Nginx获取自定义头部header的值

1、nginx是支持读取非nginx标准的用户自定义header的，但是需要在http或者server下开启header的下划线支持:

• underscores_in_headers on;

2、比如我们自定义header为X-Real-IP,通过第二个nginx获取该header时需要这样:

• $http_x_real_ip; (一律采用小写，而且前面多了个http_)

3、如果需要把自定义header传递到下一个nginx：

• 如果是在nginx中自定义采用proxy_set_header X_CUSTOM_HEADER $http_host;
• 如果是在用户请求时自定义的header，例如curl –head -H “X_CUSTOM_HEADER: foo” http://domain.com/api/test，则需要通过proxy_pass_header X_CUSTOM_HEADER来传递

注意nginx 1.11.x后的版本才支持 request_id 内置变量

示例：

http{

    underscores_in_headers on;

    upstream myServer {   
        server 127.0.0.1:8082;
    }

server { listen 80; server_name localhost; location / { proxy_set_header Some-Thing $http_x_custom_header;; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_pass http://myServer; } } 

示例：

    网络架构：

        源站 <-->  1层nginx代理 <-->  2层nginx代理 <--> CDN <-->客户端

2层代理  nginx.conf

    underscores_in_headers on;

    log_format  main  '$http_x_forwarded_for`$remote_addr`$proxy_add_x_forwarded_for`[$time_local]`"$request"`'
                      '$status`$body_bytes_sent`"$http_referer"`'
                      '"$http_user_agent"`"$request_time"`'
                      '$request_id`$upstream_response_time`$upstream_addr`$upstream_connect_time`$upstream_status';

2层代理站点配置：

location中设置 proxy_set_header

upstream pc_proxy_group_ssl {
        ip_hash;
        zone pc_proxy_group_ssl_up 1m;
        server x.x.x.x:443 weight=10;
        server x.x.x.x2:443 weight=10;
        check interval=3000 rise=2 fall=5 timeout=2000 type=ssl_hello;
}

server {
        listen      443 ssl;
        server_name www.xx.com;
        access_log  logs/www.xx.com.access.log  main;
        ssl                  on;
        ssl_certificate      SSL_Certificate/xx.com/_.xx.com.cer;
        ssl_certificate_key  SSL_Certificate/xx.com/_.xx.com.key;
        ssl_session_timeout  5m;
        ssl_protocols                   TLSv1.2 TLSv1.1 TLSv1;
        ssl_ciphers  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:WEAK112TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA:FS256TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
        ssl_prefer_server_ciphers   on;

        location / {
                proxy_pass https://pc_proxy_group_ssl;
                proxy_redirect default;
                proxy_set_header   Host             $host;
                proxy_set_header   X-Real-IP        $remote_addr;
                proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
                proxy_set_header   X-Request-ID     $request_id;
                
        }
}

注意：

    如果想把 proxy_set_header 设置在 http 块全部生效，那么，server块、location块中不能再出现 proxy_set_header，如果能则不继续

1层代理nginx.conf配置：

user nginx nginx;
worker_processes auto;
worker_cpu_affinity auto;

error_log  logs/error.log;
pid        logs/nginx.pid;
worker_rlimit_nofile 65535;

events {
    use epoll;
    worker_connections 65535;
}


http {
    ## HttpGuard
    lua_package_path "/etc/nginx/httpGuard/?.lua";
    lua_shared_dict dict_system 10m;
    lua_shared_dict dict_black 50m;
    lua_shared_dict dict_white 50m;
    lua_shared_dict dict_challenge 100m;
    lua_shared_dict dict_byDenyIp 30m;
    lua_shared_dict dict_byWhiteIp 30m;
    lua_shared_dict dict_captcha 70m;
    lua_shared_dict dict_others 30m;
    lua_shared_dict dict_perUrlRateLimit 30m;
    lua_shared_dict dict_needVerify 30m;
    init_by_lua_file "/etc/nginx/httpGuard/init.lua";
    access_by_lua_file "/etc/nginx/httpGuard/runtime.lua";
    lua_max_running_timers 1;


    include       mime.types;
    default_type  application/octet-stream;
    log_format  main  '$http_x_forwarded_for`$remote_addr`$proxy_add_x_forwarded_for`[$time_local]`"$request"`'
                      '$status`$body_bytes_sent`"$http_referer"`'
                      '"$http_user_agent"`"$request_time"`'
                      '$http_x_request_id`$upstream_response_time`$upstream_addr`$upstream_connect_time`$upstream_status';

    log_format  access  '$remote_addr`[$time_local]`"$request"`'
                      '$status`$body_bytes_sent`"$http_referer"`'
                      '"$http_user_agent"`"$http_x_forwarded_for"`'
                      '$http_x_request_id`$upstream_response_time`$upstream_addr`$upstream_connect_time`$upstream_status';

#    proxy_ignore_client_abort on;
    proxy_headers_hash_max_size 2048;
    proxy_headers_hash_bucket_size 256;
    sendfile    on;
    tcp_nopush  on;
    tcp_nodelay on;
    keepalive_timeout 60;
    server_tokens off;
    proxy_hide_header X-Powered-By;
    proxy_hide_header X-AspNet-Version;

    gzip    on;
    gzip_min_length 1k;
    gzip_buffers    4 16k;
    gzip_http_version 1.1;
    gzip_comp_level 2;
    gzip_types  text/plain  application/x-javascript text/css application/xml;
    gzip_vary on;

    client_max_body_size 100m;
    client_body_buffer_size 128k;
    client_body_temp_path /dev/shm/client_body_temp;
    proxy_connect_timeout 600;
    proxy_read_timeout 600;
    proxy_send_timeout 600;
    proxy_buffer_size 16k;
    proxy_buffers 32 32k;
    proxy_busy_buffers_size 64k;
    proxy_temp_file_write_size 64k;
    proxy_temp_path /dev/shm/proxy_temp;


    map $http_x_forwarded_for $clientRealIp {
        "" $remote_addr;
        ~^(?P<firstAddr>[0-9.]+),?.*$ $firstAddr;
    }

    include /etc/nginx/conf.d/*.conf;

}

1层代理站点配置：

upstream pc_proxy_group {
        ip_hash;
        zone pc_proxy_group_ssl_up 1m;
        server x.x.x.x:8080 weight=10;
        server x.x.x.x2:8080 weight=10;

        check interval=3000 rise=2 fall=5 timeout=2000 type=http;
        check_http_send "GET /do_not_delete/check.html HTTP/1.0 ";

}



server {
        listen      443 ssl;
        server_name www.xx.com;
        access_log  logs/www.xx.com.access.log  main;
        ssl                  on;
        ssl_certificate      SSL_Certificate/xx.com/_.xx.com.cer;
        ssl_certificate_key  SSL_Certificate/xx.com/_.xx.com.key;
        ssl_session_timeout  5m;
        ssl_protocols        TLSv1.2 TLSv1.1 TLSv1;
        ssl_ciphers  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:WEAK112TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA:FS256TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
        ssl_prefer_server_ciphers   on;

        location / {
                proxy_pass http://pc_proxy_group;
                proxy_redirect default;
                proxy_set_header   Host             $host;
                proxy_set_header   X-Real-IP        $remote_addr;
                proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
                
        }
}

若源站为IIS，可使用IIS 高级日志记录获取httpd头 X-Request-ID，其他web容器通过其他方法获取请求ID