• nginx多层反向代理获取客户端真实ip


    访问路径:
    用户 --> www.chinasoft.cn(nginx反向代理) --> www.chinasoft.com(nginx反向代理) --> python服务端程序
    
    经过多层代理
    
    第一层代理:
    # cat /usr/local/nginx/conf/vhost.d/www.chinasoft.cn.conf 
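    server {
        # First-layer proxy, plain-HTTP listener: its only job is to send every
        # request to the HTTPS site.
        listen 80;
        server_name     www.chinasoft.cn chinasoft.cn;
        access_log      /data/www/logs/nginx_log/access/chinasoft.cn_access.log main ;
        error_log       /data/www/logs/nginx_log/error/chinasoft.cn_error.log ;

        # The original used a server-level `rewrite ^/(.*)$ ... permanent;`.
        # Server-level rewrites run before a location is selected and that
        # pattern matches every URI, so the location blocks that followed it
        # (/favicon.ico, the proxied /(middle|app|files|static|back)/ paths,
        # /cn and /) never handled a request. They are removed here; proxying
        # and the X-Forwarded-For handling live in the 443 server.
        return 301 https://www.chinasoft.cn$request_uri;
    }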
    
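    server {
        # First-layer (outermost) proxy, HTTPS listener.
        # `listen ... ssl` replaces the deprecated `ssl on;` directive.
        listen 443 ssl;
        server_name      www.chinasoft.cn chinasoft.cn;

        ssl_certificate         /usr/local/nginx/cert/geo-chinasoft.cn.crt;
        ssl_certificate_key     /usr/local/nginx/cert/geo-chinasoft.cn.key;

        # TLSv1 and TLSv1.1 are deprecated and no longer offered. Add TLSv1.3
        # when the installed nginx/OpenSSL build supports it.
        ssl_protocols   TLSv1.2;

        # Same suite list as before, restored to a single line (the pasted
        # listing had wrapped it in the middle of suite names) and with the
        # 3DES (DES-CBC3) suites excluded.
        ssl_ciphers     "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!AES128-SHA256:!AES256-SHA256:!AES128-SHA:!AES256-SHA:AES:!CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH";
        ssl_prefer_server_ciphers on;
        ssl_session_timeout 10m;

        access_log      /data/www/logs/nginx_log/access/chinasoft.cn_access.log main ;
        error_log       /data/www/logs/nginx_log/error/chinasoft.cn_error.log ;
        root            /data/www/vhosts/chinasoft/chinasoft_web_html/converter_middle/templates/cn;
        index           index.html index.shtml index.php ;
        #include         rewrite.d/chinasoft.cn.conf ;
        error_page  404 403             /404.html;

        # NOTE(review): the proxy_pass targets below use https, and nginx does
        # not verify the upstream certificate unless proxy_ssl_verify is on
        # (with proxy_ssl_trusted_certificate and proxy_ssl_name set). Consider
        # enabling it so the hop between the two layers is authenticated.

        location /favicon.ico {
            proxy_set_header Host $host;
            proxy_set_header X-Real-Ip $remote_addr;
            # Outermost proxy: overwrite X-Forwarded-For with the TCP peer
            # address so a value supplied by the client is never passed on.
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_pass https://www.chinasoft.com;
        }

        location ~ ^/(middle|app|files|back)/ {
            proxy_set_header Host $host;
            proxy_set_header X-Real-Ip $remote_addr;
            # Same rule as above: $remote_addr only, never the client's header.
            proxy_set_header X-Forwarded-For $remote_addr;
            # Rewrite the Domain attribute of upstream cookies to this site.
            proxy_cookie_domain www.chinasoft.com www.chinasoft.cn;
            proxy_pass https://www.chinasoft.com;
        }

        location /cn {
            rewrite ^/cn/(.*) /$1 permanent;
        }

        location /static {
            root /data/www/vhosts/chinasoft/chinasoft_web_html/converter_middle;
        }

        # original location, commented out
        #location / {
        #        proxy_cookie_domain www.chinasoft.com www.chinasoft.cn;
        #    proxy_pass https://www.chinasoft.com/cn/;
        #}

        # new configuration
        location / {
            if (-d $request_filename){
                rewrite (.*) $1 break;
            }
            if (-f $request_filename.html){
                rewrite (.*) $1.html break;
            }
            # The original fell back to a named location `@404` that is not
            # defined in this server block, which produces a 500 at request
            # time. `=404` returns the status and lets error_page serve
            # /404.html.
            try_files $uri /index.html =404;
        }

    }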
    
    第二层代理:
    [server02:~]# more /usr/local/nginx/conf/vhost.d/www.chinasoft.com.conf 
    # Second-layer proxy, plain-HTTP listener for chinasoft.com / www.chinasoft.com.
    server {
            listen 80;
            server_name     chinasoft.com www.chinasoft.com ;
            access_log      /data/www/logs/nginx_log/access/www.chinasoft.com_access.log main ;
            error_log       /data/www/logs/nginx_log/error/www.chinasoft.com_error.log;
            root            /data/www/vhosts/chinasoft/chinasoft_web/web;
            index           index.html index.php ;
        include    rewrite.d/chinasoft.com.conf ;
        error_page  404 403             /404.html;    
            
            # Callback endpoint proxied to a backend on port 7980.
            location ^~ /middle/file/test-oss-callback {
                # Appends this hop's $remote_addr to whatever X-Forwarded-For
                # header arrived with the request.
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header REMOTE-HOST $remote_addr;
                # Passes the request's Authorization value to the backend under
                # the header name HTTP_AUTHORIZATION.
                proxy_set_header HTTP_AUTHORIZATION $http_authorization;
                proxy_pass_header Server;
                proxy_redirect off;
                proxy_pass http://1.1.1.1:7980/middle/file/oss-callback;
            }
    
        # NOTE(review): server-level rewrite directives run before a location is
        # selected, and this pattern matches every URI, so each request gets a
        # 301 to HTTPS and the location above does not appear to be reached.
        # If the callback is meant to work over plain HTTP, the redirect would
        # have to move into `location /` -- confirm the intent.
        rewrite ^/(.*)$ https://www.chinasoft.com/$1 permanent;    #redirect to HTTPS
    
    
    }
    
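    server {
        # Second-layer proxy, HTTPS listener.
        # `listen ... ssl` replaces the deprecated `ssl on;` directive.
        listen 443 ssl;
        server_name     www.chinasoft.com chinasoft.com;

        ssl_certificate         /usr/local/nginx/conf/cert2016/chinasoft_com.crt;
        ssl_certificate_key     /usr/local/nginx/conf/cert2016/chinasoft_com.key;
        ssl_dhparam             /usr/local/nginx/conf/cert2016/dh_2048.pem;

        ssl_session_timeout     5m;
        # TLSv1 and TLSv1.1 are deprecated and no longer offered. Add TLSv1.3
        # when the installed nginx/OpenSSL build supports it.
        ssl_protocols   TLSv1.2;

        # Same suite list as before, restored to a single line (the pasted
        # listing had wrapped it in the middle of suite names) and with the
        # 3DES (DES-CBC3) suites excluded.
        ssl_ciphers     "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!AES128-SHA256:!AES256-SHA256:!AES128-SHA:!AES256-SHA:AES:!CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH";
        ssl_prefer_server_ciphers       on;

        # NOTE(review): compressing TLS responses that contain both secrets and
        # reflected request data is the precondition for BREACH-style attacks;
        # confirm that is acceptable for the dynamic pages served here.
        gzip on;
        gzip_min_length 1k;
        gzip_buffers 4 16k;
        gzip_comp_level 5;
        gzip_types text/plain application/x-javascript text/css application/xml text/javascript;

        access_log      /data/www/logs/nginx_log/access/www.chinasoft.com_access.log main ;
        error_log       /data/www/logs/nginx_log/error/www.chinasoft.com_error.log ;
        root            /data/www/vhosts/chinasoft/chinasoft_web/web;
        index           index.html index.php ;

        # Example only (left commented out): with http_realip_module built in,
        # these two directives make $remote_addr the client address for requests
        # that arrive from the trusted first-layer proxy, and leave it as the
        # TCP peer for everyone else.
        #set_real_ip_from  <first-layer proxy address>;   # placeholder
        #real_ip_header    X-Forwarded-For;

        include         rewrite.d/chinasoft.com.conf ;
        error_page 404  @error404;
        location /cn { include  rewrite.d/chinasoft.cn.conf ; }

        # Language-specific 404 page when the URI starts with a language code.
        location @error404 {
            rewrite ^/(fr|de|it|es|pt|nl|hi|jp|ru|kr|id|ar|cn) /$1/404.html last;
            rewrite ^ /404.html last;
        }
        # Add the trailing slash to bare language directories.
        location ~ /(fr|de|it|es|pt|nl|hi|jp|ru|kr|id|ar|vn|tr|th|ro|zh-tw|cn)$ {
            rewrite ^/(.*)$ /$1/ permanent;
        }

        location ^~ /middle/file/test-oss-callback {
            # Appends this hop's $remote_addr to the X-Forwarded-For header
            # that arrived with the request.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header REMOTE-HOST $remote_addr;
            proxy_set_header HTTP_AUTHORIZATION $http_authorization;
            proxy_pass_header Server;
            proxy_redirect off;
            proxy_pass http://127.0.0.1:7980/middle/file/test-oss-callback;
        }

        location ~ ^/(middle|app)/ {
            #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            #proxy_set_header REMOTE-HOST $remote_addr;
            #proxy_set_header HTTP_AUTHORIZATION $http_authorization;
            #proxy_pass_header Server;

            # NOTE(review): no proxy_pass is visible in this location, so these
            # proxy_set_header lines only matter if the included proxy_params
            # file proxies the request -- confirm. On this inner layer
            # $remote_addr is the connecting peer, which is the first-layer
            # proxy for traffic that came through it, so forwarding it alone
            # replaces the client address the first layer recorded.
            proxy_set_header Host $host;
            proxy_set_header X-Real-Ip $remote_addr;
            proxy_set_header X-Forwarded-For $remote_addr;
            expires 1d;
            include proxy_params;

            # $flag ends up as "21" only when the request path is neither a
            # directory nor a file; such requests go to the PHP front controller.
            if (!-d $request_filename){
                set $flag 1$flag;
            }
            if (!-f $request_filename){
                set $flag 2$flag;
            }
            if ($flag = "21"){
                rewrite ^(.*)$ /index.php last;
            }
        }

        # The dot is escaped so that only URIs ending in ".php" match; the
        # original `~ .php$` accepted any character in that position.
        location ~ \.php$ {
            # Return 404 for script names that do not exist on disk instead of
            # handing an arbitrary path to PHP.
            try_files $uri =404;
            #fastcgi_pass 127.0.0.1:9000;
            fastcgi_pass   unix:/tmp/php-cgi.sock;
            fastcgi_index  index.php;
            fastcgi_read_timeout 600;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            include        fastcgi_params;
            expires -1;
        }

        location /static {
            root /data/www/vhosts/chinasoft/chinasoft_web_html/converter_middle;
        }

        location / {
            #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            #proxy_set_header REMOTE-HOST $remote_addr;
            #proxy_set_header HTTP_AUTHORIZATION $http_authorization;
            #proxy_pass_header Server;

            # NOTE(review): this location serves static files and has no
            # proxy_pass, so the three proxy_set_header lines have no visible
            # effect here.
            proxy_set_header Host $host;
            proxy_set_header X-Real-Ip $remote_addr;
            proxy_set_header X-Forwarded-For $remote_addr;

            expires -10d;
            add_header Cache-Control no-cache;
            root /data/www/vhosts/chinasoft/chinasoft_web_html/converter_middle/templates;
            index index.html;
            if (-d $request_filename){
                rewrite (.*) $1 break;
            }
            if (!-f $request_filename){
                rewrite (.*) $1.html break;
            }
            try_files $uri /index.html @error404;
        }

    }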
    
    nginx多层代理获取客户端的真实ip总结:
    
    1、编译Nginx时,添加http_realip_module模块(仅编译该模块不会自动生效,还需要在内层nginx中用 set_real_ip_from 指定可信的上一层代理地址,并用 real_ip_header 指定从哪个请求头取客户端地址)
    
    2、在nginx.conf文件中
    
    proxy_pass  xxxxxx添加下面三行
    # Host: pass the host name of the current request on to the upstream.
    proxy_set_header   Host             $host;
    # X-Real-IP: address of the peer that connected to this nginx instance.
    proxy_set_header   X-Real-IP        $remote_addr;
    # $proxy_add_x_forwarded_for is the incoming X-Forwarded-For header (if any)
    # with $remote_addr appended. On the outermost proxy the incoming header
    # comes from the client and can be forged, so that layer should forward
    # $remote_addr alone; inner layers append as shown here.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    
    3、在每一层nginx日志中打印的"$http_x_forwarded_for"就是真实客户端的ip地址。注意:在最外层(直接面向用户)的nginx上,$http_x_forwarded_for 是客户端自己发送的请求头,可以任意伪造,这一层的真实来源地址应以 $remote_addr 为准。
    4、后台服务器获取真实的客户端ip地址:
    
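    headers中的X-Forwarded-For选项中逗号前第一个ip就是真实客户端ip。前提是最外层代理用 $remote_addr 覆盖了该请求头(如上面第一层443配置);如果最外层使用 $proxy_add_x_forwarded_for,客户端自带的X-Forwarded-For会被保留在最前面,第一个ip就可能是伪造的,不能直接用于访问控制、限流或审计。更稳妥的做法是在内层用 set_real_ip_from / real_ip_header(必要时加 real_ip_recursive on)只信任已知代理写入的地址。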
    
    日志中获取真实ip:  $http_x_forwarded_for 就是获取真实ip的变量
    
    # Field 1 is $remote_addr, the address of the directly connected peer.
    # Field 2 is $http_x_forwarded_for, the X-Forwarded-For request header
    # exactly as received; treat it as untrusted unless the request came
    # from a known proxy.
    log_format main  '$remote_addr $http_x_forwarded_for - - [$time_local] - - "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_time ';

    # more /usr/local/nginx/conf/rewrite.d/chinsoft.com.conf
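    # Redirect /<path>/index.html and /<path>/indice.html to /<path>.
    # The dot before "html" is escaped so it matches a literal "." only;
    # unescaped, it matched any character in that position.
    if ($request_uri ~ ^/(.*)/(index|indice)\.(html)) { rewrite ^/(.*)/(index|indice)\.(html) /$1 permanent;}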

  • 原文地址:https://www.cnblogs.com/reblue520/p/11065629.html