Nginx: blocking user agents and obtaining the real IP address of the user

Source: Internet
Author: User
Tags: nginx reverse proxy

Blocking user agents with nginx

Sometimes you need to prevent certain user agents, such as ab, wget, and curl, from accessing the website. This is done with the $http_user_agent variable.

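Modify nginx.conf

    # ab identifies itself as "ApacheBench/x.y"; a bare "ab" would not match it
    # and would instead hit any User-Agent that merely contains those two letters.
    if ($http_user_agent ~* (Wget|ApacheBench)) {
        return 403;
    }

    if ($http_user_agent ~* LWP::Simple|BBBike|wget) {
        return 403;
    }

Reload nginx

    # /usr/local/nginx-1.7.0/sbin/nginx -s reload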



Obtaining the real IP address of a user in nginx behind a CDN

With the rapid rise of nginx, more and more companies are switching from Apache to nginx. At the same time, more and more people use nginx as a load balancer, and a CDN may be placed in front of the proxy. This raises a problem: how does nginx obtain the real IP address of the user?

Example environment:
User IP address: 120.22.11.11
CDN front end: 61.22.22.22
CDN transit: 121.207.33.33
Company nginx front-end proxy: 192.168.50.121 (Internet address 121.207.231.22)

1. Use a custom IP header set by the CDN

If your CDN vendor uses nginx, have it assign $remote_addr to a designated header on its nginx. The method is as follows:

    proxy_set_header remote-user-ip $remote_addr;

// With the setting above, the backend receives the HTTP header as remote_user_ip. Some readers may object that the header set above is remote-user-ip, so why is it written remote_user_ip here; is the author wrong? For the explanation, see the article: <The nginx Reverse proxy proxy_set_header custom header is invalid>

Backend PHP code, getRemoteUserIP.php:

    <?php
    // The custom header arrives as the HTTP_REMOTE_USER_IP environment variable
    $ip = getenv("HTTP_REMOTE_USER_IP");
    echo $ip;
    ?>

Access getRemoteUserIP.php. The result is as follows:
120.22.11.11 // The real user IP address is obtained. If the CDN can define this header, this method is the best.

2. Get the IP address through HTTP_X_FORWARDED_FOR

Generally, the CDN server sends the X-Forwarded-For header (HTTP_X_FORWARDED_FOR in PHP), which is a string of IP addresses. The real backend server reads this header and takes the first IP address in the string that is not "unknown" as the real IP address of the user. For example:

120.22.11.11, 61.22.22.22, 121.207.33.33, 192.168.50.121 (user IP, CDN front-end IP, CDN transit, company nginx proxy)

getFor.php:

    <?php
    // Prints the whole X-Forwarded-For chain as received
    $ip = getenv("HTTP_X_FORWARDED_FOR");
    echo $ip;
    ?>

Accessing getFor.php gives the following result:
120.22.11.11, 61.22.22.22, 121.207.33.33, 192.168.50.121

If you are a PHP programmer, you take the first IP address that is not "unknown". Here that is 120.22.11.11.

3. Use the nginx built-in realip module to obtain the user IP address

Add the realip module when building nginx. My parameters are as follows:

    ./configure --prefix=/usr/local/nginx-1.4.1 --with-http_realip_module

Nginx configuration on the real server:

    server {
        listen 80;
        server_name www.ttlsa.com;
        access_log /data/logs/nginx/www.ttlsa.com.access.log main;

        index index.php index.html;
        root /data/site/www.ttlsa.com;

        location /
        {
            root /data/site/www.ttlsa.com;
        }
        location = /getRealip.php
        {
            # Proxies whose X-Forwarded-For entries are trusted
            set_real_ip_from 192.168.50.0/24;
            set_real_ip_from 61.22.22.22;
            set_real_ip_from 121.207.33.33;
            set_real_ip_from 127.0.0.1;
            real_ip_header X-Forwarded-For;
            real_ip_recursive on;
            fastcgi_pass unix:/var/run/phpfpm.sock;
            fastcgi_index index.php;
            include fastcgi.conf;
        }
    }

getRealip.php content:

    <?php
    // With realip active, REMOTE_ADDR already holds the rewritten address
    $ip = $_SERVER['REMOTE_ADDR'];
    echo $ip;
    ?>

Access www.ttlsa.com/getRealip.php. It returns:
120.22.11.11

If you comment out real_ip_recursive on, or set real_ip_recursive off, accessing www.ttlsa.com/getRealip.php returns:
121.207.33.33

Unfortunately, this is the IP address of the CDN transit node. The effect of real_ip_recursive is clear.

set_real_ip_from: the IP address or address range of a proxy in front of the real server. It can be written on multiple lines.
real_ip_header: the header from which the IP address is taken.
real_ip_recursive: recursive exclusion of IP addresses. Addresses that appear in set_real_ip_from are excluded from the list, going from right to left. The first address that does not fall within those ranges is considered the user's IP address. In my example, the IP address string obtained by the real server is as follows:
120.22.11.11, 61.22.22.22, 121.207.33.33, 192.168.50.121

With real_ip_recursive on:
61.22.22.22, 121.207.33.33 and 192.168.50.121 all appear in set_real_ip_from. Only 120.22.11.11 does not, so it is considered the user's IP address and is assigned to the $remote_addr variable.

With real_ip_recursive off or not set:
192.168.50.121 appears in set_real_ip_from and is excluded. The next IP address (121.207.33.33) is taken as the user's IP address.

If the configuration is as follows:

    set_real_ip_from 192.168.50.0/24;
    set_real_ip_from 127.0.0.1;
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;

The access result is as follows:
121.207.33.33
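
The selection logic of methods 2 and 3, as an added example (not code from the article or from nginx): a simplified Python model of the right-to-left walk over X-Forwarded-For, next to the "first address" approach of method 2. It assumes the front-end proxy 192.168.50.121 is the connecting peer rather than a header entry; the forged 203.0.113.9 entry and all function names are constructed for illustration.

```python
import ipaddress

def parse_trusted(entries):
    """set_real_ip_from-style values (address or CIDR) -> network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def is_trusted(addr, trusted):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted)

def first_hop(xff):
    """Method 2 as described: first entry that is not 'unknown'."""
    for hop in (h.strip() for h in xff.split(",")):
        if hop and hop.lower() != "unknown":
            return hop
    return None

def real_ip(peer, xff, trusted, recursive=True):
    """Simplified model of method 3: the value that ends up in $remote_addr."""
    current = peer
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    while hops and is_trusted(current, trusted):
        hop = hops.pop()                  # walk the header right to left
        try:
            ipaddress.ip_address(hop)
        except ValueError:                # e.g. "unknown": stop, keep current
            break
        current = hop
        if not recursive:                 # real_ip_recursive off: one step only
            break
    return current

# Constructed sample data based on the article's example environment.
PEER = "192.168.50.121"                   # assumption: front-end proxy is the TCP peer
XFF = "120.22.11.11, 61.22.22.22, 121.207.33.33"
FULL = parse_trusted(["192.168.50.0/24", "61.22.22.22", "121.207.33.33", "127.0.0.1"])
PARTIAL = parse_trusted(["192.168.50.0/24", "127.0.0.1"])
# Constructed: the client sent its own X-Forwarded-For, so a forged entry is leftmost.
FORGED_XFF = "203.0.113.9, " + XFF

if __name__ == "__main__":
    print(real_ip(PEER, XFF, FULL, recursive=True))
    print(real_ip(PEER, XFF, FULL, recursive=False))
    print(real_ip(PEER, XFF, PARTIAL, recursive=True))
    print(first_hop(FORGED_XFF), real_ip(PEER, FORGED_XFF, FULL))
```

With the forged header, the first-address approach returns the value the client supplied, while the right-to-left walk stops at the first address that is not a trusted proxy.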

4. Summary of the three methods for obtaining the user IP address behind a CDN

4.1 CDN custom header
Advantage: yields the most authentic user IP address; users cannot disguise their IP address.
Disadvantage: the CDN vendor must provide it.

4.2 Obtain from the X-Forwarded-For header
Advantage: the user's IP address can be obtained.
Disadvantage: the program needs to be modified, and the user's IP address may be disguised.

4.3 Obtain through realip
Advantage: you can use remote_addr directly to obtain the IP address, without modifying the program.
Disadvantage: IP addresses may be disguised, and you need to know the IP addresses or address ranges of all CDN nodes.
