Method 1: Obtaining Real Client IPs Through Nginx

Last updated: 2023-09-11 17:42:15

    Overview

    If the TCP protocol is used on the origin, it is recommended to add an Nginx server that supports Proxy Protocol V1/V2 in front of the application server to obtain real client IPs.
    Note:
    If the TCP protocol is used on the origin, and you want to directly parse the real client IPs on the application server, please see Parsing Real Client IPs on Application Server.

    Deployment Mode

    
    
    
    As shown in the above diagram, you need to deploy an Nginx server in front of the application server to remove the Proxy Protocol field. You can collect the real client IPs by analyzing the Nginx logs on that server. When you configure the origin address in the EdgeOne L4 proxy service, point it to the Nginx service.

    Directions

    Step 1. Deploy Nginx service

    Please select an Nginx version corresponding to the Proxy Protocol version you want to use.
    For Proxy Protocol V1: Nginx Plus R11 and later versions, Nginx Open Source 1.11.4 and later versions.
    For Proxy Protocol V2: Nginx Plus R16 and later versions, Nginx Open Source 1.13.11 and later versions.
    For other Nginx versions, see Accepting the PROXY Protocol.
    You need to install Nginx-1.18.0 and the stream module to enable L4 proxy service on Nginx. See installation directions below.
    # Install the nginx build environment
    yum -y install gcc gcc-c++ autoconf automake
    yum -y install zlib zlib-devel openssl openssl-devel pcre-devel
    
    # Decompress the source package
    tar -zxvf nginx-1.18.0.tar.gz
    # Enter the directory
    cd nginx-1.18.0
    # Set nginx compilation and installation configuration (with `--with-stream`)
    ./configure --prefix=/opt/nginx --sbin-path=/opt/nginx/sbin/nginx --conf-path=/opt/nginx/conf/nginx.conf --with-http_stub_status_module --with-http_gzip_static_module --with-stream
    # Compilation
    make
    # Installation
    make install

    Step 2: Configure the stream module in Nginx

    If you select Nginx-1.18.0, you can run the following command to open the configuration file nginx.conf.
    vi /opt/nginx/conf/nginx.conf
    Configuration of the stream module is as follows:
    stream {
        # Set the log format, where `proxy_protocol_addr` is the client address obtained by parsing the PP protocol, and `remote_addr` is the address of the previous hop.
        log_format basic '$proxy_protocol_addr -$remote_addr [$time_local] '
                         '$protocol $bytes_sent $bytes_received '
                         '$session_time';

        access_log logs/stream.access.log basic;

        # upstream configuration
        upstream RealServer {
            hash $remote_addr consistent;
            # 127.0.0.1:8888 is the IP address and port of the application server
            server 127.0.0.1:8888 max_fails=3 fail_timeout=30s;
        }

        # server configuration
        server {
            # L4 listening port, which corresponds to the origin port configured in L4 proxy service. `proxy_protocol` is required to parse the PP protocol of incoming packets
            listen 10000 proxy_protocol;
            proxy_connect_timeout 1s;
            proxy_timeout 3s;
            proxy_pass RealServer;
        }
    }

    Step 3: Configure L4 proxy forwarding rule

    After configuring the Nginx service, you can modify the L4 proxy forwarding rule in the console. Change the origin address to the IP of the current Nginx service, and change the origin port to the L4 listening port configured in step 2. Select Proxy Protocol V1 or V2 for the Pass Client IP according to the forwarding protocol. For details, see Modifying L4 Proxy Forwarding Rules.
    
    
    

    Step 4: Simulate client requests and verify results

    You can build a TCP service and simulate client requests from another server to verify the results. A sample is shown below:
    1. Create an HTTP service with Python on the current server to simulate the TCP service.
    # Based on python2
    python2 -m SimpleHTTPServer 8888
    
    # Based on python3
    python3 -m http.server 8888
    2. Build a client request on another server, and simulate the TCP request with a curl request.
    # Initiate an HTTP request with curl, where the domain is the L4 proxy domain, and `8888` is the L4 proxy forwarding port
    curl -i "http://d42f15b7a9b47488.davidjli.xyz.acc.edgeonedy1.com:8888/"
    3. Check Nginx logs on the Nginx server:
    
    
    
    You can capture packets on the Nginx server and analyze the packets with Wireshark. After the TCP handshake is completed, the Proxy Protocol field is added in front of the first application data packet. Below is an example for Proxy Protocol V1. ① refers to the L4 proxy egress IP, ② refers to the Nginx server IP, ③ refers to the protocol version, ④ refers to the real client IP.
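
The header that Nginx strips, parsed by hand, as an added example that is not part of the original page. `parse_proxy_v1`, `SAMPLE` and the documentation-range addresses in it are constructed for illustration, and only Proxy Protocol V1 is handled.

```python
import ipaddress

MAX_V1_LINE = 107  # the spec caps a v1 line at 107 bytes, CRLF included
FAMILY = {"TCP4": 4, "TCP6": 6}


def _port(text):
    # Ports are plain decimal digits in the range 0-65535.
    if not text.isdigit() or int(text) > 65535:
        raise ValueError("bad port: %r" % text)
    return int(text)


def parse_proxy_v1(data):
    """Split the first bytes of a connection into (info, payload).

    info holds the addresses carried in the header, or is None for
    'PROXY UNKNOWN'. Raises ValueError on anything malformed."""
    end = data.find(b"\r\n", 0, MAX_V1_LINE)
    if not data.startswith(b"PROXY ") or end == -1:
        raise ValueError("missing or oversized PROXY v1 line")
    fields = data[:end].decode("ascii").split(" ")
    payload = data[end + 2:]  # application data starts right after CRLF
    if fields[1] == "UNKNOWN":
        return None, payload
    if len(fields) != 6 or fields[1] not in FAMILY:
        raise ValueError("unexpected PROXY v1 fields")
    _, proto, src, dst, sport, dport = fields
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip.version != FAMILY[proto] or dst_ip.version != FAMILY[proto]:
        raise ValueError("address family does not match " + proto)
    info = {"client_ip": str(src_ip), "client_port": _port(sport),
            "proxy_dst_ip": str(dst_ip), "proxy_dst_port": _port(dport)}
    return info, payload


# Constructed first data segment: the v1 header followed by an HTTP request.
SAMPLE = (b"PROXY TCP4 203.0.113.7 198.51.100.10 51544 10000\r\n"
          b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")

if __name__ == "__main__":
    info, payload = parse_proxy_v1(SAMPLE)
    print(info["client_ip"], payload[:14])
```

The client address in the header is whatever the connecting peer wrote, so the port that listens with `proxy_protocol` should accept connections only from the L4 proxy.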
    
    