负载均衡器和HTTP_X_FORWARDED_FOR之间有什么关系?
[英]What's the relation between load balancer and HTTP_X_FORWARDED_FOR?
问题描述
Here is my understanding of the user's IP: 
这是我对用户IP的理解:
User's IP is REMOTE_ADDR . 用户的IP是REMOTE_ADDR 。 But if the user is using a proxy (like HotSpotSheild (HSS)) or a chain of proxies, then REMOTE_ADDR is the address of the proxy (not user's IP) , and the user's IP might be in the other headers like these: 但是,如果用户使用的是代理服务器(例如HotSpotSheild(HSS))或代理链,则REMOTE_ADDR是代理服务器的地址(不是用户的IP) ,并且用户的IP可能在其他标头中,如下所示:
-
HTTP_CLIENT_IP -
HTTP_X_FORWARDED_FOR -
HTTP_X_FORWARDED -
HTTP_X_CLUSTER_CLIENT_IP -
HTTP_FORWARDED_FOR -
HTTP_FORWARDED - Or maybe none of them. 也许都不是。
So when an user uses the proxy, then he is undetectable. 因此,当用户使用代理时,便无法检测到他。
Question1: Always one of those headers (above) is full? 问题1:这些标头之一(上面)始终是满的吗? And are the rest empty? 剩下的是空的吗?
Question2: Is that a good idea that I store both REMOTE_ADDR and one of those header (which isn't empty) in different fields in the database? Question2:将REMOTE_ADDR和其中一个标头(不为空)存储在数据库的不同字段中是一个好主意吗? (I mean having two separated columns for the IP, not just one column) (我的意思是,IP有两列,而不仅仅是一列)
Here is my understanding of a load balancer: 这是我对负载均衡器的理解:
It is a reverse proxy server that you use when you're running a cluster of servers. 它是运行服务器集群时使用的反向代理服务器。 Clients connect to the load balancer, and it forwards the connection to one of the actual servers. 客户端连接到负载平衡器,然后它将连接转发到实际服务器之一。
Theory: 理论:
If you use a load balancer, use
HTTP_X_FORWARDED_FORas user's IP.HTTP_X_FORWARDED_FOR作为用户的IP。
Question3 Why should I store bHTTP_X_FORWARDED_FOR as the user's IP when there is a load balancer? Question3如果有负载平衡器,为什么我应该将bHTTP_X_FORWARDED_FOR存储为用户的IP? I mean what's bHTTP_X_FORWARDED_FOR to do with load balancer? 我的意思是说bHTTP_X_FORWARDED_FOR与负载均衡器有什么关系?
1 个解决方案
解决方案1
2 已采纳 2016-07-11 13:26:08
This is all about the notion of trust and specific implementation details. 这全部与信任的概念和特定的实现细节有关。
If your system trusts the proxy server (eg in a reverse-proxy situation), then you can trust the IP it passes onto you in one of those HTTP headers. 如果您的系统信任代理服务器(例如在反向代理情况下),那么您可以信任那些HTTP标头之一中传递给您的IP。
If there is no reasons to trust the proxy server (eg a random internet proxy such as Hotspot Shield), then your system has no idea whether the IP passed to you is simply made up or not. 如果没有理由信任代理服务器(例如,诸如Hotspot Shield之类的随机Internet代理),则您的系统不知道传递给您的IP是否是简单的。
You could have a whitelist of servers you trust based on REMOTE_ADDR , and if you get a connection from one of those then you use the IP in the HTTP header instead (although probably best to log both for completeness). 您可能有一个基于REMOTE_ADDR信任的服务器白名单,并且如果您从其中一个服务器获得连接,则可以使用HTTP标头中的IP代替(尽管出于完整性考虑,最好同时记录两者)。 You may also wish to expand this so certain headers are trusted to be supplied by certain remote proxies, otherwise there may be a security flaw where a user supplies their own header as well that manages to pass through the proxy unscathed. 您可能还希望扩展它,以便某些远程代理信任某些标头,否则可能存在安全漏洞,即用户提供自己的标头并设法毫发无损地通过代理。
Always one of those headers (above) is full?
Depends on the proxy and its software implementation. 取决于代理及其软件实现。
Is that a good idea that I store both REMOTE_ADDR and one of those header (which isn't empty) in different fields in the database?
Yes, there is no harm in storing both - they may be useful for any audit trails. 是的,两者都存储没有害处-它们对于任何审计跟踪都可能有用。
Why should I store bHTTP_X_FORWARDED_FOR as the user's IP when there is a load balancer?
Because your load balancer should be a trusted proxy, therefore you should be able to trust the IP it provides to you. 由于您的负载均衡器应该是受信任的代理,因此您应该能够信任它提供给您的IP。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.