Problem

Nginx takes $remote_addr as the real IP address, but in fact $http_X_Forwarded_For holds the user's real IP address, and $remote_addr is only the address of the upper-layer proxy.

Solution:

Add the following to the http block:

    set_real_ip_from 172.17.10.125;   # the upper proxy IP address
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;

After adding these lines, starting nginx reports an error:

    nginx: [emerg] unknown directive "set_real_ip_from" in /home/lnidmp/nginx/conf/nginx.conf:26

The realip module has to be added and nginx recompiled:

1. cd /usr/local/nginx-1.15.12
2. ./configure --prefix=/usr/cmcc/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_realip_module
3. make && make install

Tips:

1. set_real_ip_from specifies the trusted proxies from which a real user IP is accepted.
2. real_ip_header names the HTTP header of the received request from which the user IP sent by the previous proxy is read.
3. real_ip_recursive: whether to exclude addresses recursively until the user IP is obtained (default is off).

First, real_ip_header specifies an HTTP header name; the default is X-Real-Ip. Assuming the default value is used, nginx checks the X-Real-Ip header after receiving the request.

(1) If the header contains an IP, nginx checks whether the sender's IP is in the trusted IP list specified by set_real_ip_from. If the sender is trusted, nginx treats the IP value in X-Real-Ip as the user's real IP as reported by the front proxy and assigns it to its own $remote_addr variable. If the sender is not trusted, the header is not processed and $remote_addr remains the sender's IP address.

(2) X-Real-Ip may contain multiple IP values, for example when the previous proxy is configured like this:

    proxy_set_header X-Real-Ip $proxy_add_x_forwarded_for;

In that case nginx receives a list of IPs, so the value of real_ip_recursive is crucial. Nginx compares the IPs in the list, from right to left, against the trust list given by set_real_ip_from.

If real_ip_recursive is off, then when the rightmost IP is found to be a trusted IP, the next IP (the second one from the right) is considered to be the user's real IP.

If real_ip_recursive is on, the IP addresses are compared from right to left until an untrusted IP address is found. That IP value is then copied to $remote_addr as well.

The production nginx configuration file is as follows:

    user www;
    worker_processes 10;
    worker_rlimit_nofile 51200;

    #error_log logs/error.log;
    #error_log logs/error.log notice;
    #error_log logs/error.log info;
    error_log /data/logs/nginx_error.log crit;

    #pid logs/nginx.pid;

    events {
        use epoll;
        worker_connections 51200;
    }

    http {
        include mime.types;
        default_type application/octet-stream;

        #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
        #                '$status $body_bytes_sent "$http_referer" '
        #                '"$http_user_agent" "$http_x_forwarded_for"';
        #access_log logs/access.log main;

        server_names_hash_bucket_size 128;
        server_tokens off;
        expires 1h;
        sendfile off;
        tcp_nopush on;

        fastcgi_connect_timeout 1200s;
        fastcgi_send_timeout 1200s;
        fastcgi_read_timeout 1200s;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 8 128k;  #8 128
        fastcgi_busy_buffers_size 256k;
        fastcgi_temp_file_write_size 256k;

        keepalive_timeout 65;
        tcp_nodelay on;
        error_page 404 /;

        gzip on;
        gzip_min_length 2048;
        gzip_buffers 4 16k;
        gzip_http_version 1.1;
        gzip_types text/plain css html application/xml application/x-javascript;

        # Real client IP: trust only the upper proxy
        set_real_ip_from <upper proxy IP address>;
        real_ip_recursive on;
        real_ip_header X-Forwarded-For;

        log_format access '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" $http_x_forwarded_for';

        ##################### include ##############################################
        include conf.d/*.conf;
    }
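The right-to-left selection described above can be checked with a small model. This is an added example, not code from the original article or from nginx; it follows the behaviour documented for the realip module, and the function name resolve_remote_addr, the sample header and the second proxy 10.0.0.5 are constructed for illustration.

```python
import ipaddress

def resolve_remote_addr(peer, header, trusted, recursive):
    """Model of the address the realip module assigns to $remote_addr.

    peer      -- address of the TCP peer (the original $remote_addr)
    header    -- value of the header named by real_ip_header
    trusted   -- addresses/CIDRs listed in set_real_ip_from
    recursive -- the real_ip_recursive setting
    """
    nets = [ipaddress.ip_network(t) for t in trusted]

    def is_trusted(ip):
        return any(ipaddress.ip_address(ip) in n for n in nets)

    hops = [h.strip() for h in header.split(",") if h.strip()]
    addr = peer
    # Walk the header right to left while the current address is trusted.
    while hops and is_trusted(addr):
        candidate = hops.pop()
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break          # unparsable entry: keep the address found so far
        addr = candidate
        if not recursive:
            break          # off: only the rightmost header entry is used
    return addr

# Constructed sample: the leftmost entry is whatever the client itself sent.
XFF = "198.51.100.9, 203.0.113.7, 10.0.0.5"
PROXIES = ["172.17.10.125", "10.0.0.5"]   # 10.0.0.5 is a hypothetical inner proxy

if __name__ == "__main__":
    cases = [
        ("recursive on ", "172.17.10.125", PROXIES, True),
        ("recursive off", "172.17.10.125", PROXIES, False),
        ("untrusted peer", "203.0.113.50", PROXIES, True),
        ("trust 0.0.0.0/0", "172.17.10.125", ["0.0.0.0/0"], True),
    ]
    for label, peer, trusted, rec in cases:
        print(label, "->", resolve_remote_addr(peer, XFF, trusted, rec))
```

The last case shows why set_real_ip_from should list only your own proxies: when every address is trusted and real_ip_recursive is on, the leftmost, client-supplied entry becomes $remote_addr.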