr variable. This lets us read the client's real IP address that the front-end server saved in the HTTP request, usually the X_FORWARDED_FOR field mentioned above, and use it to implement various functions.
III. Here is a simple demonstration. It has many shortcomings; corrections are welcome.
First, build the Nginx environment. Here we use version 1.7.9, the latest in the 1.7 series, as an example. (For more information about the version, see FAQ 1.)
Download address for wget: http://nginx.org/download/nginx-1.7.9.tar.gz
1. Download Nginx
[Lugt@localhost mysql]$ wget http://nginx.org/download/nginx-1.7.9.tar.gz
2. Extract
[Lugt@localhost mysql]$ tar zxvf nginx-1.7.9.tar.gz
3. Compile directly (decide whether openssl and other modules are required)
[Lugt@localhost mysql]$ cd nginx-1.7.9
[Lugt@localhost nginx-1.7.9]$ ./configure
[Lugt@localhost nginx-1.7.9]$ make
[Lugt@localhost nginx-1.7.9]$ su
[Lugt@localhost nginx-1.7.9]$ make install
4. Modify the nginx.conf configuration file
[Lugt@localhost nginx-1.7.9]$ su
[Lugt@localhost nginx-1.7.9]$ cd /usr/local/nginx
[Lugt@localhost nginx]$ vi conf/nginx.conf
In nginx.conf, add the following to set up load balancing that simulates a CDN:
    upstream dnsnginx1 {
        server [*.*.*.*/yourhostname]:8080 weight=10000;  # fill in IP address or domain name
    }

    server {
        listen 80;
        server_name [hostname];  # fill in IP address or domain name
        #access_log logs/host.access.log main;

        location / {
            proxy_pass http://dnsnginx1;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header HTTP_X_FORWARDED_FOR $remote_addr;
            proxy_redirect default;
        }
    }
Set up a virtual server on port 8080:

    limit_conn_zone $proxy_add_x_forwarded_for zone=addr:10m;  # 10 MB zone for connection state

    server {
        listen 8080;
        server_name [*.*.*.*/yourhostname];  # fill in the IP address or domain name
        limit_conn addr 1;  # limit each client to at most 1 concurrent connection

        location / {
            root html;
            index index.html index.htm;
        }
    }
Save, then test the configuration file syntax.
[Lugt@localhost nginx]$ ./sbin/nginx -t
Start the server
[Lugt@localhost nginx]$ ./sbin/nginx
5. Use the ab tool to view the effect.
[Lugt@localhost nginx]$ ab -c 10 -n 100 -v 4 http://127.0.0.1/ | grep HTTP/1.1
This accesses the address with the ab test tool. The number of concurrent connections is 30, and the total number of tests is 300. The HTTP response header information is displayed.
The ab tool sends the chosen number of concurrent connections at the same time, and only as many requests as the concurrent-connection limit set in nginx succeed. This shows that the per-IP restriction is working. For more information, see FAQ 2.
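Added example (not from the original article): a Python model of the two-layer setup above, showing the string the port-8080 server computes for $proxy_add_x_forwarded_for, which the nginx documentation defines as the incoming X-Forwarded-For with $remote_addr appended. Because that string contains whatever X-Forwarded-For the client itself sent, the model compares it with the rightmost-untrusted-address rule of nginx's realip module (set_real_ip_from, real_ip_header, real_ip_recursive). The function names and sample addresses are constructed for illustration.

```python
import ipaddress

def proxy_add_x_forwarded_for(xff, remote_addr):
    """nginx $proxy_add_x_forwarded_for: the request's X-Forwarded-For with
    $remote_addr appended, or $remote_addr alone if the header is absent."""
    return f"{xff}, {remote_addr}" if xff else remote_addr

def second_layer_key(client_ip, client_xff, frontend_ip):
    """limit_conn_zone key computed by the port-8080 server in this setup."""
    # Layer 1 (port 80) sends X-Forwarded-For: $proxy_add_x_forwarded_for
    forwarded = proxy_add_x_forwarded_for(client_xff, client_ip)
    # Layer 2 (port 8080) sees the front-end server as its $remote_addr
    return proxy_add_x_forwarded_for(forwarded, frontend_ip)

def resolve_client(xff, remote_addr, trusted):
    """Rightmost address that is not a trusted proxy, the rule nginx's realip
    module applies with real_ip_recursive on."""
    nets = [ipaddress.ip_network(t) for t in trusted]
    def is_trusted(addr):
        return any(ipaddress.ip_address(addr) in n for n in nets)
    if not is_trusted(remote_addr):
        return remote_addr  # direct peer is not a known proxy: ignore the header
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not is_trusted(hop):
                return hop
        except ValueError:
            return remote_addr  # malformed entry: this sketch keeps the peer address
    return hops[0] if hops else remote_addr

# Constructed sample addresses (documentation ranges), not from the article
FRONTEND = "192.0.2.10"
CLIENT = "203.0.113.7"

def demo():
    keys, resolved = set(), set()
    # One client, three requests differing only in the header the client sent
    for sent_xff in (None, "198.51.100.1", "198.51.100.2"):
        keys.add(second_layer_key(CLIENT, sent_xff, FRONTEND))
        header_at_layer2 = proxy_add_x_forwarded_for(sent_xff, CLIENT)
        resolved.add(resolve_client(header_at_layer2, FRONTEND, [FRONTEND]))
    return keys, resolved

if __name__ == "__main__":
    keys, resolved = demo()
    print(len(keys), "distinct limit_conn keys:", sorted(keys))
    print("client address after trusted-proxy resolution:", resolved)
```

In nginx itself this resolution needs the realip module, which the plain ./configure used above does not build (it requires --with-http_realip_module).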
FAQ 1
If your Nginx version is earlier than 1.7.1, nginx may not support this function.
In that case, you need to get the x_forwarded_for value from the request yourself with a piece of code in the limit_conn_handler function.
Taking version 1.6.1 as an example, add the following code in src/http/modules/ngx_http_limit_conn.c at line 184:

    hash = ngx_crc32_short(key.data, key.len);

    /* empty key: fall back to the X-Forwarded-For request header */
    if (key.len == 0) {
        /* x_forwarded_for is an ngx_array_t of ngx_table_elt_t pointers */
        if (r->main->headers_in.x_forwarded_for.nelts != 0) {
            ngx_table_elt_t **xff = r->main->headers_in.x_forwarded_for.elts;

            key.data = xff[0]->value.data;
            key.len = xff[0]->value.len;
            hash = ngx_crc32_short(key.data, key.len);
        }
    }
FAQ 2: Reference data
Here is some reference output:
[Lugt@localhost ~]$ ab -c 10 -n 100 -v 4 http://127.0.0.1/ | grep HTTP/1.1
HTTP/1.1 503 Service Temporarily Unavailable
HTTP/1.1 503 Service Temporarily Unavailable
HTTP/1.1 503 Service Temporarily Unavailable
HTTP/1.1 503 Service Temporarily Unavailable
HTTP/1.1 503 Service Temporarily Unavailable
HTTP/1.1 503 Service Temporarily Unavailable
HTTP/1.1 503 Service Temporarily Unavailable
HTTP/1.1 503 Service Temporarily Unavailable
HTTP/1.1 503 Service Temporarily Unavailable
HTTP/1.1 200 OK
HTTP/1.1 503 Service Temporarily Unavailable
HTTP/1.1 503 Service Temporarily Unavailable
HTTP/1.1 503 Service Temporarily Unavailable
HTTP/1.1 503 Service Temporarily Unavailable
HTTP/1.1 503 Service Temporarily Unavailable
HTTP/1.1 503 Service Temporarily Unavailable
HTTP/1.1 503 Service Temporarily Unavailable
HTTP/1.1 503 Service Temporarily Unavailable
HTTP/1.1 503 Service Temporarily Unavailable
HTTP/1.1 200 OK
<... repeated eight times>
English Version
How to retrieve the true IP of the client user when there are two layers of servers
A few days ago we faced a difficulty: we could not use the variable $remote_addr to gather the clients' IP addresses. The problem surfaces when a proxy server, which in our case is actually a CDN, sits between the true server and the client, and that breaks our function for limiting the maximum number of connections a client can make to a server at a time. The same situation can also be found when a load balancer or an anti-spam service is in use. That is why we can no longer use the $remote_addr variable.
After I did some research on the documentation and the code, I found out that this problem can be solved by replacing the
$remote_addr
variable with the
$proxy_add_x_forwarded_for
variable. Because this variable lets us retrieve the data from the X_forwarded_for field of the request, we can use it in different ways.
Now I shall give an easy example of using this method in practice.
First of all, build an Nginx server.
Here I will use version 1.7.9 (the latest at the time of writing) as an example; there are some differences in versions older than 1.7.1 (see FAQ 1).
1. Download a copy of Nginx:
[Lugt@localhost mysql]$ wget http://nginx.org/download/nginx-1.7.9.tar.gz
2. Decompress the file
[Lugt@localhost mysql]$ tar zxvf nginx-1.7.9.tar.gz
3. Compile the code
[Lugt@localhost mysql]$ cd nginx-1.7.9
[Lugt@localhost nginx-1.7.9]$ ./configure
[Lugt@localhost nginx-1.7.9]$ make
[Lugt@localhost nginx-1.7.9]$ su
[Lugt@localhost nginx-1.7.9]$ make install
4. Edit the config file nginx.conf
[Lugt@localhost nginx-1.7.9]$ su
[Lugt@localhost nginx-1.7.9]$ cd /usr/local/nginx
[Lugt@localhost nginx]$ vi conf/nginx.conf
There, add these directives for server 1 to emulate a CDN server:
    upstream dnsnginx1 {
        server [*.*.*.*/yourhostname]:8080 weight=1000;  # fill in your ip/hostname
    }

    server {
        listen 80;
        server_name [hostname];  # fill in your ip/hostname here
        #access_log logs/host.access.log main;

        location / {
            proxy_pass http://dnsnginx1;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header HTTP_X_FORWARDED_FOR $remote_addr;
            proxy_redirect default;
        }
    }
After the end of that server directive, and inside the http directive, add the following to set up server 2:

    limit_conn_zone $proxy_add_x_forwarded_for zone=addr:10m;  # sample setting

    server {
        listen 8080;
        server_name [*.*.*.*/hostname];  # fill in ip/hostname here
        limit_conn addr 1;  # limit each IP to 1 connection at a time

        location / {
            root html;
            index index.html index.htm;
        }
    }
Then you can save, test the config file and run nginx.
Test your config file:
[Lugt@localhost nginx]$ ./sbin/nginx -t
Start the nginx server
[Lugt@localhost nginx]$ ./sbin/nginx
Now the server has been set up and you can run a test right away.
/* This command runs a tool that connects to the server with 10 connections at once and 10 connections in total */
[Lugt@localhost ~]$ ab -c 10 -n 100 -v 4 http://127.0.0.1/ | grep HTTP/1.1
FAQ 1
There are actually some small malfunctions when using versions older than 1.7.1 (probably the new version has this as a new feature). So to use this directive in earlier versions, some code needs to be added.
As an example, in version 1.6.1, in the file src/http/modules/ngx_http_limit_conn.c, around line 184:

    hash = ngx_crc32_short(key.data, key.len);

    /* empty key: fall back to the X-Forwarded-For request header */
    if (key.len == 0) {
        /* x_forwarded_for is an ngx_array_t of ngx_table_elt_t pointers */
        if (r->main->headers_in.x_forwarded_for.nelts != 0) {
            ngx_table_elt_t **xff = r->main->headers_in.x_forwarded_for.elts;

            key.data = xff[0]->value.data;
            key.len = xff[0]->value.len;
            hash = ngx_crc32_short(key.data, key.len);
        }
    }
FAQ 2: Testing Results
[Lugt@localhost ~]$ ab -c 10 -n 100 -v 4 http://127.0.0.1/ | grep HTTP/1.1
HTTP/1.1 503 Service Temporarily Unavailable
HTTP/1.1 503 Service Temporarily Unavailable
HTTP/1.1 503 Service Temporarily Unavailable
HTTP/1.1 503 Service Temporarily Unavailable
HTTP/1.1 503 Service Temporarily Unavailable
HTTP/1.1 503 Service Temporarily Unavailable
HTTP/1.1 503 Service Temporarily Unavailable
HTTP/1.1 503 Service Temporarily Unavailable
HTTP/1.1 503 Service Temporarily Unavailable
HTTP/1.1 200 OK
HTTP/1.1 503 Service Temporarily Unavailable
HTTP/1.1 503 Service Temporarily Unavailable
HTTP/1.1 503 Service Temporarily Unavailable
HTTP/1.1 503 Service Temporarily Unavailable
HTTP/1.1 503 Service Temporarily Unavailable
HTTP/1.1 503 Service Temporarily Unavailable
HTTP/1.1 503 Service Temporarily Unavailable
HTTP/1.1 503 Service Temporarily Unavailable
HTTP/1.1 503 Service Temporarily Unavailable
HTTP/1.1 200 OK
<... repeated as 8 times HTTP/503 and 1 time HTTP/200, and so on>