【nginx】配置x-forwarded-for 頭部
本地用tomcat起了一個j2ee的應用,然後又起了一個nginx做反向代理。
nginx.conf:
#user nobody; worker_processes 1; #error_log logs/error.log; #error_log logs/error.log notice; #error_log logs/error.log info; #pid logs/nginx.pid; events { worker_connections 1024; } http { include mime.types; default_type application/octet-stream; #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' # '$status $body_bytes_sent "$http_referer" ' # '"$http_user_agent" "$http_x_forwarded_for"'; #access_log logs/access.log main; sendfile on; #tcp_nopush on; #keepalive_timeout 0; keepalive_timeout 65; #gzip on; server { listen 50001; server_name localhost; #charset koi8-r; #access_log logs/host.access.log main; location / { root html; index index.html index.htm; } location /ly { proxy_pass http://127.0.0.1:8080/hello.do; proxy_set_header Host $host; proxy_set_header X-real-ip $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } #error_page 404 /404.html; # redirect server error pages to the static page /50x.html # error_page 500 502 503 504 /50x.html; location = /50x.html { root html; } } include servers/*; }
這裡配置了nginx的監聽埠為50001。使用了proxy_set_header來配置nginx轉發的頭部操作。其中如下配置就是針對xff的:
其中$proxy_add_x_forwarded_for變數的值是當前包的x-forwarded-for變數和remote-addr變數,使用逗號隔開。所以上面的命令就是把當前的包的x-forwarded-for的值設定為x-forwarded-for和remote-addr的連線。這樣這個包轉發給下游時,下游就有了這臺nginx伺服器的ip地址。
當client第一次請求nginx伺服器時,nginx拿到的x-forwarded-for為null,remote-addr就是client的實際地址,所以第一次的轉發的xff值就只有client的ip地址,轉發的nginx的地址是在remote-addr裡。下一臺nginx伺服器會把第一臺nginx伺服器的地址填入xff。所以當一臺伺服器收到一個包時,上一臺伺服器的地址並不在xff裡面,必須通過remote-addr拿到。
Controller:
public class MainController extends HttpServlet { public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { PrintWriter out = response.getWriter(); out.println("NGINX FORWARD"); String ssfAddr = request.getHeader("X-Forwarded-For"); String realIp = request.getHeader("X-Real-IP"); String remoteAddr = request.getRemoteAddr(); System.out.println("X-Forwarded-For: " + ssfAddr); System.out.println("X-Real-IP: " + realIp); System.out.println("remoteAddr: " + remoteAddr); } }
本地ip為192.168.43.33。
然後我先使用了手機訪問了nginx域名:192.168.43.33:50001/ly
顯示:
X-Forwarded-For: 192.168.43.1
X-Real-IP: 192.168.43.1
remoteAddr: 127.0.0.1
這裡192.168.43.1是手機的ip,127.0.0.1是nginx的ip。且通過x-real-ip可以獲取到真實ip。
在使用一個crul命令:
curl http://localhost:50001/ly -H 'X-Forwarded-For: unkonw, <8.8.8.8> 1.1.1.1' -H 'X-Real-IP: 2.2.2.2'
顯示:
X-Forwarded-For: unkonw, <8.8.8.8> 1.1.1.1, 127.0.0.1
X-Real-IP: 127.0.0.1
remoteAddr: 127.0.0.1
這裡客戶端就是本機,所以會在xff後面新增一個127.0.0.1。也是符合預期的。