最近在研究nginx中如何获取真实客户端IP的方法。众所周知,在编译Nginx时,可通过添加http_realip_module模块来获取真实客户端IP地址。何为真实IP地址呢?请看下图,既获取到的真实客户端IP是101,既不是正向代理服的104,也不是反向代理的105。
我们以PHP为例来说明整个过程吧。
前期准备:
在/home/apps/realip.com/下新建index.php:
<?php
foreach($_SERVER as $k=>$v)
echo $k . '=' . $v . '<br />';
修改104, 105, 106的nginx.conf的log格式为:
log_format main 'remote_addr=$remote_addr:$remote_port, http_x_forwarded_for=$http_x_forwarded_for, proxy_add_x_forwarded_for=$proxy_add_x_forwarded_for ';
场景一(最简单的场景):
在106上的/etc/nginx/conf.d目录里,新建realip.com.conf,内容如下。
upstream realip {
server 127.0.0.1:9100;
}
server {
listen 80;
server_name realip.com;
access_log /var/log/nginx/realip.com.access.log main;
error_log /var/log/nginx/realip.com.error.log error;
location / {
root /home/apps/realip.com/;
index index.php;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
location ~ .php$ {
root /home/apps/realip.com/;
fastcgi_pass realip;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
location ~ /.ht {
deny all;
}
}
同时修改fastcgi_params文件确保有以下两行:
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param HTTP_X_FORWARDED_FOR $proxy_add_x_forwarded_for;
在客户机101上做host:
192.168.1.106 realip.com
在客户机上打开浏览器访问http://realip.com,看到的结果是:
REMOTE_ADDR=192.168.1.101
HTTP_X_FORWARDED_FOR=192.168.1.101
106上的Nginx log是:
remote_addr=192.168.1.101:23350, http_x_forwarded_for=-, proxy_add_x_forwarded_for=192.168.1.101
结果描述:
- REMOTE_ADDR和HTTP_X_FORWARDED_FOR都是真实客户端IP地址101。
场景二(增加一台Nginx反向代理):
在105上的/etc/nginx/conf.d目录里,新建realip.com.conf,内容如下。
upstream realip {
#反向代理到106的80端口
server 192.168.1.106:80;
}
server {
listen 80;
server_name realip.com;
access_log /var/log/nginx/realip.com.access.log main;
error_log /var/log/nginx/realip.com.error.log error;
location / {
proxy_pass http://realip;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
include fastcgi_params;
}
}
同时修改fastcgi_params文件确保有以下一行:
fastcgi_param REMOTE_ADDR $remote_addr;
在客户机101上修改host:
192.168.1.105 realip.com
在客户机上打开浏览器访问http://realip.com,看到的结果是:
REMOTE_ADDR=192.168.1.105
HTTP_X_FORWARDED_FOR=192.168.1.101, 192.168.1.105
HTTP_X_REAL_IP=192.168.1.101
106上的Nginx log是:
remote_addr=192.168.1.105:34686, http_x_forwarded_for=192.168.1.101, proxy_add_x_forwarded_for=192.168.1.101, 192.168.1.105
105上的Nginx log是:
remote_addr=192.168.1.101:23417, http_x_forwarded_for=-, proxy_add_x_forwarded_for=192.168.1.101
结果描述:
- REMOTE_ADDR变成了反向代理105的IP地址
- HTTP_X_FORWARDED_FOR记录了真实客户端IP和反向代理IP,以逗号分隔。
- 新出现的HTTP_X_REAL_IP也是真实客户端IP地址,是由105的realip.com.conf配置写入的
场景三(再增加一台Nginx正向代理):
Nginx是可以做正向代理的,但是必须指定resolver(既DNS)。但是我没有搭建内网DNS,所以就把104又搭建成了一台反向代理来模拟正向代理。我认为正向、反向代理原理都是差不多的,取得的结果也应该差不多的(如果谁能用真正的正向代理测试出了不同结果,请告知一下)。
同时修改fastcgi_params文件确保有以下一行:
fastcgi_param REMOTE_ADDR $remote_addr;
在客户机101上修改host:
192.168.1.104 realip.com
我们在客户机上打开浏览器访问http://realip.com,看到的结果是:
REMOTE_ADDR=192.168.1.105
HTTP_X_FORWARDED_FOR=192.168.1.101, 192.168.1.104, 192.168.1.105
HTTP_X_REAL_IP=192.168.1.104
106上的Nginx log是:
remote_addr=192.168.1.105:34780, http_x_forwarded_for=192.168.1.101, 192.168.1.104, proxy_add_x_forwarded_for=192.168.1.101, 192.168.1.104, 192.168.1.105
105上的Nginx log是:
remote_addr=192.168.1.104:60142, http_x_forwarded_for=192.168.1.101, proxy_add_x_forwarded_for=192.168.1.101, 192.168.1.104
104上的Nginx log是:
remote_addr=192.168.1.101:23470, http_x_forwarded_for=-, proxy_add_x_forwarded_for=192.168.1.101
结果描述:
- REMOTE_ADDR还是反向代理105的IP地址
- HTTP_X_FORWARDED_FOR记录了真实客户端IP和两台反向代理IP,以逗号分隔。
- HTTP_X_REAL_IP变成了104
结论:
在默认配置情况下,如果要取得客户端真实IP地址的话,只有取HTTP_X_FORWARDED_FOR的第一个逗号前的IP地址最靠谱,其他的地址都有可能被重写。当然,如果连HTTP_X_FORWARDED_FOR都被重写的话就另当别论了