问题现象
网站业务架构为:
高防->WAF->slb 7层->ECS
Nginx在ECS上获取真实的客户端IP地址,配置不生效。
测试环境
高防IP为:118.xxx.xxx.204
WAF的Cname为:9qlliqgcxxxxxu0z.aliyunwaf.com 120.xxx.xxx.174
测试的域名为:there.pier39.cn
负载均衡的IP为: 119.xxx.xxx.162
ECS的IP为:120.xxx.xxx.201
[root
@xx
nginx]# uname -a
Linux iZ94ypgtdryZ
3.10
.
0
-
327.22
.
2
.el7.x86_64 #
1
SMP Thu Jun
23
17
:
05
:
11
UTC
2016
x86_64 x86_64 x86_64 GNU/Linux
[root
@iZ94ypgtdryZ
nginx]# lsb_release -a
LSB Version: :core-
4.1
-amd64:core-
4.1
-noarch
Distributor ID: CentOS
Description: CentOS Linux release
7.2
.
1511
(Core)
Release:
7.2
.
1511
Codename: Core
[root
@xx
nginx]#
[root
@iZ94ypgtdryZ
nginx]# nginx -V
nginx version: nginx/
1.10
.
2
built by gcc
4.8
.
5
20150623
(Red Hat
4.8
.
5
-
4
) (GCC)
built with OpenSSL
1.0
.1e-fips
11
Feb
2013
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-google_perftools_module --with-debug --with-cc-opt=
'-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic'
--with-ld-opt=
'-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E'
|
配置方式:logformat方法
1、高防、WAF、负载均衡相关的配置在此省略
2、Nginx主配置文件
/etc/nginx/nginx.conf
核心配置内容:
log_format there.pier39.cn
'$remote_addr - $remote_user [$time_local] $request'
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"'
;
access_log /var/log/nginx/there.pier39.cn there.pier39.cn;
|
在log_format中加入了*$http_x_forwarded_for*
具体以上内容所在的位置,请特别注意,可以到下方完整的配置中寻找。
整体的配置内容如下:
[root
@iZ94ypgtdryZ
nginx]# cat nginx.conf
# For more information on configuration, see:
# * Official English Documentation: http:
//nginx.org/en/docs/
# * Official Russian Documentation: http:
//nginx.org/ru/docs/
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections
1024
;
}
http {
log_format main
'$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent"'
;
access_log /var/log/nginx/access.log main;
log_format there.pier39.cn
'$remote_addr - $remote_user [$time_local] $request'
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"'
;
access_log /var/log/nginx/there.pier39.cn there.pier39.cn;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout
65
;
types_hash_max_size
2048
;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http:
//nginx.org/en/docs/ngx_core_module.html#include
#
for
more information.
include /etc/nginx/conf.d/*.conf;
server {
listen
80
default_server;
listen [::]:
80
default_server;
server_name _;
root /usr/share/nginx/html;
# Load configuration files
for
the
default
server block.
include /etc/nginx/
default
.d/*.conf;
location / {
}
error_page
404
/
404
.html;
location = /40x.html {
}
error_page
500
502
503
504
/50x.html;
location = /50x.html {
}
}
# Settings
for
a TLS enabled server.
#
# server {
# listen
443
ssl http2 default_server;
# listen [::]:
443
ssl http2 default_server;
# server_name _;
# root /usr/share/nginx/html;
#
# ssl_certificate
"/etc/pki/nginx/server.crt"
;
# ssl_certificate_key
"/etc/pki/nginx/private/server.key"
;
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 10m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
#
# # Load configuration files
for
the
default
server block.
# include /etc/nginx/
default
.d/*.conf;
#
# location / {
# }
#
# error_page
404
/
404
.html;
# location = /40x.html {
# }
#
# error_page
500
502
503
504
/50x.html;
# location = /50x.html {
# }
# }
}
|
3、VirtualHost配置文件
/etc/nginx/conf.d/there.pier39.cn.conf
server {
listen
80
;
server_name there.pier39.cn;
index index.html index.htm index.php;
root /var/www/html;
}
|
4、配置完成后
A、使用nginx检查配置文件是否正确。
B、重启nginx服务(Restart)
[root
@iZ94ypgtdryZ
nginx]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root
@iZ94ypgtdryZ
nginx]# service nginx restart
Redirecting to /bin/systemctl restart nginx.service
[root
@iZ94ypgtdryZ
nginx]#
|
5、测试
A、未配置前的
[root
@iZ94ypgtdryZ
nginx]# tailf there.pier39.cn | grep -v HEAD
100.97
.
15.216
- - [
22
/Feb/
2017
:
14
:
52
:
30
+
0800
] GET /ddd HTTP/
1.0404
571
"-"
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
100.97
.
15.1
- - [
22
/Feb/
2017
:
14
:
52
:
48
+
0800
] GET /ddd HTTP/
1.0404
571
"-"
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
100.97
.
15.187
- - [
22
/Feb/
2017
:
14
:
52
:
49
+
0800
] GET /ddd HTTP/
1.0404
571
"-"
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
100.97
.
15.59
- - [
22
/Feb/
2017
:
14
:
52
:
49
+
0800
] GET /ddd HTTP/
1.0404
571
"-"
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
100.97
.
15.214
- - [
22
/Feb/
2017
:
14
:
52
:
49
+
0800
] GET /ddd HTTP/
1.0404
571
"-"
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
100.97
.
15.14
- - [
22
/Feb/
2017
:
14
:
52
:
50
+
0800
] GET /ddd HTTP/
1.0404
571
"-"
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
|
B、配置后的
100.97
.
15.181
- - [
22
/Feb/
2017
:
15
:
05
:
51
+
0800
] GET /ddd HTTP/
1.0404
571
"-"
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
"42.xxx.xx.201, 120.xx.xx.15, 120.xx.xx.232"
100.97
.
15.6
- - [
22
/Feb/
2017
:
15
:
05
:
53
+
0800
] GET /ddd HTTP/
1.0404
571
"-"
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
"42.xxx.xx.201, 120.xx.xx.15, 120.xx.xx.225"
100.97
.
15.189
- - [
22
/Feb/
2017
:
15
:
05
:
54
+
0800
] GET /ddd HTTP/
1.0404
571
"-"
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
"42.xx.xx.201, 120.xx.xx.15, 120.xx.xx.4"
100.97
.
15.50
- - [
22
/Feb/
2017
:
15
:
05
:
54
+
0800
] GET /ddd HTTP/
1.0404
571
"-"
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
"42.xxx.xxx.201, 120.xx.xx.15, 120.xx.xx.4"
100.97
.
15.11
- - [
22
/Feb/
2017
:
15
:
05
:
54
+
0800
] GET /ddd HTTP/
1.0404
571
"-"
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
"42.xxx..201, 120.xx.xx.15, 120.xx.xx.4"
|
真实的IP地址在日志的最尾部,符合log_format配置的格式
配置方式:realip方法
注:用nginx -V检查是否安装过realip模块,如果没有安装需要安装。
1、Nginx主配置文件
/etc/nginx/nginx.conf
核心内容:
log_format there.pier39.cn
'$remote_addr - $remote_user [$time_local] $request'
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" '
;
access_log /var/log/nginx/there.pier39.cn there.pier39.cn;
|
具体以上内容所在的位置,请特别注意,可以到下方完整的配置中寻找。
全部配置文件
[root
@iZ94ypgtdryZ
nginx]# cat nginx.conf
# For more information on configuration, see:
# * Official English Documentation: http:
//nginx.org/en/docs/
# * Official Russian Documentation: http:
//nginx.org/ru/docs/
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections
1024
;
}
http {
log_format main
'$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent"'
;
access_log /var/log/nginx/access.log main;
log_format there.pier39.cn
'$remote_addr - $remote_user [$time_local] $request'
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" '
;
access_log /var/log/nginx/there.pier39.cn there.pier39.cn;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout
65
;
types_hash_max_size
2048
;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http:
//nginx.org/en/docs/ngx_core_module.html#include
#
for
more information.
include /etc/nginx/conf.d/*.conf;
server {
listen
80
default_server;
listen [::]:
80
default_server;
server_name _;
root /usr/share/nginx/html;
# Load configuration files
for
the
default
server block.
include /etc/nginx/
default
.d/*.conf;
location / {
}
error_page
404
/
404
.html;
location = /40x.html {
}
error_page
500
502
503
504
/50x.html;
location = /50x.html {
}
}
# Settings
for
a TLS enabled server.
#
# server {
# listen
443
ssl http2 default_server;
# listen [::]:
443
ssl http2 default_server;
# server_name _;
# root /usr/share/nginx/html;
#
# ssl_certificate
"/etc/pki/nginx/server.crt"
;
# ssl_certificate_key
"/etc/pki/nginx/private/server.key"
;
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 10m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
#
# # Load configuration files
for
the
default
server block.
# include /etc/nginx/
default
.d/*.conf;
#
# location / {
# }
#
# error_page
404
/
404
.html;
# location = /40x.html {
# }
#
# error_page
500
502
503
504
/50x.html;
# location = /50x.html {
# }
# }
}
|
2、VirtualHost配置文件
在该文件中加入了location的内容,请务必注意;
server {
listen
80
;
server_name there.pier39.cn;
index index.html index.htm index.php;
root /var/www/html;
location / {
set_real_ip_from
0.0
.
0.0
/
0
;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
}
}
|
3、配置完成后
A、使用nginx检查配置文件是否正确。
B、重启nginx服务(Restart)
4、测试
1、配置前
[root
@xxx
nginx]# tailf there.pier39.cn | grep -v HEAD
100.97
.
15.4
- - [
22
/Feb/
2017
:
15
:
54
:
40
+
0800
] GET /ddd HTTP/
1.0404
571
"-"
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
100.97
.
15.180
- - [
22
/Feb/
2017
:
15
:
54
:
42
+
0800
] GET /ddd HTTP/
1.0404
571
"-"
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
100.97
.
15.210
- - [
22
/Feb/
2017
:
15
:
54
:
45
+
0800
] GET /ddd HTTP/
1.0404
571
"-"
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
100.97
.
15.2
- - [
22
/Feb/
2017
:
15
:
54
:
45
+
0800
] GET /ddd HTTP/
1.0404
571
"-"
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
|
2、配置后
[root
@xxx
nginx]# tailf there.pier39.cn | grep -v HEAD
42.xxx.xx
.201
- - [
22
/Feb/
2017
:
16
:
18
:
50
+
0800
] GET /ddd HTTP/
1.0404
571
"-"
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
42.xx
.xx
.201
- - [
22
/Feb/
2017
:
16
:
18
:
50
+
0800
] GET /ddd HTTP/
1.0404
571
"-"
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
42.xxx
.xx
.201
- - [
22
/Feb/
2017
:
16
:
18
:
50
+
0800
] GET /ddd HTTP/
1.0404
571
"-"
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
42.xxx
.xx
.201
- - [
22
/Feb/
2017
:
16
:
18
:
50
+
0800
] GET /ddd HTTP/
1.0404
571
"-"
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
42.xxx
.xx
.201
- - [
22
/Feb/
2017
:
16
:
18
:
51
+
0800
] GET /ddd HTTP/
1.0404
571
"-"
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
|
总结
1、这里介绍了2中配置获取xff的方法,2种配置的差别,可以很明显的在最终测试的日志中对比出来。
logformat:
100.97
.
15.11
- - [
22
/Feb/
2017
:
15
:
05
:
54
+
0800
] GET /ddd HTTP/
1.0404
571
"-"
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
"42.xxx.xx.201, 120.xx.xx.15, 120.xx.xx.4"
|
realip:
42.xx.xx
.201
- - [
22
/Feb/
2017
:
16
:
18
:
51
+
0800
] GET /ddd HTTP/
1.0404
571
"-"
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
|
2种方式都可以获取真实IP地址,但是在日志中显示的方式不一样。
当然,也可以2种方式都配置。方法,自行脑补。
42.xx.xx
.201
- - [
22
/Feb/
2017
:
16
:
22
:
42
+
0800
] GET /ddd HTTP/
1.0404
571
"-"
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
"42.xx.xx201, 120.xx.xxx.16, 120.xx.xx.231"
|
2、2种取一种即可,根据实际情况选择。
3、该方法,可用于高防->WAF->slb 7层->ECS 上述链路的使用,当然如果只有负载均衡也是可以的。在链路中再加入CDN也能够正常获取到。此方法的原理为获取通信报文中的X-Forwarded-For字段进行解析
附录
1、X-Forwarded-For简介
X-Forwarded-For:简称XFF头,它代表代表客户端,也就是HTTP的请求端真实的IP,只有在通过了HTTP 代理或者负载均衡服务器时才会添加该项。它不是RFC中定义的标准请求头信息,在squid缓存代理服务器开发文档中可以找到该项的详细介绍。
标准格式如下:X-Forwarded-For: client1, proxy1, proxy2。
2、X-Forwarded-For在http报文中的体现(Web Server上抓包)
