After a website is placed behind the Cloudflare proxy, how do you configure Nginx to obtain the real client IP address?
This is a simple question: how does the backend get the real visitor IP address? To deal with malicious visitors, a website has to analyse client access automatically. If the same IP makes a thousand requests per second, no human can click that fast, so the traffic is identified as a program (an attack tool, a crawler, and so on). Behind Cloudflare, however, every connection arrives from a Cloudflare address, so unless the real address is recovered, the log and any rate limit or blocklist keyed on it are useless. This post shows how to record the visitor's real IP address in the log, which is the prerequisite for any simple restriction on access frequency.
The method in this article applies only to the Cloudflare proxy. For other proxies and CDNs, consult their own documentation; the principle (trust the forwarded header only when the connection comes from the proxy's own published addresses) is the same.
Next I walk through the configuration step by step and finish with a Bash script that automates it, so you do not have to write one yourself.
Step 1: Obtain proxy IP segment information
Cloudflare publishes the IP ranges (IPv4 and IPv6) of all its proxy hosts. We need these ranges in advance in order to tell which connections reach the server through Cloudflare; only those connections may be believed about the client address they carry in a header.
Cloudflare provides them at the following URLs:
- IPv4 address ranges: https://www.cloudflare.com/ips-v4
- IPv6 address ranges: https://www.cloudflare.com/ips-v6
For example, the following command fetches the IPv4 ranges:
$ curl https://www.cloudflare.com/ips-v4
173.245.48.0/20
103.21.244.0/22
....
131.0.72.0/22
For the IPv6 ranges the method is the same, using the ips-v6 URL.
Step 2: Generate the nginx configuration
The nginx configuration supports modular includes, so we only need to generate a separate file from the Cloudflare ranges; no other nginx configuration file has to be edited.
The corresponding nginx configuration looks like this:
$ cat /etc/nginx/conf.d/cloudflare.conf
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
...
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2a06:98c0::/29;
set_real_ip_from 2c0f:f248::/32;
real_ip_header X-Forwarded-For;
The configuration can therefore be generated from the published ranges in the format above. The set_real_ip_from lines tell nginx which connecting peers are trusted proxies; a forwarded-address header is honoured only when the TCP connection comes from one of these ranges, otherwise a client connecting to the origin directly could forge it. The last line, real_ip_header, names the request header from which the real client address is taken. There are two choices:
# real_ip_header CF-Connecting-IP;
real_ip_header X-Forwarded-For;
CF-Connecting-IP is set by Cloudflare to the single address that connected to its edge, and is the header Cloudflare itself recommends. X-Forwarded-For is the generic header that every proxy in the chain appends to, so it can also contain values supplied by the visitor.
The format of X-Forwarded-For is:
X-Forwarded-For: client1, proxy1, proxy2
Here client1 is the visitor's address, and proxy1 and proxy2 are the forwarding nodes passed through on the way. Each proxy appends the address it received the connection from, so the rightmost entry is the one written by the trusted proxy that connected to nginx; everything to its left came from the client or from earlier, untrusted hops and may be arbitrary. nginx's realip module accordingly reads the list from the right (with real_ip_recursive off, the default, it simply takes the last entry). A brief note on anonymous proxies:
- Ordinary (transparent) proxy: not anonymous; the real IP address can be read from the X-Forwarded-For field.
- Highly anonymous proxy: X-Forwarded-For, if sent at all, contains only the proxy server's address, not the client's, so the visitor's real IP address cannot be determined.
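To make the header choice and the X-Forwarded-For format above concrete, the following is an added example (not code from the original post, and not nginx's own source): it reimplements the documented selection rules of nginx's realip module so the effect of set_real_ip_from, real_ip_header and real_ip_recursive can be checked on constructed requests. CF_RANGES is a small subset of Cloudflare's published list; the edge, client and "fake" addresses are documentation addresses chosen for the demo, and the final scenario with an internal load balancer (10.0.0.2) goes beyond the post to show when real_ip_recursive matters.

```python
"""Model of how nginx's ngx_http_realip_module chooses the client address.

Added example, not code from the original post and not nginx source: it
reimplements the documented selection rules so the effect of
set_real_ip_from, real_ip_header and real_ip_recursive can be checked on
constructed requests. CF_RANGES is a small subset of Cloudflare's published
list; the other addresses are RFC 5737 documentation addresses chosen for
the demo.
"""
import ipaddress

# Constructed subset of the ranges the generated cloudflare.conf would contain.
CF_RANGES = ["173.245.48.0/20", "103.21.244.0/22", "2405:b500::/32"]


def valid(addr):
    """True if addr parses as an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        return False


def trusted(addr, ranges):
    """True if addr falls inside one of the set_real_ip_from ranges."""
    return valid(addr) and any(
        ipaddress.ip_address(addr) in ipaddress.ip_network(r) for r in ranges)


def real_ip(peer, headers, header="X-Forwarded-For", recursive=False, ranges=CF_RANGES):
    """Return what nginx would expose as $remote_addr.

    peer      -- TCP source address ($realip_remote_addr)
    headers   -- request headers, keys compared case-insensitively
    header    -- value of the real_ip_header directive
    recursive -- real_ip_recursive (only meaningful for X-Forwarded-For)
    ranges    -- the set_real_ip_from list
    """
    # Rule 1: the header is honoured only when the TCP peer is a trusted proxy.
    if not trusted(peer, ranges):
        return peer
    value = next((v for k, v in headers.items() if k.lower() == header.lower()), None)
    if value is None:
        return peer
    if header.lower() != "x-forwarded-for":
        # Single-value headers such as CF-Connecting-IP are taken as-is.
        candidate = value.strip()
    else:
        # "client, proxy1, proxy2": nginx starts at the rightmost entry, the one
        # appended by the proxy that connected to us...
        chain = [a.strip() for a in value.split(",")]
        candidate = chain[-1]
        if recursive:
            # ...and with real_ip_recursive on walks left past trusted proxies to
            # the last untrusted address (the first entry if every hop is trusted).
            candidate = next((a for a in reversed(chain) if not trusted(a, ranges)), chain[0])
    # An unparsable value leaves the peer address in place.
    return candidate if valid(candidate) else peer


def demo():
    """Constructed requests; returns {scenario: resulting $remote_addr}."""
    edge, client, fake = "173.245.48.10", "198.51.100.5", "192.0.2.200"
    out = {}
    # 1. Direct connection that bypasses Cloudflare: the peer is untrusted, so a
    #    forged header is ignored whichever real_ip_header is configured.
    direct = {"X-Forwarded-For": fake, "CF-Connecting-IP": fake}
    out["direct_xff"] = real_ip("203.0.113.7", direct)
    out["direct_cfip"] = real_ip("203.0.113.7", direct, header="CF-Connecting-IP")
    # 2. Through Cloudflare, visitor sent no X-Forwarded-For of their own.
    clean = {"X-Forwarded-For": client, "CF-Connecting-IP": client}
    out["proxied_xff"] = real_ip(edge, clean)
    # 3. Through Cloudflare, visitor injected their own X-Forwarded-For.
    #    Cloudflare appends the connecting address, so nginx sees "fake, client".
    spoofed = {"X-Forwarded-For": f"{fake}, {client}", "CF-Connecting-IP": client}
    out["spoofed_xff"] = real_ip(edge, spoofed)
    out["spoofed_cfip"] = real_ip(edge, spoofed, header="CF-Connecting-IP")
    # 4. Beyond the post: a trusted load balancer (10.0.0.2) between Cloudflare
    #    and nginx appends the edge address. With real_ip_recursive off nginx
    #    would log the Cloudflare edge instead of the visitor.
    lb_ranges = CF_RANGES + ["10.0.0.0/8"]
    hop = {"X-Forwarded-For": f"{client}, {edge}"}
    out["lb_nonrecursive"] = real_ip("10.0.0.2", hop, ranges=lb_ranges)
    out["lb_recursive"] = real_ip("10.0.0.2", hop, recursive=True, ranges=lb_ranges)
    return out


if __name__ == "__main__":
    for name, addr in demo().items():
        print(f"{name:16} -> {addr}")
```

Scenarios 1 to 3 show why the set_real_ip_from list is the actual security control: a forged header from a direct connection is ignored, and a visitor-supplied X-Forwarded-For prefix is discarded because nginx takes the entry Cloudflare appended. Scenario 4 is the case the post does not cover: once another trusted hop sits between Cloudflare and nginx, X-Forwarded-For needs real_ip_recursive on, whereas CF-Connecting-IP would still carry the visitor's address unchanged.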
Step 3: Generate the configuration with a script
Next, a script that automates generating this configuration file. Cloudflare's IP ranges change from time to time, so the configuration has to be regenerated regularly.
#!/usr/bin/env bash
# Purpose: generate the Cloudflare proxy IP ranges as an nginx include so
# nginx can recover the real client IP from requests proxied by Cloudflare.
set -euo pipefail

cf_ipv4="https://www.cloudflare.com/ips-v4"
cf_ipv6="https://www.cloudflare.com/ips-v6"
mod_cffile="/etc/nginx/conf.d/cloudflare.conf"

get_cfipinfo() {
    # One "set_real_ip_from <cidr>;" line per published range.
    # curl -f turns an HTTP error into a non-zero exit, which set -e
    # propagates, so a failed download aborts instead of emptying the list.
    for url in "$cf_ipv4" "$cf_ipv6"; do
        curl -fsS "$url" | grep -v '#' | grep -v '^$' | sed 's/^/set_real_ip_from /;s/$/;/'
    done
    echo
    # echo "real_ip_header CF-Connecting-IP;"
    echo "real_ip_header X-Forwarded-For;"
    echo
}

# Build into a temp file, make sure every range looks like a CIDR (an HTML
# error page must never end up in conf.d), then atomically replace the include.
tmpfile="$(mktemp)"
get_cfipinfo > "$tmpfile"
grep '^set_real_ip_from ' "$tmpfile" | grep -Ev '^set_real_ip_from [0-9a-fA-F.:]+/[0-9]+;$' && { echo "unexpected content, aborting" >&2; rm -f "$tmpfile"; exit 1; }
mv "$tmpfile" "$mod_cffile"
cat "$mod_cffile"
Once the script is in place, regular execution is left to cron.
The following example runs it at 00:00 on the 15th of every month:
# Update the CF proxy ranges and reload nginx (the reload only happens if nginx -t accepts the configuration)
0 0 15 * * bash /path/to/you-script.sh >/dev/null 2>&1 && nginx -t >/dev/null 2>&1 && systemctl reload nginx
Note that nginx -t here only guards the reload: whatever the script wrote is already on disk, and a broken cloudflare.conf would still stop nginx from starting at the next restart. The script itself should therefore validate what it downloaded before replacing the file, and it must be run with bash rather than sh, since the shebang and options it uses are bash-specific.
About the nginx build
Not everyone installs nginx the same way or with the same compile options. Obtaining the real IP requires the http_realip module. Either install a package that includes it (the official nginx.org packages do) or compile from source with it enabled.
Question 1: How do you check whether your nginx supports the http_realip module?
Run the following command:
$ nginx -V 2>&1 | grep -i http_realip_module
configure arguments: --prefix=/usr/ ... --without-poll_module ... --with-http_v2_module --with-http_realip_module --with-http_addition_module ...
If --with-http_realip_module appears in the configure arguments, the module is compiled in and the real client IP can be obtained. If grep prints nothing, the module is missing, and nginx -t will reject set_real_ip_from and real_ip_header as unknown directives.
Question 2: How does nginx.conf pick up cloudflare.conf once it has been generated?
In the http block of nginx.conf you will find a configuration similar to the following:
http {
....
#gzip on;
include conf.d/*.conf;
# vhost servers
include vhosts.d/*.conf;
}
The line include conf.d/*.conf; imports every file ending in .conf from the conf.d directory (reminder: your nginx may use a different directory, and a relative path is resolved against nginx's configuration directory). Because the include sits in the http block, the set_real_ip_from and real_ip_header directives apply to every virtual host served by this nginx. Includes are read only at start-up or reload, so nginx must be reloaded after the file is regenerated.
- Nginx Configuration Reference: Official Configuration Example
- Nginx source code address: Github source code or official source code address
Finally
A lot has been written above so that everyone can follow along; some repetition is unavoidable, and readers who already know this can skip it.