Detailed explanation of the process of nginx obtaining the real source IP after passing through multiple layers of proxy

Problem

Nginx takes $remote_addr as the real IP address, but behind a proxy $remote_addr is only the address of the upstream proxy; the user's real IP address is in $http_X_Forwarded_For.

Solution:

Add the following to the http block:

set_real_ip_from 172.17.10.125; # the upper proxy IP address
real_ip_header X-Forwarded-For;
real_ip_recursive on;

After adding these directives, nginx reports an error on startup:

nginx: [emerg] unknown directive "set_real_ip_from" in /home/lnidmp/nginx/conf/nginx.conf:26

The realip module is missing, so nginx has to be recompiled with it:

1. cd /usr/local/nginx-1.15.12

2. ./configure --prefix=/usr/cmcc/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_realip_module

3. make && make install

Notes:

1. set_real_ip_from specifies which trusted proxies nginx accepts the real user IP from.

2. real_ip_header specifies which HTTP header of the received request carries the user IP sent by the previous proxy.

3. real_ip_recursive: whether to exclude trusted addresses recursively until the user IP is obtained (default is off).

First, real_ip_header specifies an HTTP header name; the default is X-Real-Ip. Assuming the default value is used, nginx checks the X-Real-Ip header after receiving a request.

(1) If the header contains an IP, nginx checks whether the sender's IP is in the trusted IP list specified by set_real_ip_from. If the sender is trusted, nginx treats the IP value in X-Real-Ip as the user's real IP as reported by the front proxy and assigns it to its own $remote_addr variable. If the sender is not trusted, the header is not processed and $remote_addr remains the sender's IP address.

(2) X-Real-Ip may hold multiple IP values, for example when the previous proxy is configured like this:

proxy_set_header X-Real-Ip $proxy_add_x_forwarded_for;

In that case the header holds a list of IPs, so the value of real_ip_recursive is crucial. Nginx walks the IP list from right to left, comparing each address with the trusted list from set_real_ip_from.

If real_ip_recursive is off, then when the rightmost IP is found to be a trusted IP, the next IP (the second one from the right) is considered to be the user's real IP.

If real_ip_recursive is on, the IP addresses are compared from right to left until an untrusted IP address is found.

That IP value is then copied to $remote_addr as well.
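The right-to-left selection described above, as a simplified Python model (an added example, not code from the original article or from nginx). It treats the connecting peer as the rightmost address of the chain; `resolve_real_ip` is a hypothetical name, and the 10.0.0.0/8 trust entry and sample addresses are constructed for illustration.

```python
import ipaddress

def resolve_real_ip(peer, header_value, trusted, recursive):
    """Simplified model of realip address selection (an assumption, not nginx source).

    peer: address of the TCP connection; header_value: raw real_ip_header value;
    trusted: set_real_ip_from entries (IP or CIDR); recursive: real_ip_recursive.
    """
    nets = [ipaddress.ip_network(t, strict=False) for t in trusted]

    def is_trusted(addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in nets)

    # The header is honoured only when the connecting peer is a trusted proxy.
    if not is_trusted(peer):
        return peer
    hops = [h.strip() for h in header_value.split(",") if h.strip()]
    current = peer
    # Walk right to left: a trusted address is replaced by the entry to its left.
    while hops and is_trusted(current):
        candidate = hops.pop()
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break  # unparsable entry: keep the address resolved so far
        current = candidate
        if not recursive:
            break
    return current

# Constructed sample: client -> edge proxy 10.0.0.5 -> proxy 172.17.10.125 -> nginx.
# The first header entry was supplied by the client itself.
TRUSTED = ["172.17.10.125", "10.0.0.0/8"]
PEER = "172.17.10.125"
HEADER = "198.51.100.99, 203.0.113.7, 10.0.0.5"

if __name__ == "__main__":
    print(resolve_real_ip(PEER, HEADER, TRUSTED, recursive=True))    # real client
    print(resolve_real_ip(PEER, HEADER, TRUSTED, recursive=False))   # edge proxy
    print(resolve_real_ip("203.0.113.7", HEADER, TRUSTED, True))     # untrusted peer
    print(resolve_real_ip(PEER, HEADER, ["0.0.0.0/0"], True))        # over-broad trust
```

The last call shows why set_real_ip_from should list only proxies you operate: with a trust range that covers every address, the walk never stops and the client-supplied leftmost entry ends up in $remote_addr.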

The production nginx configuration file is as follows:

user www;
worker_processes 10;
worker_rlimit_nofile 51200;

#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
error_log /data/logs/nginx_error.log crit;

#pid logs/nginx.pid;


events {
 use epoll;
 worker_connections 51200;
}

http {
 include mime.types;
 default_type application/octet-stream;

 #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
 # '$status $body_bytes_sent "$http_referer" '
 # '"$http_user_agent" "$http_x_forwarded_for"';

 #access_log logs/access.log main;

 server_names_hash_bucket_size 128;
 server_tokens off;
 expires 1h;
 sendfile off; 
 tcp_nopush on;
 fastcgi_connect_timeout 1200s;
 fastcgi_send_timeout 1200s;
 fastcgi_read_timeout 1200s;
 fastcgi_buffer_size 128k;
 fastcgi_buffers 8 128k;#8 128
 fastcgi_busy_buffers_size 256k;
 fastcgi_temp_file_write_size 256k;
 keepalive_timeout 65;
 tcp_nodelay on;
 error_page 404 /; 
 gzip on;
 gzip_min_length 2048;
 gzip_buffers 4 16k;
 gzip_http_version 1.1;
 gzip_types text/plain css html application/xml application/x-javascript ;

 set_real_ip_from 172.17.10.125; # the upper proxy IP address
 real_ip_recursive on;
 real_ip_header X-Forwarded-For;

 log_format access '$remote_addr - $remote_user [$time_local] "$request" '
       '$status $body_bytes_sent "$http_referer" '
       '"$http_user_agent" $http_x_forwarded_for';
##################### include ##############################################

include conf.d/*.conf;
}
