Linux-多级代理实现客户端IP透传

设备:

客户端client                    centos7     10.0.0.47

代理服务器proxy1          centos7    10.0.0.57          编译安装的nginx

代理服务器proxy2          centos8    10.0.0.8            yum安装的nginx

后端httpd服务器httpd     centos8    10.0.0.88          yum安装的httpd

 

1、设置proxy1 代理服务器 10.0.0.57

[root@proxy1 ~]#vim  /usr/local/nginx/conf/conf.d/pc.conf          #一级代理,可以在设置子配置文件设置以下配置
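server {
  listen 80;
  server_name www.lyj.org;
  root /data/nginx/html/pc;

  # Set (add or replace) the X-Forwarded-For request header that is sent on
  # to the upstream server. $proxy_add_x_forwarded_for is the incoming
  # X-Forwarded-For value with the connecting client's address appended
  # (or just that address when the request carried no such header); the
  # result can then be written to the access logs of the next hops.
  # NOTE(review): proxy1 is the first hop, so anything already present in
  # the incoming header was written by the client and is unverified. If
  # downstream systems use this header for anything beyond display, have
  # this first hop send $remote_addr instead, or trust only the entries
  # appended by your own proxies.
  proxy_set_header x-Forwarded-For $proxy_add_x_forwarded_for;

  location / {
    # Upstream that client requests are forwarded to (proxy2).
    # The closing braces are on their own lines: placed after a trailing
    # '#' comment they would be commented out and the block left open.
    proxy_pass http://10.0.0.8;
  }
}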

加载配置文件

[root@proxy1 ~]#nginx -s reload

2、配置proxy2 代理服务器 10.0.0.8

二级代理的配置信息需要写进主配置文件。

(写在子配置文件中,触发不了文件调用  include /etc/nginx/conf.d/*.conf;)

 

 

 注释或删除原来的server 配置信息

[root@proxy2 ~]#vim /etc/nginx/nginx.conf
#    server {
#        listen       80 default_server;
#        listen       [::]:80 default_server;
#        server_name  _;
#        root         /usr/share/nginx/html;

        # Load configuration files for the default server block.

#        location / {
#        }

#        error_page 404 /404.html;
#            location = /40x.html {
#        }

注释掉原有的server 的配置信息

写入代理配置

[root@proxy2 ~]#vim /etc/nginx/nginx.conf
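 server {
    listen 80;
    server_name www.lyj.org;
    root /data/nginx/html/pc;

    # Append the address of the previous hop (proxy1) to the X-Forwarded-For
    # header received from it, then pass the header on to the backend.
    proxy_set_header x-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
      # Forward to the backend httpd server (10.0.0.88). The original listing
      # pointed at 10.0.0.8, which is proxy2's own address and would make the
      # proxy forward to itself; the httpd access log on this page shows the
      # requests arriving from 10.0.0.8, i.e. proxy2 talks to 10.0.0.88.
      proxy_pass http://10.0.0.88;
    }
 }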

 

后端httpd  web服务器   10.0.0.88

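修改配置文件,在访问日志格式中加入 X-Forwarded-For 首部,用于记录透传的客户端IP。注意:该首部中只有由自己的代理服务器追加的地址(最右侧的几项)可信,其左侧的内容来自客户端请求,可以被伪造,不应直接用于访问控制或审计结论。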

[root@httpd ~]#vim /etc/httpd/conf/httpd.conf

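<IfModule log_config_module>
    #
    # The following directives define some format nicknames for use with
    # a CustomLog directive (see below).
    #
    # \"%{x-Forwarded-For}i\" is appended to the stock "combined" format so
    # that every access-log line also records the X-Forwarded-For request
    # header built up by the proxies in front of this server.
    # This note is kept on its own lines: httpd does not allow a comment on
    # the same line as a directive, so a trailing "# ..." after "combined"
    # would be parsed as extra LogFormat arguments and rejected.
    # NOTE(review): the logged value is a request header. Only the entries
    # appended by your own proxies are reliable; anything to their left was
    # supplied by the client. If the real client address is needed for
    # access control, consider mod_remoteip with an explicit list of trusted
    # proxies rather than reading this log field.
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{x-Forwarded-For}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common

    <IfModule logio_module>
      # You need to enable mod_logio.c to use %I and %O
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    # ... the remainder of this <IfModule> section is unchanged ...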

设置测试页面

[root@httpd ~]#cat /var/www/html/index.html 
10.0.0.88 hostname-webserver

 

测试

为了更好的观察 代理服务器日志也开启IP透传的信息

proxy1 代理日志开启  10.0.0.57     编译安装的nginx

[root@proxy1 ~]#vim /usr/local/nginx/conf/nginx.conf

# Excerpt of the http context on proxy1 (the block continues past this listing).
http {
    include       mime.types;
    default_type  application/octet-stream;

    # Access-log format "main". Its last field, $http_x_forwarded_for, is the
    # X-Forwarded-For request header as this proxy received it. proxy1 is the
    # first hop, so the field is "-" when the client sent no such header and
    # is otherwise whatever the client chose to send (untrusted).
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '         # uncomment these three lines (remove the leading '#') to enable the format
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    # Write the access log using the "main" format defined above.
    access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

proxy2 代理日志开启     10.0.0.8    yum安装的nginx

[root@proxy2 ~]#vim /etc/nginx/nginx.conf

# Excerpt of the http context on proxy2 (the block continues past this listing).
http {
    # Access-log format "main". Its last field, $http_x_forwarded_for, is the
    # X-Forwarded-For request header as received from the previous hop; in
    # this setup that is the value proxy1 set before forwarding the request.
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '    # uncomment these three lines (remove the leading '#') to enable the format
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    # Write the access log using the "main" format defined above.
    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

重新加载配置文件

nginx -s reload

客户端测试,查看日志状态

[root@client ~]#curl  www.lyj.org            #客户端访问正常,获取后端httpd服务的web界面
10.0.0.88 hostname-webserver
[root@client ~]#curl www.lyj.org
10.0.0.88 hostname-webserver
[root@client ~]#curl www.lyj.org
10.0.0.88 hostname-webserver
[root@client ~]#curl www.lyj.org
10.0.0.88 hostname-webserver
[root@client ~]#curl www.lyj.org
10.0.0.88 hostname-webserver

日志记录

proxy1

[root@proxy1 ~]#tail -f /usr/local/nginx/logs/access.log

10.0.0.47 - - [11/Jun/2022:13:11:33 +0800] "GET / HTTP/1.1" 200 29 "-" "curl/7.29.0" "-"
10.0.0.47 - - [11/Jun/2022:13:11:51 +0800] "GET / HTTP/1.1" 200 29 "-" "curl/7.29.0" "-"
10.0.0.47 - - [11/Jun/2022:13:11:52 +0800] "GET / HTTP/1.1" 200 29 "-" "curl/7.29.0" "-"
10.0.0.47 - - [11/Jun/2022:13:11:53 +0800] "GET / HTTP/1.1" 200 29 "-" "curl/7.29.0" "-"

proxy2

[root@proxy2 ~]#tail -f  /var/log/nginx/access.log

10.0.0.57 - - [11/Jun/2022:13:11:33 +0800] "GET / HTTP/1.0" 200 29 "-" "curl/7.29.0" "10.0.0.47"
10.0.0.57 - - [11/Jun/2022:13:11:51 +0800] "GET / HTTP/1.0" 200 29 "-" "curl/7.29.0" "10.0.0.47"
10.0.0.57 - - [11/Jun/2022:13:11:52 +0800] "GET / HTTP/1.0" 200 29 "-" "curl/7.29.0" "10.0.0.47"
10.0.0.57 - - [11/Jun/2022:13:11:53 +0800] "GET / HTTP/1.0" 200 29 "-" "curl/7.29.0" "10.0.0.47"     #代理添加的报文首部字段

httpd

[root@httpd ~]#tail -f /var/log/httpd/access_log
10.0.0.8 - - [11/Jun/2022:13:11:33 +0800] "GET / HTTP/1.0" 200 29 "-" "curl/7.29.0" "10.0.0.47, 10.0.0.57"
10.0.0.8 - - [11/Jun/2022:13:11:51 +0800] "GET / HTTP/1.0" 200 29 "-" "curl/7.29.0" "10.0.0.47, 10.0.0.57"
10.0.0.8 - - [11/Jun/2022:13:11:52 +0800] "GET / HTTP/1.0" 200 29 "-" "curl/7.29.0" "10.0.0.47, 10.0.0.57"
10.0.0.8 - - [11/Jun/2022:13:11:53 +0800] "GET / HTTP/1.0" 200 29 "-" "curl/7.29.0" "10.0.0.47, 10.0.0.57"  #代理服务器添加的报文首部字段  IP地址

 
