
Nginx: obtaining the real client IP address behind an Nginx proxy and forwarding it to Tomcat

In production it is common for a company to put a single traffic entry point (Nginx or LVS) in front of several platforms. The entry point forwards traffic to each platform's own load balancer, which in turn forwards requests to the real web application servers. In this setup a client request is forwarded twice between the entry point and the real server, so we need the real server, as well as both proxies in front of it, to obtain the real client IP address.

Traffic entry Nginx configuration

Log format:

    log_format  main  '$remote_addr" "$remote_user" "$time_iso8601" "$request"'
                      ' "$status" "$body_bytes_sent" "$connection" "$connection_requests" "$http_referer"'
                      ' "$http_user_agent" "$http_x_forwarded_for" "$gzip_ratio" "$request_time"'
                      ' "$upstream_addr" "$upstream_response_time" "$upstream_status" "$http_host"';
    access_log  logs/access.log  main;

Real client IP forwarding configuration

        location / {
            proxy_pass http://192.168.31.242;                   # forward to the portal's Nginx proxy
            proxy_http_version 1.1;                             # use HTTP/1.1
            proxy_set_header Host $host;                        # pass on the requested host name
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # Pass the real client IP to 192.168.31.242 via X-Forwarded-For. If $remote_addr were
            # used instead, the portal Nginx would see the entry point's address, not the real client's.
        }

Portal entry Nginx configuration

Log format:

    log_format  main  '$http_x_forwarded_for" "$remote_addr"  "$remote_user" "$time_iso8601" "$request"'
                      ' "$status" "$body_bytes_sent" "$connection" "$connection_requests" "$http_referer"'
                      ' "$http_user_agent" "$gzip_ratio" "$request_time"'
                      ' "$upstream_addr" "$upstream_response_time" "$upstream_status" "$http_host"';
    access_log  logs/access.log  main;

$http_x_forwarded_for: the real client IP address as carried through the proxy
$remote_addr: the IP address of the peer that connected (here this is the traffic entry Nginx)

Real client IP forwarding configuration
Once the portal entry Nginx has the real client IP address, it forwards it to the backend application server.

        location / {
            proxy_pass http://192.168.31.244:8080;      # forward to the application server
            proxy_http_version 1.1;                     # use HTTP/1.1
            proxy_set_header Host $host;                # pass on the requested host name
            proxy_set_header Port $proxy_port;          # pass the proxied port to the backend
            proxy_set_header X-Real-IP $remote_addr;    # pass the remote peer address to the backend
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # pass the real client IP to 192.168.31.244 via X-Forwarded-For
        }

Portal application server (Tomcat) configuration

Change the Tomcat access log format

    vim conf/server.xml

        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%t %{X-Forwarded-For}i %{X-Real-IP}i %h:%p %A:%{Port}i %m %s %S %u %H %v %U %b %T %I" />

%{X-Forwarded-For}i
The real client IP address forwarded by the portal Nginx

%{X-Real-IP}i
The client address as set by the previous Nginx in proxy_set_header

Viewing the logs

1. Traffic entry Nginx log
Key fields:

  1. 192.168.31.72: original client IP address (log variable $remote_addr)
  2. 192.168.31.242:80: upstream address (log variable $upstream_addr)
192.168.31.72" "-" "2020-04-12T17:13:24+08:00" "GET / HTTP/1.1" "200" "2065" "948" "1" "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15" "-" "5.45" "0.390" "192.168.31.242:80" "0.389" "200" "devops.cn"
192.168.31.72" "-" "2020-04-12T17:13:25+08:00" "GET / HTTP/1.1" "200" "2065" "948" "2" "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15" "-" "5.45" "0.012" "192.168.31.242:80" "0.013" "200" "devops.cn"
192.168.31.72" "-" "2020-04-12T17:13:26+08:00" "GET / HTTP/1.1" "200" "2065" "948" "3" "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15" "-" "5.45" "0.007" "192.168.31.242:80" "0.007" "200" "devops.cn"

2. Portal entry Nginx log
Key fields:

  1. 192.168.31.72: real client IP address (log variable $http_x_forwarded_for, forwarded by the entry Nginx in X-Forwarded-For)
  2. 192.168.31.243: address of the connecting peer (log variable $remote_addr; here this is the entry Nginx)
  3. 192.168.31.244:8080: upstream address (log variable $upstream_addr)
192.168.31.72" "192.168.31.243"  "-" "2020-04-12T17:13:24+08:00" "GET / HTTP/1.1" "200" "11215" "183" "1" "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15" "-" "0.388" "192.168.31.244:8080" "0.388" "200" "devops.cn"
192.168.31.72" "192.168.31.243"  "-" "2020-04-12T17:13:25+08:00" "GET / HTTP/1.1" "200" "11215" "185" "1" "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15" "-" "0.009" "192.168.31.244:8080" "0.009" "200" "devops.cn"
192.168.31.72" "192.168.31.243"  "-" "2020-04-12T17:13:26+08:00" "GET / HTTP/1.1" "200" "11215" "187" "1" "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15" "-" "0.006" "192.168.31.244:8080" "0.006" "200" "devops.cn"

3. Portal application Tomcat log

  1. 192.168.31.72, 192.168.31.243: the real client IP chain. Because the request passed through two Nginx hops, by the time it reaches Tomcat every address before the last hop is recorded as a client address (from %{X-Forwarded-For}i)
  2. 192.168.31.243: address of the previous peer (from %{X-Real-IP}i; this value was set by the previous Nginx)
  3. 192.168.31.242:80: client address and port (from the Tomcat pattern %h:%p, so the previous Nginx is recorded as the client)
  4. 192.168.31.244:8080: local IP address and port (%A gives the local IP; %{Port}i is the port forwarded by Nginx)
[12/Apr/2020:17:13:24 +0800] 192.168.31.72, 192.168.31.243 192.168.31.243 192.168.31.242:80 192.168.31.244:8080 GET 200 - - HTTP/1.1 devops.cn / 11215 0.213 http-nio-8080-exec-1
[12/Apr/2020:17:13:25 +0800] 192.168.31.72, 192.168.31.243 192.168.31.243 192.168.31.242:80 192.168.31.244:8080 GET 200 - - HTTP/1.1 devops.cn / 11215 0.007 http-nio-8080-exec-2
[12/Apr/2020:17:13:26 +0800] 192.168.31.72, 192.168.31.243 192.168.31.243 192.168.31.242:80 192.168.31.244:8080 GET 200 - - HTTP/1.1 devops.cn / 11215 0.004 http-nio-8080-exec-3
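Because $proxy_add_x_forwarded_for only appends to whatever X-Forwarded-For value already arrived, the leftmost entries of the chain Tomcat receives were written by parties outside our control, and a backend should not simply take the first one. The following added example (not part of the original post) shows a defender-side resolver that walks the chain from the right and skips our own proxy hops; it assumes the two Nginx addresses seen in the logs above (192.168.31.243 and 192.168.31.242) are the only trusted proxies.

```python
import ipaddress
from typing import Optional

# Assumed from the page's topology:
# client -> entry Nginx (192.168.31.243) -> portal Nginx (192.168.31.242) -> Tomcat (192.168.31.244)
TRUSTED_PROXIES = [
    ipaddress.ip_network("192.168.31.243/32"),  # traffic entry Nginx
    ipaddress.ip_network("192.168.31.242/32"),  # portal Nginx
]


def is_trusted(addr: str) -> bool:
    """True if addr belongs to one of our own proxy hops; non-IP junk is never trusted."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def real_client_ip(x_forwarded_for: Optional[str], remote_addr: str) -> str:
    """Resolve the client IP from the X-Forwarded-For chain plus the direct peer.

    Each trusted Nginx appended its own $remote_addr, so the trustworthy part of
    the chain is on the right. Walking right-to-left, the first address that is
    not one of our proxies is the peer that connected to the entry point, i.e.
    the real client. Anything further left was supplied before our proxies saw
    the request and is ignored.
    """
    chain = [remote_addr]  # the TCP peer that connected to us is always authoritative
    if x_forwarded_for:
        hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
        chain = hops + chain
    for hop in reversed(chain):
        if not is_trusted(hop):
            return hop
    # Every hop was one of our proxies (e.g. a health check): fall back to the peer
    return remote_addr


if __name__ == "__main__":
    # Constructed input mirroring the Tomcat log line on this page:
    # XFF "192.168.31.72, 192.168.31.243" arriving from 192.168.31.242
    print(real_client_ip("192.168.31.72, 192.168.31.243", "192.168.31.242"))  # 192.168.31.72
```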
