nginx configuration: getting the real IP of the client

Scene description:

Access path: A machine -> B machine -> C virtual machine:

Machine A is the client user, and the local address is 192.168.0.110

Machine B is the server-side reverse proxy server. The local address is 192.168.0.128 –> (192.168.56.1)

Machine C is a Linux virtual machine installed on host B, and nginx is installed. The local IP is **(192.168.56.10)**

This also illustrates a benefit of a reverse proxy: A cannot reach C directly, but it can through the reverse proxy set up on B. This protects the server's address, because C's IP is never exposed to client A.

Note: Because C is a virtual machine hosted on B and the virtual machine's gateway IP is 192.168.56.1, the upstream IP seen on the C side is 192.168.56.1.

Purpose: Get the IP address of A on machine C, so that the log on C shows the client's real IP address, 192.168.0.110.

nginx configuration of machine B: (first-layer proxy)

location /bb/ {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;

    proxy_pass http://192.168.56.10/cc/;
}

nginx on B sets two headers on the proxied request: X-Real-IP and X-Forwarded-For.

X-Real-IP is set to $remote_addr, and $remote_addr is the IP address of client A, which is directly connected to host B.

The value of X-Forwarded-For is a list of values separated by commas, mainly the value of the client's X-Forwarded-For and the value of $remote_addr. The two parts are separated by commas.

So at this point X-Real-IP is 192.168.0.110 and X-Forwarded-For is 192.168.0.110. In this test the client does not send an X-Forwarded-For header of its own.

  • proxy_set_header X-Real-IP $remote_addr; This directive assigns the client's IP address to the X-Real-IP request header. The $remote_addr variable represents the IP address of the client or proxy server directly connected to the nginx server. It is generally used on the first-layer proxy server so that subsequent proxy servers can obtain the client's IP address.
  • proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; This directive joins the X-Forwarded-For value from the client request header and $remote_addr with a comma and assigns the result to the X-Forwarded-For request header. The $proxy_add_x_forwarded_for variable represents the X-Forwarded-For from the client request header plus $remote_addr. It is generally used on proxy servers other than the first layer, so that the IP addresses of the client and of all proxy servers passed through are recorded.

Log format used by nginx on C

   log_format main '$http_x_forwarded_for|$realip_remote_addr|$http_x_real_ip|$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" '
                    '$upstream_addr $request_time $upstream_response_time ';

Configuration of nginx in C

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    proxy_set_header        X-Real-IP       $remote_addr; 
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
 #   real_ip_header X-Forwarded-For;
 #   set_real_ip_from 192.168.56.1;
 #   real_ip_recursive on;
}

At this layer, X-Real-IP gets the address of the upstream proxy, which is 192.168.56.1.

Is X-Forwarded-For the addresses of the two upper layers, 192.168.0.110, 192.168.56.1? (At this layer it actually holds only one value, 192.168.0.110; the two values appear only at the next layer. This is easy to confuse. The reason is that, after receiving the value, this layer has not yet appended the address of its upstream layer. The proxy_set_header directive applies only when the request is sent on, which is when 192.168.56.1 is appended.)

So the line printed in the log on C is:

192.168.0.110|192.168.56.1|192.168.0.110|192.168.56.1 - - [15/Sep/2023:02:32:43 +0000] "GET /cc/ HTTP/1.0" 200 15539 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36" "192.168.0.110" 123.121.155.167:16002 0.326 0.326

Next, I enable nginx's own realip module on this layer. Pay attention to the value of $remote_addr:

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    proxy_set_header        X-Real-IP       $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    real_ip_header X-Forwarded-For;
    set_real_ip_from 192.168.56.1;
    real_ip_recursive on;
}

With the configuration changed to this, let's look at the log output again:

192.168.0.110|192.168.56.1|192.168.0.110|192.168.0.110 - - [15/Sep/2023:02:46:38 +0000] "GET /cc/ HTTP/1.0" 200 15539 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36" "192.168.0.110" 123.121.155.167:16002 0.796 0.796

The above covers only two layers of proxying. To test the value of X-Forwarded-For, we set up three layers of proxies.

A -> B -> C -> D

A:192.168.0.110 B:192.168.0.104 C:192.168.0.128(192.168.56.1) D:192.168.56.10

B nginx configuration:

location /testIp/ {
            # set $current-X-Fowarded-for X-Forwarded-For 
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_pass http://192.168.0.128:6666/testIp/;
       }

C nginx configuration:

 location /testIp/ {
            # set $current-X-Fowarded-for X-Forwarded-For 
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://192.168.56.10/testIp/;
       }

D nginx configuration:

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    proxy_set_header        X-Real-IP       $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
   # real_ip_header X-Forwarded-For;
   #  set_real_ip_from 192.168.56.1;
   #  real_ip_recursive on;
    # .....

    location /testIp/ {
        proxy_pass  http://666.com;
    }
}

nginx log in D

192.168.0.110, 192.168.0.104|192.168.56.1|192.168.0.104|192.168.56.1 - - [15/Sep/2023:03:26:30 +0000] "GET /testIp/ HTTP/1.0" 200 15539 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36" "192.168.0.110, 192.168.0.104" 192.168.0.104:82 0.299 0.299

192.168.0.110, 192.168.0.104 is the X-Forwarded-For value written to the log.

   real_ip_header X-Forwarded-For;
   set_real_ip_from 192.168.56.1;
   real_ip_recursive on;

These three directives are generally added on the last layer, D, with the trusted IP set to the upstream layer's $remote_addr:

  • set_real_ip_from: sets the trusted IPs, that is, the addresses whose request headers nginx considers trustworthy. Usually these are the IPs of the proxy layers in front of it.
  • real_ip_header: tells nginx which request header field to take the client's real IP from. Usually X-Forwarded-For or X-Real-IP.
  • real_ip_recursive: controls how nginx picks one of several IPs in the request header field. When the value is on, nginx skips trusted IPs from right to left and takes the last untrusted IP as the client's real IP.

For example, if you want to get the client's real IP from the X-Forwarded-For field and trust the IP 192.168.56.1, you can add the following code in location:

location /test {
    proxy_pass http://backend;
    real_ip_header X-Forwarded-For;
    set_real_ip_from 192.168.56.1;
    real_ip_recursive on;
}

In this way, nginx will assign the last non-192.168.56.1 IP in the X-Forwarded-For field to the $remote_addr variable as the real IP of the client.
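The following Python model is an added example, not part of the original post and not nginx's own code. It reproduces how $proxy_add_x_forwarded_for builds the header and how the three realip directives choose $remote_addr, using the addresses of the three-layer setup on this page. The function names are hypothetical, and the results are what the model computes, not captured nginx logs.

```python
import ipaddress

def proxy_add_x_forwarded_for(incoming_xff, remote_addr):
    """Model of $proxy_add_x_forwarded_for: received header, comma, peer address."""
    return f"{incoming_xff}, {remote_addr}" if incoming_xff else remote_addr

def realip(peer, xff, trusted, recursive=True):
    """Model of the realip module choosing $remote_addr from X-Forwarded-For.

    peer    -- directly connected address ($realip_remote_addr)
    trusted -- addresses/CIDRs listed in set_real_ip_from
    """
    nets = [ipaddress.ip_network(t) for t in trusted]

    def is_trusted(ip):
        return any(ipaddress.ip_address(ip) in n for n in nets)

    if not xff or not is_trusted(peer):
        return peer                      # header is ignored for untrusted peers
    addr = peer
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return addr                  # unparsable entry: keep last good address
        addr = hop
        if not recursive or not is_trusted(hop):
            break                        # stop at the first untrusted entry
    return addr

# Three-layer chain from the page: A -> B -> C -> D (D sees C as 192.168.56.1)
A, B, GW = "192.168.0.110", "192.168.0.104", "192.168.56.1"
xff_from_b = A                                         # B: X-Forwarded-For $remote_addr
xff_from_c = proxy_add_x_forwarded_for(xff_from_b, B)  # C appends its peer, B

if __name__ == "__main__":
    print(xff_from_c)                                        # header D receives
    print(realip(GW, xff_from_c, [GW]))                      # only the gateway trusted
    print(realip(GW, xff_from_c, [GW, B]))                   # B trusted as well
    print(realip(GW, xff_from_c, [GW, B], recursive=False))  # recursion off
```

With only 192.168.56.1 in set_real_ip_from the model stops at B (192.168.0.104); A's address is returned only when every proxy in the chain is listed as trusted. An untrusted peer's header is ignored entirely, so set_real_ip_from should contain your own proxies and nothing else.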

A summary of nginx getting the real IP of the client

  • For first-level proxy servers, use proxy_set_header X-Forwarded-For $remote_addr; to assign the client IP to the X-Forwarded-For request header.
  • For non-first-level proxy servers, use proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; to separate the X-Forwarded-For and $remote_addr parts in the client request header with commas and assign them to the X-Forwarded-For request header.
  • If there are multiple layers of proxy servers, you can use nginx's realip module to discard the specified trusted IP from XFF to obtain the user's real IP.

Reprinted from: blog.csdn.net/superzhang6666/article/details/132901093