haproxy- IP透传

最新推荐文章于 2024-08-17 19:04:11 发布

BLEACH－heiqiyihu

最新推荐文章于 2024-08-17 19:04:11 发布

阅读量786

点赞数 22

分类专栏：云原生文章标签： tcp/ip 网络协议网络

本文链接：https://blog.csdn.net/Wu16338/article/details/141124318

版权

云原生专栏收录该内容

6 篇文章 0 订阅

订阅专栏

web服务器中需要记录客户端的真实IP地址，用于做访问统计、安全防护、行为分析、区域排行等场景。

一：七层IP透传

1.1：当未开启透传

mode中使用http为七层，属于七层透传

[root@localhost ~]# vim /etc/haproxy/haproxy.cfg

关闭透传功能

重启服务

[root@localhost ~]# systemctl restart haproxy.service

使用window终端进行访问主机ip地址（172.25.254.129）

[root@localhost ~]# curl 172.25.254.129

在172.25.254.10上可以查看访问日志

[root@localhost ~]# cat /var/log/nginx/access.log

在此日志中是无法看到真实访问源地址的

[root@localhost ~]# cat  /var/log/nginx/access.log
172.25.254.129 - - [12/Aug/2024:10:50:09 +0800] "GET / HTTP/1.1" xx0 16 "-" "Mozilla/5.0 (Windows NT; Windows NT 10.0; zh-CN) WindowsPowerShell/x" "-"
172.25.254.129 - - [12/Aug/2024:10:50:17 +0800] "GET / HTTP/1.1" xx0 16 "-" "Mozilla/5.0 (Windows NT; Windows NT 10.0; zh-CN) WindowsPowerShell/x" "-"

1.2：开启透传

再次使用window终端进行访问主机ip地址（172.25.254.129）

在172.25.254.10上可以查看访问日志

[root@localhost ~]# cat /var/log/nginx/access.log

172.25.254.129 - - [12/Aug/2024:10:50:09 +0800] "GET / HTTP/1.1" xx0 16 "-" "Mozilla/5.0 (Windows NT; Windows NT 10.0; zh-CN) WindowsPowerShell/x" "-"
172.25.254.129 - - [12/Aug/2024:10:50:17 +0800] "GET / HTTP/1.1" xx0 16 "-" "Mozilla/5.0 (Windows NT; Windows NT 10.0; zh-CN) WindowsPowerShell/x" "-"
172.25.254.129 - - [12/Aug/2024:10:50:17 +0800] "GET / HTTP/1.1" xx0 16 "-" "Mozilla/5.0 (Windows NT; Windows NT 10.0; zh-CN) WindowsPowerShell/x" "172.25.254.1"

客户端（172.25.254.10）安装阿帕奇，在访问日志中通过变量$proxy_protocol_addr 记录透传过来的客户端IP

开启服务

[root@localhost ~]# systemctl restart httpd.service
给予测试页

[root@localhost ~]# echo webserver1 - 172.25.254.10 > /var/www/html/index.html

再次使用window终端进行访问主机ip地址（172.25.254.129）

在172.25.254.10上可以查看访问日志

[root@localhost ~]# cat /var/log/nginx/access.log

172.25.254.129 - - [12/Aug/2024:10:50:09 +0800] "GET / HTTP/1.1" xx0 16 "-" "Mozilla/5.0 (Windows NT; Windows NT 10.0; zh-CN) WindowsPowerShell/x" "-"
172.25.254.129 - - [12/Aug/2024:10:50:17 +0800] "GET / HTTP/1.1" xx0 16 "-" "Mozilla/5.0 (Windows NT; Windows NT 10.0; zh-CN) WindowsPowerShell/x" "-"
172.25.254.129 - - [12/Aug/2024:10:50:17 +0800] "GET / HTTP/1.1" xx0 16 "-" "Mozilla/5.0 (Windows NT; Windows NT 10.0; zh-CN) WindowsPowerShell/x" "172.25.254.1"

发现没有新的日志产生

在172.25.254.10上进入配置文件，插入%{X-Forwarded-For}i

[root@localhost ~]# vim /etc/httpd/conf/httpd.conf

重新启动

[root@localhost ~]# systemctl restart httpd.service
查看日志如下：

[root@rs1 ~]# tail -n 3 /var/log/nginx/access.log
"172.25.254.10, 192.168.0.10" 192.168.0.10 - - [10/Jul/2024:16:15:00 +0800] "GET
/ HTTP/1.1"200 18 "-" "curl/7.29.0" "172.25.254.10"

[root@rs2 ~]# tail -n 3 /etc/httpd/logs/access_log
172.25.254.10 192.168.0.10 - - [11/Jul/2024:00:15:00 +0800] "GET / HTTP/1.1" 200
27 "-" "curl/7.29.0"

二：四层IP透传

将mode中的http改为tcp

[root@localhost ~]# vim /etc/haproxy/haproxy.cfg

加上限定参数：send-porxy

重新启动服务

[root@localhost ~]# systemctl restart haproxy

[root@localhost ~]# vim /etc/nginx/nginx.conf

192.168.0.10 - - [10/Jul/2024:15:21:00 +0800] "GET / HTTP/1.1"200 18 "-"
"curl/7.29.0" "-"
192.168.0.10 - - [10/Jul/2024:15:26:11 +0800] "GET / HTTP/1.1"200 18 "-"
"curl/7.29.0" "-"
192.168.0.10 - - [10/Jul/2024:15:41:56 +0800] "GET / HTTP/1.1" "172.25.254.10"200
18 "-" "curl/7.29.0"

重新启动服务

[root@localhost ~]# systemctl restart nginx.service
查看日志内容

192.168.0.10 - - [10/Jul/2024:15:21:00 +0800] "GET / HTTP/1.1"200 18 "-"
"curl/7.29.0" "-"
192.168.0.10 - - [10/Jul/2024:15:26:11 +0800] "GET / HTTP/1.1"200 18 "-"
"curl/7.29.0" "-"
192.168.0.10 - - [10/Jul/2024:15:41:56 +0800] "GET / HTTP/1.1" "172.25.254.10"200
18 "-" "curl/7.29.0"