Nginx study notes (5) - Getting the real client IP behind an Nginx reverse proxy


Before talking about reverse proxies, let's review once more what a proxy server and a forward proxy are.

One, proxy servers

With a proxy server, the client does not send its request directly to the destination host. It sends the request to the proxy server first. The proxy server receives the client's request, forwards it to the destination host, receives the returned data, stores it on the proxy server's hard disk, and then sends it to the client.

For example: a proxy is like a retail store in everyday life. A customer goes to an Adidas store to buy a pair of shoes: the store is the proxy, the party being proxied is the Adidas manufacturer, and the target is the user.

1.1 Why use a proxy server?

(1) Improving access speed:

Because the data returned by the destination host is stored on the proxy server's hard disk, the next time a client requests the same data it is read directly from the proxy server's disk. This acts as a cache and can noticeably speed up requests, especially for popular sites.

(2) Acting as a firewall:

Because all client requests to remote sites must pass through the proxy server, restrictions can be set on the proxy server to filter out some unsafe content.

(3) Reaching target sites that cannot be accessed directly:

There are many open proxy servers on the Internet. When a client's access is restricted, it can reach the target site through a proxy server that is not restricted.

1.2 What is a forward proxy?

A forward proxy is a server located between the client and the origin server. To obtain content from the origin server, the client sends a request to the proxy and names the target (the origin server); the proxy then forwards the request to the origin server and returns the content it obtains to the client. The client can use the forward proxy.

Forward proxy in one sentence: what the proxy stands in for is the client.

The defining feature of a forward proxy: the client knows exactly which server address it wants to access; the server only knows which proxy server the request came from, not which specific client. Forward proxy mode masks or hides the real client's information.

1.3 What is a reverse proxy?

In reverse proxy mode, the proxy server accepts connection requests from the Internet, forwards them to a server on the internal network, and returns the result from that server to the client on the Internet that made the request. To the outside, the proxy server then appears as a reverse proxy server.

Reverse proxy in one sentence: what the proxy stands in for is the server.

For example: almost everyone has used Taobao. The number of visitors connecting to the site every day is off the charts, and a single server cannot keep up with people's growing desire to buy. This is where a familiar term comes in: distributed deployment, that is, solving the limit on the number of visitors by deploying multiple servers. Most of the functionality of the Taobao site is implemented directly with an nginx reverse proxy, and nginx packaged together with other components was given an impressive name: Tengine.
The figure shows users all over the country making requests in the Taobao client. The requests pass through the Nginx reverse proxy server, which receives them and distributes them, according to certain rules, to the back-end business servers for processing.

Features: the source of the request (the client) is clear at this point, but which server actually handles the request is not.

Reverse proxies are mainly used for deploying distributed server clusters; the reverse proxy hides the servers' information.

Two, getting the real client IP behind an Nginx reverse proxy

When we access Internet-based services, most of the time the client does not reach the server directly. The client first sends its request to a reverse proxy, and the reverse proxy forwards it to the server to provide access to the service.
As can be seen, the nginx reverse proxy, while crossing domains, also completely changes the source of the request as seen by the server and isolates the user from the server. The server cannot get the real client IP; it only gets the reverse proxy's IP. So how does nginx get the real IP?

  • Nginx uses the realip module to obtain the user's real IP. Exclude the IPs of each proxy layer and what remains is the real user IP. nginx's realip_module does exactly this: it discards the proxy-layer IPs from XFF according to the configured rules to obtain the user IP. To use realip_module, the parameter --with-http_realip_module must be added when compiling nginx.

2.1 A simulated setup: getting the IP on the local server

1, go into the unpacked source directory, add the realip_module module, recompile, and run make

 ./configure --prefix=/usr/local/nginx --with-file-aio --with-http_realip_module

nginx -V shows the compile parameters.

2, add a virtual host: vim /usr/local/nginx/conf/nginx.conf

server {
    listen 80;
    server_name server1;
    location / {
        return 200;
    }
}

3, start the nginx service and test: a 200 response means the virtual host was added successfully (add name resolution for it on the local machine)

4, once the test succeeds, have it respond with the real IP

  • $remote_addr: represents the client's IP, but its value is not supplied by the client; it is assigned by the server according to the IP of the client that connected, and is not necessarily the real client IP. When you visit a site with a browser and there is no proxy in between, the site's web server (Nginx, Apache, etc.) sets remote_addr to your machine's IP. If you use a proxy, your browser first contacts the proxy, which then forwards the request to the site, so the web server sets remote_addr to the proxy machine's IP, unless the proxy attaches your IP to a request header and forwards it along to the web server.

server {
    listen 80;
    server_name server1;
    location / {
        return 200 "client real ip: $remote_addr\n";
    }
}

5, gracefully reload nginx and test again.

6, obtain the real client IP from X-Forwarded-For; change the configuration file: vim /usr/local/nginx/conf/nginx.conf

  • X-Forwarded-For: the XFF header for short. It represents the client, that is, the real IP of the HTTP requester. It is only added when the request passes through an HTTP proxy or load balancer. As mentioned above, when you use a proxy the web server does not know your real IP. To avoid this, the proxy server usually adds a header called X-Forwarded-For and puts the IP of the connecting client (that is, the IP of your Internet-facing machine) into it, so that the site's web server can obtain the real IP.
  • The XFF format is X-Forwarded-For: client, proxy1, proxy2. The XFF value consists of several parts separated by "comma + space": first the IP of the device farthest from the server, then the IP of each proxy level (note: without strict handling it can be forged). If an HTTP request passes through three proxies Proxy1, Proxy2 and Proxy3, with IPs IP1, IP2 and IP3, before reaching the server, and the user's real IP is IP0, then according to the XFF standard the server finally receives X-Forwarded-For: IP0, IP1, IP2. Proxy3 connects directly to the server and appends IP2 to XFF, indicating that it is forwarding the request on behalf of Proxy2. IP3 is not in the list; the server can obtain it from the Remote Address field.

server {
    listen 80;
    server_name server1;                # add the domain name
    set_real_ip_from 172.25.2.1;        # IP address or range of the proxy directly in front of the real server; may be written on several lines
    real_ip_header X-Forwarded-For;     # tells Nginx which request header to take the real client IP from
    real_ip_recursive off;              # whether to resolve recursively: off (the default) starts from the last address; on obtains the IP recursively, in order from front to back
    location / {
        return 200 "client real ip: $remote_addr\n";
    }
}

7, gracefully reload nginx and test again: curl -H "X-Forwarded-For:1.1.1.1,172.25.2.1" server1

When the real_ip_recursive parameter in the configuration file is off:

  • real_ip_recursive: whether to resolve recursively. off (the default) starts from the last address; on obtains the IP recursively, in order from front to back

When the real_ip_recursive parameter in the configuration file is on:
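The off and on results of the step 7 test can be reproduced with a small model of the lookup. This is an added example, not code from the original post or from nginx: resolve_real_ip is a hypothetical helper that follows the behaviour documented for ngx_http_realip_module (the header is consulted only when the connecting address matches set_real_ip_from; off takes the last address in the header, on takes the last address that does not match set_real_ip_from). It assumes the step 7 request reaches nginx from 172.25.2.1; the last two cases are constructed.

```python
import ipaddress

def resolve_real_ip(peer, xff, trusted, recursive=False):
    """Simplified model of the realip lookup; returns the resulting $remote_addr.

    peer: address of the connection nginx accepted; xff: X-Forwarded-For value;
    trusted: set_real_ip_from entries; recursive: real_ip_recursive on/off.
    """
    nets = [ipaddress.ip_network(t, strict=False) for t in trusted]

    def is_trusted(addr):
        return any(addr in net for net in nets)

    current = ipaddress.ip_address(peer)
    # The header is consulted only when the connection comes from a trusted proxy.
    if not xff or not is_trusted(current):
        return str(current)

    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # Walk from the right (hop nearest to this server) towards the left.
    for hop in reversed(hops):
        try:
            current = ipaddress.ip_address(hop)
        except ValueError:
            break  # unparsable entry: keep the last address that did parse
        if not recursive or not is_trusted(current):
            break  # off: stop at the last entry; on: stop at first untrusted one
    return str(current)

# Constructed cases using the lab addresses from this page.
CASES = [
    # (description, peer, X-Forwarded-For, set_real_ip_from, real_ip_recursive)
    ("step 7, recursive off", "172.25.2.1", "1.1.1.1,172.25.2.1", ["172.25.2.1"], False),
    ("step 7, recursive on", "172.25.2.1", "1.1.1.1,172.25.2.1", ["172.25.2.1"], True),
    ("untrusted peer, forged header", "172.25.2.250", "1.1.1.1", ["172.25.2.1"], False),
    ("over-broad trust, forged header", "172.25.2.250", "1.1.1.1", ["0.0.0.0/0"], False),
]

if __name__ == "__main__":
    for desc, peer, xff, trusted, recursive in CASES:
        print(f"{desc:32} -> {resolve_real_ip(peer, xff, trusted, recursive)}")
```

In the last case the range 0.0.0.0/0 makes every client a trusted proxy, so the forged 1.1.1.1 becomes $remote_addr; with set_real_ip_from limited to the proxy's own address, the same forged header is ignored.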

2.2 Configuring a real reverse proxy server

Lab environment

Host                            Role (service)
server1 (172.25.2.1)            back-end server (nginx + http_realip_module)
server2 (172.25.2.2)            reverse proxy server
physical host (172.25.2.250)    client used for testing

1, configure server1: change the content of the nginx server's default page

2, edit the configuration file and add content

3, check the syntax and restart the service

4, send the compiled nginx directory on server1 to server2

5, configure server2 (the proxy server); for the proxy server configuration, refer to the official website

6, write the configuration file on the proxy server, server2

7, on server2, delete the proxy's web resources

8, test from the physical host; add the name-resolution entry first

9, you can see that the domain name resolves to server2's IP, but the content served is server1's page

View the access log on server1 (/usr/local/nginx/logs/access.log): you can see that the nginx server gets the client's IP directly.

Comment out the two lines on the nginx server, and the IP obtained is the proxy server's IP.

View the access log on server1 (/usr/local/nginx/logs/access.log): you can see that the nginx server now gets the proxy server's IP.


Origin blog.csdn.net/ranrancc_/article/details/102757067