nginx behind haproxy to static html ssl getting real IP address

My problem is getting the "real" IP address from the web at nginx level serving a static vuejs site via ssl.

I want to block certain IP addresses, how can I get the real IP address if I can't use proxy pass, since I only link to a static location?

haproxy (tcp) (port: 443) ==> encrypted request ==> nginx (port: 8085) request pass to ==> '/' location getting real IP for range blocking.

Please also see questions/comments in the nginx vhost file. Am I on the right track here or does this need to be done entirely differently?

haproxy setup:

frontend ssl_front_433 xx.xx.xx.xx:443
    mode tcp
    option tcplog
    use_backend ssl_nginx_backend_8085

backend ssl_nginx_backend_8085
    mode tcp
    balance roundrobin
    option  tcp-check
    server  srv-2 127.0.0.1:8085  check  fall 3 rise 2 inter 4s

nginx setup:

server {
   listen 8085 ssl;
   server_name mydomain;

   access_log /var/log/nginx/access.log;
   error_log  /var/log/nginx/error.log;

   ssl_certificate      ./fullchain.pem;
   ssl_certificate_key  ./privkey.pem;
   include include.d/ssl.conf;

   # I want to only allow certain ip addresses
   # haproxy of course always returns 127.0.0.1 thus this is not working
   include include.d/ip_range.conf;

   location / {
        # how to get the proxy headers to be applied here?
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        # do I need a proxy pass and if so where should I pass to,
        # in order to use it with static html/js?
        # can I use an upstream to a static location?
        #proxy_pass http://;
        try_files $uri $uri/ /index.html;
   }
}

On the nginx side you can control which IP addresses or ranges are permitted with a deny all and an allow range to your server block like so:

allow  192.168.1.0/24;
deny   all;

Note: The nginx docs are always an excellent place to start, here's the docs for restricting access by IP addresses and ranges.

First, I would challenge you to reconsider why you need a load balancer with haproxy for something as simple as a html/css/js static site. More infrastructure introduces more complications.

Second, the upstream in nginx is only needed if you want to point requests to a local wsgi server for example, in your case this is static content so you shouldn't need to point to an upstream – not unless you have some sort of wsgi service you want to forward requests to.

Finally, as for haproxy only forwarding requests as 127.0.0.1, first make sure the IP is in the header (i.e. X-Real-IP) then you can try to add something like this to your haproxy config (source), if you indeed want to keep haproxy:

frontend all_https
  option forwardfor header X-Real-IP
  http-request set-header X-Real-IP %[src]

The haproxy documentation is also a good resource for preserving source IP addresses.
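
The question's frontend runs in `mode tcp` and nginx terminates TLS, so HAProxy never sees the HTTP request; one way to carry the client address in that layout is the PROXY protocol. The following is an added example, not part of the original question or answer: it reuses the ports and include files from the question, and the `root` path and the availability of nginx's realip module are assumptions.

```nginx
# --- haproxy.cfg: backend from the question with send-proxy added ---
# backend ssl_nginx_backend_8085
#     mode tcp
#     balance roundrobin
#     option  tcp-check
#     # send-proxy prepends a PROXY protocol line holding the client address
#     # to every connection (health checks included) before the TLS bytes.
#     server  srv-2 127.0.0.1:8085 send-proxy check fall 3 rise 2 inter 4s

# --- nginx vhost ---
server {
    # proxy_protocol: nginx expects the PROXY line ahead of the TLS handshake.
    # Connections that arrive without it are rejected, so this port should be
    # reachable only from HAProxy.
    listen 8085 ssl proxy_protocol;
    server_name mydomain;

    access_log /var/log/nginx/access.log;
    error_log  /var/log/nginx/error.log;

    ssl_certificate      ./fullchain.pem;
    ssl_certificate_key  ./privkey.pem;
    include include.d/ssl.conf;

    # Requires ngx_http_realip_module (assumed to be compiled in).
    # Accept the PROXY-supplied address only when the peer is HAProxy on
    # loopback; a PROXY line from any other peer is ignored.
    set_real_ip_from 127.0.0.1;
    real_ip_header   proxy_protocol;

    # $remote_addr is now the client address, so the allow/deny rules in
    # this file are evaluated against it instead of 127.0.0.1.
    include include.d/ip_range.conf;

    root /var/www/html;   # assumed location of the built vuejs site

    location / {
        # Static content: no proxy_pass or proxy_set_header needed.
        try_files $uri $uri/ /index.html;
    }
}
```

The access log also records the client address once `real_ip_header proxy_protocol` is in effect, which gives a quick way to confirm the change before relying on the allow/deny rules.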
