Nginx reverse proxy to back-end tomcat and send IP address to backend configuration

Source: Internet
Author: User
Tags: nginx reverse proxy

Nginx acts as a reverse proxy in front of a back-end Tomcat and passes the client IP address to it.


Suppose our website is called demo.demo.com


The front-end nginx configuration is as follows:

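Add the following 4 lines to the http section of /usr/local/nginx/conf/nginx.conf:

    # X-Real-IP carries $remote_addr, as in the vhost below; setting
    # X-Forwarded-For twice would send two X-Forwarded-For headers upstream.
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
    proxy_redirect off;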


/usr/local/nginx/conf/vhost/demo.demo.com is configured as follows:

    server {
        listen 80;
        server_name   demo.demo.com;
        access_log  /home/wwwlogs/demo.test.access.log;
        error_log   /home/wwwlogs/demo.test.error.log;
        root    html;
        index  index.html index.htm index.php;

        ## send request back to the back-end tomcat ##
        location / {
            proxy_pass  http://172.16.10.12:8080;

            # Proxy settings
            proxy_redirect     off;
            proxy_set_header   Host               $host;
            proxy_set_header   X-Real-IP          $remote_addr;
            proxy_set_header   X-Forwarded-For    $proxy_add_x_forwarded_for;
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
            proxy_max_temp_file_size 0;
            proxy_connect_timeout      90;
            proxy_send_timeout         90;
            proxy_read_timeout         90;
            proxy_buffer_size          4k;
            proxy_buffers              4 32k;
            proxy_busy_buffers_size    64k;
            proxy_temp_file_write_size 64k;
        }
    }


The back-end tomcat configuration is as follows:

Edit Tomcat's server.xml and modify the section marked in red:

    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
           prefix="localhost_access_log" suffix=".txt"
           pattern="%{X-Forwarded-For}i %l %u %t %r %s %b %D %q %{User-Agent}i %T" resolveHosts="false"/>

    <Context path="/" docBase="/home/website/web/mobile"></Context>

    </Host>




Explanation of the nginx.conf parameters above:

First, the definition of X-Forwarded-For:
X-Forwarded-For, abbreviated as the XFF header, carries the real IP of the client, that is, of the HTTP requester. It is added only when the request passes through an HTTP proxy or load balancer. It is not a standard request header defined in the RFCs; a detailed description can be found in the Squid cache proxy server development documentation.
The standard format is as follows:

    X-Forwarded-For: client1, proxy1, proxy2

As the standard format shows, the X-Forwarded-For header can hold multiple entries separated by commas. The first is the real client IP and the rest are the IP addresses of the proxies or load balancers the request passed through, one entry for each hop.

It would be easy to assume that when a user's request passes through a CDN to reach the Nginx load balancer, its X-Forwarded-For header is "client IP, CDN IP". In reality this is usually not so: for their own security, CDN providers generally modify this information and keep only the client IP. We can read the X-Forwarded-For value in a program, or have Nginx return it in a response header with add_header, to check.

Next, consider the request header as it arrives at the Nginx load balancer. By default, Nginx does nothing with the X-Forwarded-For header unless proxy_set_header is used to set it:

    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

The $proxy_add_x_forwarded_for variable contains the "X-Forwarded-For" client request header with $remote_addr appended, separated by a comma; if there is no "X-Forwarded-For" request header, $proxy_add_x_forwarded_for equals $remote_addr.

The value of the $remote_addr variable is the IP of the client.

Two things can happen when Nginx sets X-Forwarded-For to $proxy_add_x_forwarded_for:

1. The request from the CDN does not carry an X-Forwarded-For header (this usually does not happen), and our Nginx sets it to $proxy_add_x_forwarded_for. X-Forwarded-For is then the IP of the CDN, because relative to the Nginx load balancer the client is the CDN, so the back-end web program cannot obtain the real user's IP.

2. The CDN has set X-Forwarded-For and we set it again here to $proxy_add_x_forwarded_for. The X-Forwarded-For content then becomes "client IP, Nginx load balancer server IP". In this case the back-end program obtains the client IP from X-Forwarded-For by taking the first comma-separated item.

Following from these two points, if we know the CDN sets X-Forwarded-For and that it contains only the real client IP, our Nginx load balancer can leave the header alone and keep the default.

Nginx also has a $http_x_forwarded_for variable, whose content is the X-Forwarded-For value from the request. If the back-end program that reads X-Forwarded-For is not robust (it does not handle X-Forwarded-For containing multiple IPs), it is best not to set X-Forwarded-For to $proxy_add_x_forwarded_for; set it to $http_x_forwarded_for instead, or simply do not set it!
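The two cases above and the advice about back ends that must cope with several addresses, modelled as an added Python example (not code from the original article). The sample addresses and the trusted-proxy list are constructed, and `first_item` and `client_ip` are hypothetical helper names. It goes beyond the text in one respect: besides taking the first item, it walks the chain from the right, because everything to the left of the first untrusted hop was supplied by that hop and cannot be verified.

```python
import ipaddress

# Constructed sample addresses (not from the page): user, CDN edge, front-end Nginx.
USER, CDN, NGINX = "203.0.113.7", "198.51.100.20", "172.16.10.11"
TRUSTED = ["198.51.100.0/24", "172.16.10.11/32"]  # assumed CDN range + our Nginx


def proxy_add_x_forwarded_for(incoming_xff, remote_addr):
    """Model of $proxy_add_x_forwarded_for: the incoming header with
    $remote_addr appended, or $remote_addr alone if no header arrived."""
    return f"{incoming_xff}, {remote_addr}" if incoming_xff else remote_addr


def first_item(xff):
    """The 'take the first comma-separated item' approach from the text."""
    return xff.split(",")[0].strip()


def client_ip(xff, peer, trusted=TRUSTED):
    """Walk the chain from the right (nearest hop first) and stop at the
    first address that is not one of our trusted proxies."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()] + [peer]
    candidate = peer
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last valid hop
        candidate = str(addr)
        if not any(addr in net for net in nets):
            break  # everything further left was supplied by this hop
    return candidate


if __name__ == "__main__":
    cases = {
        "1: CDN sent no header": proxy_add_x_forwarded_for(None, CDN),
        "2: CDN sent client IP": proxy_add_x_forwarded_for(USER, CDN),
        "3: direct request with its own header":
            proxy_add_x_forwarded_for("10.9.9.9", USER),
    }
    for name, xff in cases.items():
        print(f"{name}: XFF={xff!r} first={first_item(xff)} "
              f"walked={client_ip(xff, NGINX)}")
```

In case 3 the first item is whatever the requester typed into the header, while the right-to-left walk still returns the address that actually connected to Nginx.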

