
[Web] nginx obtains the user's real IP address

Posted on 5/19/2018 11:38:55 AM
Some of our interfaces modify user information, and only the integrating party is allowed to call them, so we maintain an IP whitelist on nginx.

The whitelist contains the egress IP of the integrating party.

Here are our nginx access logs.

nginx treats $remote_addr as the real IP, but the user's real IP is actually in $http_X_Forwarded_For; $remote_addr is only the private network address of our F5 (user --> F5 --> nginx). As a result nginx checks the wrong address against the whitelist, and the user's calls to the interface always get a 403.

Solution:

Add the following to the http block:

set_real_ip_from 10.10.10.122;   # tells nginx which address it may accept the real IP from
real_ip_header X-Real-IP;        # name of the header that stores the real IP value

That's it!

After adding these directives, nginx reports the following error on startup:

nginx: [emerg] unknown directive "set_real_ip_from" in /home/lnidmp/nginx/conf/nginx.conf:26

So we add the realip module and recompile nginx:


1. cd /usr/local/nginx-1.6.3
2. ./configure --prefix=/usr/cmcc/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_realip_module
3. make && make install

Tips:
1. set_real_ip_from specifies which trusted upstream proxies nginx will accept the real user IP from.

2. real_ip_header specifies which HTTP header of the received request carries the user IP passed on by the upstream proxy.

3. real_ip_recursive controls whether trusted addresses are recursively excluded until the user IP is found (default is off).

First, real_ip_header names the HTTP header to read; the default is X-Real-IP.

(1) If the header holds a single IP, nginx checks whether the sender's IP is in the trusted list given by set_real_ip_from. If it is trusted, nginx accepts the value in X-Real-IP as the user's real IP as reported by the upstream proxy and assigns it to its own $remote_addr variable. If it is not trusted, nothing is done and $remote_addr remains the sender's IP address.

(2) If X-Real-IP holds several IP values, for example because the upstream proxy is configured like this: proxy_set_header X-Real-Ip $proxy_add_x_forwarded_for;

then the header is a list of IPs, and the value of real_ip_recursive becomes crucial. nginx walks the list from right to left, comparing each IP against the set_real_ip_from trust list. With real_ip_recursive off, once the rightmost IP is found to be trusted, the next IP (the second from the right) is taken as the user's real IP. With real_ip_recursive on, the comparison continues from right to left until an untrusted IP is found, and that IP is likewise copied to $remote_addr.

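The selection rules described above, modelled as an added Python example (not code from the original post and not nginx's own code). It treats the connecting peer as the rightmost address of the chain; the second proxy at 10.10.10.5 and the 192.0.2.x, 198.51.100.x and 203.0.113.x addresses are constructed sample values.

```python
import ipaddress

def resolve_client_ip(peer, header_value, trusted, recursive=False):
    """Return the address that would replace $remote_addr.

    peer         -- address of the TCP connection nginx accepted
    header_value -- raw value of the header named by real_ip_header
    trusted      -- addresses/CIDRs listed in set_real_ip_from
    recursive    -- value of real_ip_recursive
    """
    nets = [ipaddress.ip_network(t) for t in trusted]

    def is_trusted(ip):
        return any(ipaddress.ip_address(ip) in net for net in nets)

    # The header is honoured only when the sender itself is trusted;
    # otherwise anyone could forge it to pass the whitelist.
    if not is_trusted(peer):
        return peer

    entries = [e.strip() for e in header_value.split(",") if e.strip()]
    chosen = peer
    for entry in reversed(entries):            # walk right to left
        try:
            ipaddress.ip_address(entry)
        except ValueError:
            break                              # unparsable entry: stop here
        chosen = entry
        if not recursive or not is_trusted(chosen):
            break                              # off: one step; on: first untrusted
    return chosen

# Constructed sample data (assumptions, not from the original post's logs).
F5 = "10.10.10.122"            # trusted address used in the post
FRONT_PROXY = "10.10.10.5"     # hypothetical second proxy in front of the F5
# Leftmost entry was sent by the client itself and is therefore forgeable.
CHAIN = "192.0.2.66, 203.0.113.7, 10.10.10.5"

def demo():
    both = [F5, FRONT_PROXY]
    return {
        "single": resolve_client_ip(F5, "203.0.113.7", [F5]),
        "untrusted_peer": resolve_client_ip("198.51.100.9", "203.0.113.7", [F5]),
        "recursive_off": resolve_client_ip(F5, CHAIN, both, recursive=False),
        "recursive_on": resolve_client_ip(F5, CHAIN, both, recursive=True),
    }

if __name__ == "__main__":
    for case, ip in demo().items():
        print(f"{case:15} -> {ip}")
```

With real_ip_recursive off the whitelist would be evaluated against the inner proxy (10.10.10.5); with it on, the client-supplied leftmost entry is never reached because the walk stops at the first untrusted address.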





Posted on 6/18/2018 2:57:50 PM
Look, nginx gets the real IP