nginx服务器看到自己的ip而不是反向代理ip

时间:2015-11-06 01:20:44

标签: nginx reverse-proxy

我有两个服务器,一个是应用服务器,另一个是反向代理。

用户 - >代理服务器 - >应用服务器

当用户来自代理服务器时,我会检查ip,如果ip来自代理服务器,则用户自动登录。

代理服务器配置

server {
    ...
    location / { 
        include  /etc/nginx/mime.types;
        proxy_pass http://app.server.com;
    }   
}

app server config 

server {
    ...
    # rewrite request
    rewrite ^/request/(.*)$ /request.php?uri=$uri last;

    location @rewrite {
        rewrite ^(.+)$ /index.php?_url=$1;
    }

    location ~ \.php$ {
        fastcgi_buffer_size        128k;
        fastcgi_buffers            256 16k;
        fastcgi_busy_buffers_size  256k;

        include fastcgi_params;
        fastcgi_pass    backend;
        fastcgi_index   index.php;
        fastcgi_split_path_info       ^(.+\.php)(/.+)$;
        fastcgi_param PATH_INFO       $fastcgi_path_info;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}

基本上,对代理的所有请求都会传递到应用服务器。假设我的app server ip是5.6.7.8,而proxy ip是1.2.3.4。当我在chrome中打开代理服务器时,chrome调试工具在Header的General部分的Remote Address(1.2.3.4)中显示代理IP地址。但是,当我尝试从$ _SERVER [' REMOTE_ADDR']访问ip时,它会给出app server本身的ip addess(5.6.7.8)。

我已尝试过这些配置,但远程地址仍显示应用服务器的IP和X-Forwarded-For用于真正的客户端IP,这不是我想要的。

proxy_set_header HOST $host; <- this makes proxy server always responds with 404
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

如何从$ _SERVER [&#39; REMOTE_ADDR&#39;]或其他字段获取代理ip?

我的预建nginx没有模块,所以我自己建了一个。

nginx version: nginx/1.4.7
built by gcc 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04) 
TLS SNI support enabled
configure arguments: --prefix=/usr/local --sbin-path=/usr/local/sbin --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --with-http_ssl_module --with-http_gzip_static_module --with-http_realip_module --with-http_sub_module

现在代理服务器配置看起来像

server {
    ...
    location / { 
        include  /etc/nginx/mime.types;
        set_real_ip_from 0.0.0.0/0;
        real_ip_header    X-Forwarded-For;
        real_ip_recursive on; 
        proxy_pass http://app.server.com;
    }   
}

但问题仍然存在,应用服务器仍然拥有自己的IP地址。

测试应用服务器上的real_ip_header配置

app server config 

sever {
    ...
    set_real_ip_from 0.0.0.0/0;
    real_ip_header    X-Forwarded-For;
    real_ip_recursive on; 

    # rewrite api 
    rewrite ^/api/(.*)$ /route.php?uri=$uri last;

    location @rewrite {

        rewrite ^(.+)$ /index.php?_url=$1;
    }   

    location ~ \.php$ {
        fastcgi_buffer_size        128k;
        fastcgi_buffers            256 16k;
        fastcgi_busy_buffers_size  256k;

        include fastcgi_params;
        fastcgi_pass    backend;
        fastcgi_index   index.php;
        fastcgi_split_path_info       ^(.+\.php)(/.+)$;
        fastcgi_param PATH_INFO       $fastcgi_path_info;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    } 
}

代理服务器配置

server {
    listen       1000;
    server_name  my.proxy.com;

    charset      utf-8;

    proxy_buffer_size   128k;
    proxy_buffers   4 256k;
    proxy_busy_buffers_size   256k;

    location / {
        include  /etc/nginx/mime.types;
        proxy_pass http://app.server.com;
    }
}

问题仍然存在。

我的代理配置最终会这样,我从 X-Forwarded-For 现在获得代理服务器ip 

server {
    ...
    location / {
        include  /etc/nginx/mime.types;
        proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_pass http://app.server.com;
    }                                                                                                                                                                                                         
}

1 个答案:

答案 0 :(得分:2)

使用ngx_http_realip_module模块 - 它用于将客户端地址更改为在指定的标头字段中发送的地址。

示例:

# Set the client remote address to the one sent in the X_FORWARDED_FOR header from trusted addresses.
set_real_ip_from  192.168.1.0/24;
set_real_ip_from  192.168.2.1;
set_real_ip_from  2001:0db8::/32;
real_ip_header    X-Forwarded-For;
real_ip_recursive on;

来源:http://nginx.org/en/docs/http/ngx_http_realip_module.html

我认为您仍然想知道真实客户端的IP地址以及代理服务器的IP地址。

代理服务器

添加自定义标头; REVERSE-VIA包含代理服务器的地址。这允许应用服务器读取IP地址的REVERSE-VIA标头。

server {
    listen       1000;
    server_name  my.proxy.com;

    charset      utf-8;

    proxy_buffer_size   128k;
    proxy_buffers   4 256k;
    proxy_busy_buffers_size   256k;

    location / {
        include  /etc/nginx/mime.types;
        proxy_pass http://app.server.com;
        proxy_set_header  X-Real-IP         $remote_addr;
        proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header  REVERSE-VIA       $server_addr;
    }
}

应用服务器

server {
    ...
    set_real_ip_from 0.0.0.0/0;
    real_ip_header    X-Forwarded-For;
    real_ip_recursive on; 

    # rewrite api 
    rewrite ^/api/(.*)$ /route.php?uri=$uri last;

    location @rewrite {

        rewrite ^(.+)$ /index.php?_url=$1;
    }   

    location ~ \.php$ {
        fastcgi_buffer_size        128k;
        fastcgi_buffers            256 16k;
        fastcgi_busy_buffers_size  256k;

        include fastcgi_params;
        fastcgi_pass    backend;
        fastcgi_index   index.php;
        fastcgi_split_path_info       ^(.+\.php)(/.+)$;
        fastcgi_param PATH_INFO       $fastcgi_path_info;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    } 
}
相关问题
最新问题