nginx多层反向代理获取客户端真实ip

访问路径：用户 --> (nginx反向代理) --> (nginx反向代理) --> python服务端程序经过多层代理第一层代理：# cat /usr/local/nginx/conf/vhost.d/.conf server {listen 80;server_name;access_log/data/www/logs/nginx_log/access/_access.log main ;error_log /data/www/logs/nginx_log/error/_error.log ;#root /data/www/vhosts//httpdocs ;index index.html index.shtml index.php ;#include rewrite.d/.conf ;error_page 404 403 /404.html; rewrite ^/(.*)$ /$1 permanent; #跳转到Httpslocation /favicon.ico{proxy_pass ; }location ~ ^/(middle|app|files|static|back)/ {proxy_set_header Host $host;proxy_set_header X-Real-Ip $remote_addr;proxy_cookie_domain ;proxy_pass ; }location /cn {rewrite ^/cn/(.*) /$1 permanent;}#注释原来的location#location / {#proxy_cookie_domain ;# proxy_pass /cn/; #}#开启新的配置location / {if (-d $request_filename){rewrite (.*) $1 break;}if (-f $request_filename.html){rewrite (.*) $1.html break;}try_files $uri /index.html @404;}}server {listen 443;server_name ;ssl on; ssl_certificate /usr/local/nginx/cert/geo-.crt;ssl_certificate_key/usr/local/nginx/cert/geo-.key;ssl_protocols TLSv1 TLSv1.1 TLSv1.2;ssl_ciphers"ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!AES128-SHA256:!AES256-SHA256:!AES128-SHA:!AES256-SHA:AES:!CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"; ssl_prefer_server_ciphers on;ssl_session_timeout 10m;access_log/data/www/logs/nginx_log/access/_access.log main ;error_log /data/www/logs/nginx_log/error/_error.log ;root /data/www/vhosts/chinasoft/chinasoft_web_html/converter_middle/templates/cn;index index.html index.shtml index.php ;#include rewrite.d/.conf ;error_page 404 403 /404.html;location /favicon.ico{proxy_set_header Host $host;proxy_set_header X-Real-Ip $remote_addr;proxy_set_header X-Forwarded-For $remote_addr; proxy_pass ; }location ~ ^/(middle|app|files|back)/ {proxy_set_header Host $host;proxy_set_header X-Real-Ip $remote_addr;proxy_set_header X-Forwarded-For $remote_addr; proxy_cookie_domain ;proxy_pass ; }location /cn {rewrite ^/cn/(.*) /$1 permanent;}location /static {root /data/www/vhosts/chinasoft/chinasoft_web_html/converter_middle;}#注释原来的location#location / {# proxy_cookie_domain ;# proxy_pass /cn/; #}#开启新的配置location / {if (-d $request_filename){rewrite (.*) $1 break;}if (-f $request_filename.html){rewrite (.*) $1.html break;}try_files $uri /index.html @404;}}第二层代理：[server02:~]# more /usr/local/nginx/conf/vhost.d/.conf server {listen 80;server_name ;access_log/data/www/logs/nginx_log/access/_access.log main ;error_log /data/www/logs/nginx_log/error/_error.log;root /data/www/vhosts/chinasoft/chinasoft_web/web;index index.html index.php ;include rewrite.d/.conf ;error_page 404 403 /404.html; location ^~ /middle/file/test-oss-callback {proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header REMOTE-HOST $remote_addr;proxy_set_header HTTP_AUTHORIZATION $http_authorization;proxy_pass_header Server;proxy_redirect off;proxy_pass http://1.1.1.1:7980/middle/file/oss-callback; }rewrite ^/(.*)$ /$1 permanent; #跳转到Https}server {listen 443;server_name;ssl on; ssl_certificate /usr/local/nginx/conf/cert/chinasoft_com.crt; ssl_certificate_key/usr/local/nginx/conf/cert/chinasoft_com.key; ssl_dhparam /usr/local/nginx/conf/cert/dh_2048.pem;ssl_session_timeout5m;ssl_protocols TLSv1 TLSv1.1 TLSv1.2;ssl_ciphers"ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!AES128-SHA256:!AES256-SHA256:!AES128-SHA:!AES256-SHA:AES:!CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"; ssl_prefer_server_ciphers on;gzip on;gzip_min_length 1k;gzip_buffers 4 16k;gzip_comp_level 5;gzip_types text/plain application/x-javascript text/css application/xml text/javascript;access_log/data/www/logs/nginx_log/access/_access.log main ;error_log /data/www/logs/nginx_log/error/_error.log ;root /data/www/vhosts/chinasoft/chinasoft_web/web;index index.html index.php ;include rewrite.d/.conf ;error_page 404 @error404;location /cn { include rewrite.d/.conf ; }location @error404 {rewrite ^/(fr|de|it|es|pt|nl|hi|jp|ru|kr|id|ar|cn) /$1/404.html last;rewrite ^ /404.html last;}location ~ /(fr|de|it|es|pt|nl|hi|jp|ru|kr|id|ar|vn|tr|th|ro|zh-tw|cn)$ {rewrite ^/(.*)$ /$1/ permanent;}location ^~ /middle/file/test-oss-callback {proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header REMOTE-HOST $remote_addr;proxy_set_header HTTP_AUTHORIZATION $http_authorization;proxy_pass_header Server;proxy_redirect off;proxy_pass http://127.0.0.1:7980/middle/file/test-oss-callback; }location ~ ^/(middle|app)/ {#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;#proxy_set_header REMOTE-HOST $remote_addr;#proxy_set_header HTTP_AUTHORIZATION $http_authorization;#proxy_pass_header Server;proxy_set_header Host $host;proxy_set_header X-Real-Ip $remote_addr;proxy_set_header X-Forwarded-For $remote_addr;expires 1d;include proxy_params;if (!-d $request_filename){set $flag 1$flag;}if (!-f $request_filename){set $flag 2$flag;}if ($flag = "21"){rewrite ^(.*)$ /index.php last;}}location ~ \.php$ { #fastcgi_pass 127.0.0.1:9000;fastcgi_pass unix:/tmp/php-cgi.sock;fastcgi_index index.php;fastcgi_read_timeout 600;fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;include fastcgi_params;expires -1;}location /static {root /data/www/vhosts/chinasoft/chinasoft_web_html/converter_middle;}location / {#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;#proxy_set_header REMOTE-HOST $remote_addr;#proxy_set_header HTTP_AUTHORIZATION $http_authorization;#proxy_pass_header Server;proxy_set_header Host $host;proxy_set_header X-Real-Ip $remote_addr;proxy_set_header X-Forwarded-For $remote_addr;expires -10d;add_header Cache-Control no-cache;root /data/www/vhosts/chinasoft/chinasoft_web_html/converter_middle/templates;index index.html;if (-d $request_filename){rewrite (.*) $1 break;}if (!-f $request_filename){rewrite (.*) $1.html break;}try_files $uri /index.html @error404;}}nginx多层代理获取客户端的真实ip总结：1、编译Nginx时，添加http_realip_module模块2、在nginx.conf文件中proxy_pass xxxxxx添加下面三行proxy_set_header Host $host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;3、在每一层nginx日志中的打印的"$http_x_forwarded_for"就是真实客户端的ip地址。4、后台服务器获取真实的客户端ip地址：headers中的X-Forwarded-For选项中逗号前第一个ip就是真实客户端ip日志中获取真实ip: $http_x_forwarded_for 就是获取真实ip的变量log_format main '$remote_addr $http_x_forwarded_for - - [$time_local] - - "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_time ';

# more /usr/local/nginx/conf/rewrite.d/.conf

if ($request_uri ~ ^/(.*)/(index|indice).(html)) { rewrite ^/(.*)/(index|indice).(html) /$1 permanent;}