Nginx restore real IP address when behind a reverse proxy

Category: IT technology · Published: 5 years ago



My Nginx web server is behind a reverse proxy server. How do I restore the original and real IP address of my client/visitors when behind a reverse proxy server such as AWS Cloudfront, Fastly, Cloudflare CDN/WAF?

When our web server is behind a reverse proxy, we see the reverse proxy IP logged in the log files. But we need the user's real IP address. Let us see how to get the real user IP address in nginx behind a reverse proxy server and restore the actual IP address using the ngx_http_realip_module.

Nginx restore real IP address with the ngx_http_realip_module


First, let us check whether Nginx was compiled with the ngx_http_realip_module using the following command:

nginx -V 2>&1 | egrep --color -o 'http_realip_module'

nginx -V 2>&1 | egrep --color -o 'realip_module' 

Sample output indicating that my Nginx was compiled with the required module:

--with-http_realip_module

Step 1 – Restoring visitor IPs by setting header name in Nginx

Edit your nginx configuration file such as nginx.conf or virtual domain config. For example:

sudo vi /etc/nginx/vhosts.d/cyberciti.biz.conf

Set the following in http, server, or location context. Any client can send this header, so nginx honours it only when the connection comes from an address listed with set_real_ip_from (Step 2). If more than one trusted proxy sits in the path and X-Forwarded-For is used, also turn on real_ip_recursive so that nginx walks past every trusted proxy in the list instead of taking just the last entry:

real_ip_header X-Forwarded-For;

Cloudflare users try the following:

real_ip_header CF-Connecting-IP;

Some reverse proxies pass a header named X-Real-IP to backends, so we can use it as follows:

real_ip_header X-Real-IP;

Step 2 – Get user real ip in nginx behind reverse proxy

We need to define the trusted addresses that are known to send correct replacement addresses. Typically these are the addresses of the reverse proxy or load balancer in front of nginx, and only those: any client that reaches nginx from a listed address can set the header to whatever it wants, so a wide range such as 0.0.0.0/0 lets anyone forge the address that ends up in the logs and in allow/deny checks. The syntax is:

set_real_ip_from ipv4_address;

set_real_ip_from ipv6_address;

set_real_ip_from CIDR;

In this instance my trusted upstream proxy is 192.168.1.254

set_real_ip_from 192.168.1.254;

Here are a few more examples:

set_real_ip_from 2606:4700:10::6816:ad6;

Trust the Linode NodeBalancer IP range:

set_real_ip_from 192.168.255.0/24;
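The interaction between real_ip_header, set_real_ip_from and real_ip_recursive is easy to get wrong, and the failure mode is silent: nginx simply logs whatever address the rules produce. The following Python model is an added example, not code from this tutorial or from nginx. It re-implements the documented directive semantics (one header value, no port suffixes, no unix: sockets) so that a configuration can be checked offline against constructed requests; every address in it is an assumed example value.

```python
"""Model of how ngx_http_realip_module chooses the client address.

Added illustration for this tutorial, not code from the page or from
nginx. It re-implements the documented behaviour of set_real_ip_from,
real_ip_header and real_ip_recursive (one header value, no port
suffixes, no unix: sockets) so a configuration can be checked offline
against constructed requests. All addresses are example values.
"""
import ipaddress

# Constructed nginx-style snippet: the proxy 192.168.1.254 and the
# 10.0.0.0/8 network are trusted, nothing else is.
CONF = """
set_real_ip_from 192.168.1.254;
set_real_ip_from 10.0.0.0/8;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
"""


def parse_conf(text):
    """Return (trusted_networks, header_name, recursive) for a snippet."""
    trusted, header, recursive = [], "X-Real-IP", False  # nginx defaults
    for raw in text.splitlines():
        line = raw.strip().rstrip(";")
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        value = value.strip()
        if name == "set_real_ip_from":
            trusted.append(ipaddress.ip_network(value, strict=False))
        elif name == "real_ip_header":
            header = value
        elif name == "real_ip_recursive":
            recursive = value == "on"
    return trusted, header, recursive


def is_trusted(addr, trusted):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted)


def real_ip(remote_addr, headers, conf):
    """Address nginx would expose as $remote_addr for this request.

    remote_addr is the TCP peer; headers is a dict of request headers.
    """
    trusted, header, recursive = conf
    value = next((v for k, v in headers.items() if k.lower() == header.lower()), None)
    if value is None:
        return remote_addr
    # nginx reads the list from right to left: the rightmost entry was added
    # by the proxy closest to us, the leftmost by whoever sent the request.
    hops = [h.strip() for h in value.split(",")]
    addr = remote_addr
    while hops:
        if not is_trusted(addr, trusted):
            break  # the current peer/hop is not a trusted proxy: stop here
        candidate = hops.pop()
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break  # unparsable entry: keep the last good address
        addr = candidate
        if not recursive:
            break  # non-recursive: exactly one replacement, whatever it is
    return addr


CONF_PARSED = parse_conf(CONF)


def scenarios():
    """Constructed requests showing what the configuration does."""
    xff = "X-Forwarded-For"
    non_recursive = parse_conf(CONF.replace("real_ip_recursive on", "real_ip_recursive off"))
    # Trusting everyone (0.0.0.0/0) is the classic mistake.
    trust_all = parse_conf("set_real_ip_from 0.0.0.0/0;\nreal_ip_header X-Forwarded-For;")
    return {
        # Attacker connects directly with a forged header: peer is untrusted,
        # the header is ignored and the attacker's own address is kept.
        "direct_forged": real_ip("203.0.113.7", {xff: "127.0.0.1"}, CONF_PARSED),
        # Normal path through the trusted proxy: the client address is restored.
        "via_proxy": real_ip("192.168.1.254", {xff: "198.51.100.9"}, CONF_PARSED),
        # Client supplied its own forged entry and the proxy appended the true
        # address; walking from the right stops at the first untrusted hop.
        "via_proxy_forged": real_ip("192.168.1.254", {xff: "127.0.0.1, 198.51.100.9"}, CONF_PARSED),
        # Two trusted proxies in the chain: recursion walks past both ...
        "two_proxies": real_ip("192.168.1.254", {xff: "198.51.100.9, 10.0.0.5"}, CONF_PARSED),
        # ... whereas without real_ip_recursive the inner proxy is "the client".
        "two_proxies_nonrecursive": real_ip("192.168.1.254", {xff: "198.51.100.9, 10.0.0.5"}, non_recursive),
        # With 0.0.0.0/0 trusted, the direct attacker's forged header is believed.
        "direct_forged_trust_all": real_ip("203.0.113.7", {xff: "127.0.0.1"}, trust_all),
    }


if __name__ == "__main__":
    for name, addr in scenarios().items():
        print(f"{name:26} -> {addr}")
```

The two cases worth remembering are the last ones: without real_ip_recursive a second proxy hop becomes "the client", and with an over-broad set_real_ip_from the header is trusted from anyone, which turns IP-based logging, rate limits and allow/deny rules into attacker-controlled input.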

Step 3 – Restart nginx server

Check the syntax with nginx -t first, then use the systemctl command (a reload is enough for a configuration change and keeps existing connections open):

sudo systemctl restart nginx
## or ##
sudo systemctl reload nginx

On other Unix-like systems, or where systemd is not in use, try:

sudo nginx -s reload

Step 4 – Cloudflare helper scripts to deal with the Forwarded header for Nginx

Reverse proxy service providers such as CloudFront, Fastly, Cloudflare, and others use numerous IPv4 and IPv6 address ranges (Classless Inter-Domain Routing, CIDR, blocks). They typically publish the full list of IPv4/IPv6 ranges, so we can script the update as per our needs. Let us see how to automate it for Cloudflare.

Update the nginx config file as follows

Let us edit the virtual domain file:

sudo vi /etc/nginx/vhosts.d/cyberciti.biz.conf

Append the following in server context:

include "/etc/nginx/vhosts.d/cloudflare.conf";

Save and close the file.

Create a shell script to fetch all Cloudflare IP address

sudo vi /root/bin/restoring-original-visitor-ips.sh
Append the following bash code:

#!/usr/bin/env bash
# Purpose: Get user real ip in nginx behind Cloudflare reverse proxy
# Author: Vivek Gite {https://www.cyberciti.biz} under GNU GPL v2.x+
# Call using Cron https://www.cyberciti.biz/faq/how-do-i-add-jobs-to-cron-under-linux-or-unix-oses/
# -------------------------------------------------------------------
set -eu

# IP List
IPv4="https://www.cloudflare.com/ips-v4"
IPv6="https://www.cloudflare.com/ips-v6"

# Nginx config file
conf="/etc/nginx/vhosts.d/cloudflare.conf"

# Path to nginx binary
nginx_cmd="/usr/sbin/nginx"

# Unpredictable temp files instead of /tmp/ips.$$, which another local
# user could pre-create or point at a symlink; both are removed on any exit
file="$(mktemp)"
newconf="$(mktemp)"
trap 'rm -f "${file}" "${newconf}"' EXIT

# Get list (set -e aborts here, before touching the config, if a download fails)
wget -q "${IPv4}" -O - > "${file}"
wget -q "${IPv6}" -O - >> "${file}"

# Refuse an empty list: it would leave nginx with no trusted proxy at all
[ -s "${file}" ] || { echo "empty IP list downloaded, config not updated" >&2; exit 1; }

# Build the new config file in the temp location first
echo 'real_ip_header CF-Connecting-IP;' > "${newconf}"

while read -r i || [ -n "${i}" ]
do
	# Accept only characters that can appear in an IPv4/IPv6 address or CIDR;
	# anything else would end up verbatim inside the nginx config
	case "${i}" in
		""|*[!0-9a-fA-F:./]*) echo "skipping unexpected entry: ${i}" >&2; continue ;;
	esac
	echo "set_real_ip_from ${i};" >> "${newconf}"
done < "${file}"

# Keep the old file, install the new one, and roll back unless nginx accepts it
[ -f "${conf}" ] && cp -p "${conf}" "${conf}.bak"
install -m 0644 "${newconf}" "${conf}"
if ${nginx_cmd} -qt; then
	${nginx_cmd} -s reload
else
	echo "nginx config test failed, restoring previous ${conf}" >&2
	[ -f "${conf}.bak" ] && mv "${conf}.bak" "${conf}"
	exit 1
fi

Set up daily or weekly Linux/Unix cron job

First, make the script executable with the chmod command:

sudo chmod +x /root/bin/restoring-original-visitor-ips.sh

Next, create a soft link with the ln command so that the script runs every day. Use /etc/cron.daily/ rather than /etc/cron.d/: files in /etc/cron.d/ are parsed as crontab entries, not executed as scripts. On Debian and Ubuntu, run-parts also ignores file names that contain a dot, so name the link without the .sh suffix:

sudo ln -v -s /root/bin/restoring-original-visitor-ips.sh /etc/cron.daily/restoring-original-visitor-ips

Sample outputs:

'/etc/cron.daily/restoring-original-visitor-ips' -> '/root/bin/restoring-original-visitor-ips.sh'

To be honest, a weekly cron job is more than sufficient:

sudo ln -v -s /root/bin/restoring-original-visitor-ips.sh /etc/cron.weekly/restoring-original-visitor-ips

Test it

We are not going to wait for the cron job. So let us run our script manually:

sudo /root/bin/restoring-original-visitor-ips.sh

Step 5 – Verification

Check your nginx log file and make sure that the real IP address is logged, using the tail command, cat command or grep command. If you also want to keep the address of the proxy that actually connected to nginx, add the $realip_remote_addr variable next to $remote_addr in your log_format:

tail -f /var/log/nginx/cyberciti.biz_access.log

The real client IP addresses now appear in the log:

139.1.2.3 - - [07/May/2020:12:16:24 +0000] "GET / HTTP/1.1" 200 3032 "https://www.google.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36"
142.2.3.4 - - [07/May/2020:12:16:25 +0000] "GET /style.css HTTP/1.1" 200 399 "https://www.cyberciti.biz/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36"
1.2.3.4 - - [07/May/2020:12:16:25 +0000] "GET /images/logo.png HTTP/1.1" 200 34001 "https://www.cyberciti.biz/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36"
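Eyeballing a busy log is unreliable, and the usual symptom of a broken setup is that some or all entries still carry a proxy address. The following script is an added example, not part of the original tutorial: it scans combined-format access log lines and reports every request whose logged client address falls inside the trusted proxy ranges, which means the header was not honoured for that request. The log lines and the proxy ranges in it are constructed for the demonstration.

```python
"""Audit an nginx access log for requests whose logged client address is
still a proxy address, i.e. the real IP was not restored.

Added example, not from the original tutorial. The log lines and the
trusted ranges below are constructed for the demonstration.
"""
import ipaddress
import re

# The same ranges given to set_real_ip_from (assumed example values)
PROXY_RANGES = [ipaddress.ip_network(n) for n in ("192.168.1.254/32", "192.168.255.0/24")]

# Combined log format: the client address is the first field
LOG_RE = re.compile(
    r'^(?P<addr>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

# Constructed sample: two restored lines and one that still shows the proxy
SAMPLE_LOG = """\
139.1.2.3 - - [07/May/2020:12:16:24 +0000] "GET / HTTP/1.1" 200 3032 "-" "curl/7.68"
192.168.1.254 - - [07/May/2020:12:16:25 +0000] "GET /admin HTTP/1.1" 403 12 "-" "curl/7.68"
142.2.3.4 - - [07/May/2020:12:16:25 +0000] "GET /style.css HTTP/1.1" 200 399 "-" "curl/7.68"
"""


def unrestored(lines, proxies=PROXY_RANGES):
    """Return (line_no, addr, request) for lines whose client address is a proxy."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line: skip rather than guess
        try:
            ip = ipaddress.ip_address(m["addr"])
        except ValueError:
            continue
        if any(ip in net for net in proxies):
            hits.append((n, m["addr"], m["req"]))
    return hits


if __name__ == "__main__":
    for n, addr, req in unrestored(SAMPLE_LOG.splitlines()):
        print(f"line {n}: {addr} is a proxy address, real IP not restored: {req}")
```

Run it against the real log with the ranges from your set_real_ip_from lines; a non-empty result after the reload means the header name or the trusted range is wrong for that path, and a 403 on a line like the one above is a sign that an allow/deny rule is now being evaluated against the proxy rather than the visitor.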

Conclusion

In this tutorial, you learned how to retrieve actual client IP addresses and get the real IP address of visitors when your Nginx web server is behind a reverse proxy server. Further, you learned how to automate the process using a simple shell script for Nginx to restore a real IP address. See Nginx docs here for more info.

