七层IP透传测试
原理与 nginx 相同:通过配置将客户端 IP 添加到 X-Forwarded-For 请求头中,具体配置如下:
# Process-wide settings: log target, chroot directory, unprivileged account and connection ceiling.
global
# Send log messages to the syslog listener at 127.0.0.1, facility local3, level info.
log 127.0.0.1 local3 info
# chroot together with user/group below: after startup the process is confined to this
# directory and runs as the haproxy account, which limits what a compromised process can reach.
chroot /usr/local/haproxy
pidfile /var/run/haproxy.pid
# Upper bound on concurrent connections for the process.
maxconn 65530
user haproxy
group haproxy
# Detach and run in the background.
daemon
# Values inherited by every frontend/backend/listen section unless that section overrides them.
defaults
# NOTE(review): "log global" already inherits the log line from the global section; the
# explicit line after it names the same target, so messages may be logged twice — confirm.
log global
log 127.0.0.1 local3 info
mode http
option httplog
# dontlognull drops log entries for connections that transferred no data. On a listener
# reachable from untrusted networks this also hides port scans and probes from the logs.
option dontlognull
option httpclose
# forwardfor stays disabled in defaults; it is switched on in the HTTP frontend only.
# option forwardfor
retries 3
maxconn 65530
# Bounds how long a client may take to deliver complete request headers, which limits
# slow-header connection hogging. It only has effect on HTTP-mode proxies.
timeout http-request 10s
timeout queue 1m
timeout connect 60s
timeout client 2m
timeout server 2m
timeout http-keep-alive 10s
timeout check 10s
# Layer-7 entry point on port 80: HAProxy parses the HTTP request, so it can add headers.
frontend frontend_http
bind *:80
# NOTE(review): defaults already enable "option httplog"; tcplog here appears to switch this
# HTTP frontend to the TCP log format and lose per-request details — confirm the intent.
option tcplog
# Appends an X-Forwarded-For header carrying the client address to each forwarded request.
# An X-Forwarded-For header supplied by the client is not removed by this option, so the
# backend should trust only the last occurrence (the one HAProxy appended), or the incoming
# header should be deleted before forwarding.
option forwardfor
mode http
default_backend backend_http
# HTTP backend: requests are distributed round-robin over two nodes, each health-checked.
# Traffic from HAProxy to the nodes is unencrypted HTTP on port 8080.
backend backend_http
mode http
balance roundrobin
server emqx_node_1 192.168.47.11:8080 check
server emqx_node_2 192.168.47.12:8080 check
# Port 443 is handled in TCP mode and the bind line carries no certificate, so TLS is
# passed through untouched. HAProxy does not see the HTTP layer here and cannot add
# X-Forwarded-For; the backend sees HAProxy's own address as the connection peer.
frontend frontend_https
bind *:443
option tcplog
mode tcp
default_backend backend_https
# TCP backend for the passthrough traffic, round-robin over two nodes on port 8443.
# No send-proxy is set on these server lines, so the client address is not conveyed.
backend backend_https
mode tcp
balance roundrobin
server emqx_node_3 192.168.47.11:8443 check
server emqx_node_4 192.168.47.12:8443 check
# Statistics and administration page served by HAProxy itself.
listen haproxy_status
# NOTE(review): bound on every address over plain HTTP. For anything beyond a lab, bind it
# to a management or loopback address and protect it with TLS.
bind *:9800
mode http
option httplog
maxconn 200
stats refresh 120s
log 127.0.0.1 local0 err
stats uri /haproxy-status
# NOTE(review): the realm looks like it lost its escaped spaces (probably
# "welcome\ login\ haproxy") — confirm against the original file.
stats realm welcome login\haproxy
# NOTE(review): test-only credential. The password is trivially guessable, stored in clear
# text in the config, and sent as HTTP Basic auth over an unencrypted listener; replace it
# with a strong secret before any real use.
stats auth admin:123456
stats hide-version
# "if TRUE" grants the admin actions of the stats page (such as enabling or disabling
# servers) to every user who passes stats auth; a narrower condition, for example a
# source-address ACL, is safer.
stats admin if TRUE
# 测试:针对 HTTP 请求启用 option forwardfor 后,可以看到客户端 IP 被添加到了 X-Forwarded-For 请求头中
# 四层IP透传测试
haproxy 四层透传 IP 的实现方式是通过 PROXY protocol 协议:拿到四层流量后,将客户端 IP 信息写入到数据包中;后端服务也必须支持 PROXY protocol,否则会报错。测试如下:
haproxy 配置如下:
# Process-wide settings: log target, chroot directory, unprivileged account and connection ceiling.
global
# Send log messages to the syslog listener at 127.0.0.1, facility local3, level info.
log 127.0.0.1 local3 info
# chroot together with user/group below: after startup the process is confined to this
# directory and runs as the haproxy account, which limits what a compromised process can reach.
chroot /usr/local/haproxy
pidfile /var/run/haproxy.pid
# Upper bound on concurrent connections for the process.
maxconn 65530
user haproxy
group haproxy
# Detach and run in the background.
daemon
# Values inherited by every frontend/backend/listen section unless that section overrides them.
defaults
# NOTE(review): "log global" already inherits the log line from the global section; the
# explicit line after it names the same target, so messages may be logged twice — confirm.
log global
log 127.0.0.1 local3 info
mode http
option httplog
# dontlognull drops log entries for connections that transferred no data. On a listener
# reachable from untrusted networks this also hides port scans and probes from the logs.
option dontlognull
option httpclose
# forwardfor stays disabled in defaults; it is switched on in the HTTP frontend only.
# option forwardfor
retries 3
maxconn 65530
# Bounds how long a client may take to deliver complete request headers, which limits
# slow-header connection hogging. It only has effect on HTTP-mode proxies.
timeout http-request 10s
timeout queue 1m
timeout connect 60s
timeout client 2m
timeout server 2m
timeout http-keep-alive 10s
timeout check 10s
# Layer-7 entry point on port 80: HAProxy parses the HTTP request, so it can add headers.
frontend frontend_http
bind *:80
# NOTE(review): defaults already enable "option httplog"; tcplog here appears to switch this
# HTTP frontend to the TCP log format and lose per-request details — confirm the intent.
option tcplog
# Appends an X-Forwarded-For header carrying the client address to each forwarded request.
# An X-Forwarded-For header supplied by the client is not removed by this option, so the
# backend should trust only the last occurrence (the one HAProxy appended), or the incoming
# header should be deleted before forwarding.
option forwardfor
mode http
default_backend backend_http
# HTTP backend: requests are distributed round-robin over two nodes, each health-checked.
# Traffic from HAProxy to the nodes is unencrypted HTTP on port 8080.
backend backend_http
mode http
balance roundrobin
server emqx_node_1 192.168.47.11:8080 check
server emqx_node_2 192.168.47.12:8080 check
# Port 443 is handled in TCP mode and the bind line carries no certificate, so TLS is
# passed through untouched. HAProxy cannot add HTTP headers on this path; the client
# address is conveyed instead by send-proxy on the server line of backend_https.
frontend frontend_https
bind *:443
option tcplog
mode tcp
default_backend backend_https
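# TCP backend that conveys the client address with the PROXY protocol.
backend backend_https
mode tcp
balance roundrobin
# server emqx_node_3 192.168.47.11:8443 send-proxy check
#server emqx_node_4 192.168.47.12:8443 check
# Layer 4: adding send-proxy to the server line makes HAProxy prepend a PROXY protocol
# header with the original client address when it opens the connection to this server.
# The receiving listener must be configured to expect that header, otherwise the
# connection fails. The header is not authenticated, so the backend port should accept
# connections only from this proxy; anyone who can reach the port directly can claim an
# arbitrary client address.
server emqx_node_5 192.168.47.10:808 send-proxy check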
# Statistics and administration page served by HAProxy itself.
listen haproxy_status
# NOTE(review): bound on every address over plain HTTP. For anything beyond a lab, bind it
# to a management or loopback address and protect it with TLS.
bind *:9800
mode http
option httplog
maxconn 200
stats refresh 120s
log 127.0.0.1 local0 err
stats uri /haproxy-status
# NOTE(review): the realm looks like it lost its escaped spaces (probably
# "welcome\ login\ haproxy") — confirm against the original file.
stats realm welcome login\haproxy
# NOTE(review): test-only credential. The password is trivially guessable, stored in clear
# text in the config, and sent as HTTP Basic auth over an unencrypted listener; replace it
# with a strong secret before any real use.
stats auth admin:123456
stats hide-version
# "if TRUE" grants the admin actions of the stats page (such as enabling or disabling
# servers) to every user who passes stats auth; a narrower condition, for example a
# source-address ACL, is safer.
stats admin if TRUE
重新启动haproxy 服务
# 可以看到请求头中
# 备注 :
nginx 支持 proxy_protocol,因此后端服务器我们使用 nginx;tomcat 不支持,如果后端服务器是 tomcat,代理会不成功,tomcat 读取请求包时会报错。
nginx 安装时需要带有 realip 等模块,如下(nginx 版本 1.20):
————————————————
原文链接:https://blog.csdn.net/zhangxm_qz/article/details/124117546