Passing through the real client IP
1. Passing through the client's real IP behind proxies (layer-7 load balancing)
http https url security
Environment:
10.0.0.5 proxy_node1
10.0.0.6 proxy_node2
10.0.0.7 proxy_node3
10.0.0.8 webserver
Domain name:
ip.oldboy.com resolves to 10.0.0.5
proxy_node1 configuration:
[root@lb01 conf.d]# cat ip.oldboy.com.conf
server {
listen 80;
server_name ip.oldboy.com;
location / {
proxy_pass http://10.0.0.6;
proxy_http_version 1.1;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
proxy_node2 configuration:
[root@lb01 conf.d]# cat ip.oldboy.com.conf
server {
listen 80;
server_name ip.oldboy.com;
location / {
proxy_pass http://10.0.0.7;
proxy_http_version 1.1;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
proxy_node3 configuration:
[root@lb01 conf.d]# cat ip.oldboy.com.conf
server {
listen 80;
server_name ip.oldboy.com;
location / {
proxy_pass http://10.0.0.8;
proxy_http_version 1.1;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
webserver configuration:
[root@web02 conf.d]# cat ip.oldboy.com.conf
server {
listen 80;
server_name ip.oldboy.com;
root /code;
location / {
index index.php index.html;
}
location ~ \.php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
Prepare the PHP code to extract the real IP:
[root@web02 code]# cat index.php
<?php
$ip = getenv("HTTP_X_FORWARDED_FOR");
echo "这个是X_FORWARDED_FOR: $ip";
?>
index.html
ip.oldboy.com
Hijack name resolution with a hosts entry:
10.0.0.5 ip.oldboy.com
Test method 1: search for x_for
Test method 2: packet capture
proxy_node1 log:
10.0.0.1 - - [03/Oct/2019:14:45:15 +0800]
proxy_node2 log:
10.0.0.5 - - [03/Oct/2019:14:45:14 +0800] GET / HTTP/1.1" 200 "10.0.0.1"
proxy_node3 log:
10.0.0.6 - - [03/Oct/2019:14:45:15 +0800] GET / HTTP/1.1" 200 "10.0.0.1, 10.0.0.5"
webserver log:
10.0.0.7 - - [03/Oct/2019:14:45:15 +0800] "GET / HTTP/1.1" 200 95442 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36" "10.0.0.1, 10.0.0.5, 10.0.0.6"
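Use the nginx realip module (ngx_http_realip_module) to obtain the client's real IP address behind multiple levels of proxies. This needs to be configured on the web server:
set_real_ip_from 10.0.0.5;
set_real_ip_from 10.0.0.6;
set_real_ip_from 10.0.0.7;
real_ip_header X-Forwarded-For;
real_ip_recursive on;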
[root@web02 conf.d]# cat ip.oldboy.com.conf
server {
listen 80;
server_name ip.oldboy.com;
root /code;
set_real_ip_from 10.0.0.5;
set_real_ip_from 10.0.0.6;
set_real_ip_from 10.0.0.7;
real_ip_header X-Forwarded-For;
# recursive search: use the last non-trusted address in X-Forwarded-For
real_ip_recursive on;
location / {
index index.php index.html;
}
location ~ \.php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
Final result on the webserver:
10.0.0.1 - - [03/Oct/2019:15:23:20 +0800] "GET /index.php HTTP/1.1" 200 65 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36" "10.0.0.1, 10.0.0.5, 10.0.0.6"
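The following Python sketch is an added example, not part of the original notes and not nginx's own code. It is a simplified model of how the set_real_ip_from and real_ip_recursive settings above pick the client address out of X-Forwarded-For. The function names and the 203.0.113.9 entry are constructed for illustration; the other addresses come from this page.

```python
import ipaddress

# Trusted proxies: the three set_real_ip_from addresses on this page.
TRUSTED = [ipaddress.ip_network(n) for n in ("10.0.0.5", "10.0.0.6", "10.0.0.7")]


def is_trusted(addr):
    """True if addr is a valid IP inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED)


def resolve_client_ip(remote_addr, xff, recursive):
    """Simplified model of realip selection for one request."""
    # The header is honoured only when the direct peer is a trusted proxy.
    if not is_trusted(remote_addr):
        return remote_addr
    client = remote_addr
    # Walk the header right to left (nearest hop first).
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # unparseable entry: keep the address accepted so far
        client = hop
        # Off: stop at the last entry. On: continue only past trusted proxies.
        if not recursive or not is_trusted(hop):
            break
    return client


def demo():
    """Run the page's header plus two constructed variants."""
    page_xff = "10.0.0.1, 10.0.0.5, 10.0.0.6"  # from the webserver log above
    padded = "203.0.113.9, " + page_xff        # constructed: client-sent entry
    return {
        "recursive_on": resolve_client_ip("10.0.0.7", page_xff, True),
        "recursive_off": resolve_client_ip("10.0.0.7", page_xff, False),
        "client_sent_entry": resolve_client_ip("10.0.0.7", padded, True),
        "untrusted_peer": resolve_client_ip("10.0.0.1", "203.0.113.9", True),
    }


if __name__ == "__main__":
    for name, ip in demo().items():
        print(f"{name}: {ip}")
```

With recursive search off the model returns the nearest proxy (10.0.0.6) rather than the client, and an entry already present in the header when the request reaches proxy_node1 sits to the left of the address that proxy appends, so it is never selected.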