1、获取真实的客户端IP
- 在这个实验中使用三台虚拟机:
  server1 作为 Nginx 服务器;
  server2 作为 server1 的代理;
  server3 作为客户端。
- 在 server2 中修改 Nginx 配置文件,配置反向代理:
[root@server2 nginx]# vim conf/nginx.conf
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    # Backend pool: server1 (172.25.254.51) is its only member.
    upstream yang{
        server 172.25.254.51:80; ## reverse proxy for 172.25.254.51
    }
    sendfile on;
    keepalive_timeout 65;
    server {
        listen 80;
        server_name www.yang.org;
        location / {
            # No X-Forwarded-For header is set here, so the backend only ever
            # sees this proxy's own address (172.25.254.52) as the client IP,
            # which is what the server1 access log below shows.
            proxy_pass http://yang;
        }
    }
}
[root@server2 nginx]# nginx -t
[root@server2 nginx]# nginx -s reload
- 在server1中清空日志:
cd /usr/local/nginx/logs
# Truncate in place rather than deleting: nginx keeps the file open, so
# truncation lets it keep writing without a reopen/reload.
> access.log # clear the log
- 在server3中添加解析并测试:
vim /etc/hosts
##写入
172.25.254.51 server1
172.25.254.52 server2 www.yang.org
172.25.254.53 server3
172.25.254.54 server4
测试:curl www.yang.org
显示server1
- 在server1中查看日志:
显示的 ip 是172.25.254.52
[root@server1 nginx]# cat logs/access.log
172.25.254.52 - - [27/Feb/2020:11:04:50 +0800] "GET / HTTP/1.0" 200 8 "-" "curl/7.29.0"
172.25.254.52 - - [27/Feb/2020:11:04:51 +0800] "GET / HTTP/1.0" 200 8 "-" "curl/7.29.0"
- 修改server1配置文件,获取真实客户端ip:
[root@server1 nginx]# vim conf/nginx.conf
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    # Both zones are keyed on $binary_remote_addr. Because the realip
    # directives below rewrite the remote address to the real client, each
    # client gets its own bucket; without them every proxied request would be
    # keyed on the proxy's address (172.25.254.52) and share a single bucket.
    limit_conn_zone $binary_remote_addr zone=addr:10m;
    # Declared but not referenced by any limit_req directive in this config.
    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
    server {
        listen 80;
        server_name www.yang.org;
        # Trust X-Forwarded-For only on connections coming from the server2
        # proxy. The header is client-controlled, so this list must never be
        # widened beyond proxies you operate yourself.
        set_real_ip_from 172.25.254.52; ## take the real client IP via the proxy
        real_ip_header X-Forwarded-For; ## read it from the HTTP request header
        # Walk X-Forwarded-For from the right, skipping trusted addresses, and
        # use the first untrusted one as the client address.
        real_ip_recursive on;
        location / {
            root html;
            index index.html index.htm;
        }
        location /download{
            # limit_conn addr 1;
            limit_rate 50k; # per-request bandwidth cap
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}
[root@server1 nginx]# nginx -t
[root@server1 nginx]# nginx -s reload
注意: 编译时 ./configure 必须带上 --with-http_realip_module 这个模块,否则上面的 set_real_ip_from、real_ip_header 等指令无法被识别。
- 修改server2配置文件,获取真实客户端ip:
[root@server2 nginx]# vim conf/nginx.conf
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    upstream yang{
        server 172.25.254.51:80; # server1 backend
    }
    sendfile on;
    keepalive_timeout 65;
    server {
        listen 80;
        server_name www.yang.org;
        location / {
            proxy_pass http://yang;
            # $proxy_add_x_forwarded_for = any X-Forwarded-For the client
            # already sent, with this connection's $remote_addr appended. A
            # client-supplied header is forwarded, not replaced, which is why
            # the backend limits set_real_ip_from to this proxy only.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # pass the data from the real request header so the real backend can record it
        }
    }
}
[root@server2 nginx]# nginx -t
[root@server2 nginx]# nginx -s reload
- 测试
[root@server3 sbin]# curl www.yang.org
server1
[root@server1 nginx]# cat logs/access.log
172.25.254.53 - - [27/Feb/2020:11:17:12 +0800] "GET / HTTP/1.0" 200 8 "-" "curl/7.29.0"
可以显示真实的客户端IP
2、HTTPS加密认证
Nginx 可以设置 https 加密认证。当我们访问 http://www.yang.org 时,它会帮我们自动跳转到 https://www.yang.org。
设定加密认证的步骤:
./configure --prefix=/usr/local/nginx --with-http_realip_module --with-http_image_filter_module=dynamic --with-http_ssl_module
- 修改server1配置文件:
[root@server1 nginx]# vim conf/nginx.conf
load_module modules/ngx_http_image_filter_module.so; # built with --with-http_image_filter_module=dynamic
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    #limit_conn_zone $binary_remote_addr zone=addr:10m;
    #limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
    # Plain-HTTP site. NOTE(review): nothing in this block redirects to HTTPS;
    # the automatic http -> https jump described in the section intro would
    # need something like `return 301 https://$host$request_uri;` here. As
    # written, port 80 keeps serving content from `html` in the clear.
    server {
        listen 80;
        server_name www.yang.org;
        #set_real_ip_from 172.25.254.52;
        #real_ip_header X-Forwarded-For;
        #real_ip_recursive on;
        location / {
            root html;
            index index.html index.htm;
        }
        location /download{
            # limit_conn addr 1;
            #limit_rate 50k;
            image_filter resize 150 100; # scale served images down to fit 150x100
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
    # HTTPS site. Note it serves from a different docroot (`web`) than the
    # port-80 server (`html`).
    server {
        listen 443 ssl;
        server_name www.yang.org;
        # The same PEM file is used for certificate and private key: the
        # cert.pem produced by `make cert.pem` below bundles both, so that
        # file must stay readable by root only.
        ssl_certificate cert.pem;
        ssl_certificate_key cert.pem;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        # Excludes anonymous (unauthenticated) and MD5-based suites. No
        # ssl_protocols directive is set, so the build's default protocol
        # list applies.
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        location / {
            root web;
            index index.html index.htm;
        }
    }
}
- 生成证书:
cd /etc/pki/tls/certs/
# Produces one PEM file holding both the private key and the certificate
# (nginx.conf above points ssl_certificate and ssl_certificate_key at it).
# The certificate is not issued by a CA the client already trusts, which is
# why the test step below has to add/accept it manually.
make cert.pem ## enter country, province, city, company, etc. when prompted
- 发送key:
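cp cert.pem /usr/local/nginx/conf/
# cert.pem contains the private key as well as the certificate (nginx.conf
# uses the same file for ssl_certificate_key), so restrict it to root only
# after copying; nginx's master process reads it as root, workers never need it.
chmod 600 /usr/local/nginx/conf/cert.pem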
- 制作发布页面:
# Docroot for the HTTPS server block (`root web;` in nginx.conf above);
# presumably created inside the nginx prefix directory — verify the cwd.
mkdir web
cd web/
vim index.html
##写入
https://server1.yang.org
- 重新启动Nginx:
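# Reload only when the config check passes. An unconditional reload after a
# failed -t would leave the previous config running while the error on stderr
# is easy to miss.
nginx -t && nginx -s reload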
- 测试:
访问 https://www.yang.org/,在浏览器中添加(信任)证书后可以正常访问,页面显示 https://server1.yang.org。