Method 1: Obtaining Real Client IPs Through Nginx

Download PDF
Overview
If the TCP protocol is used on the origin, it is recommended to add a Nginx server that supports Proxy Protocol V1/V2 in front of the application server to obtain real client IPs.
Note:
If the TCP protocol is used on the origin, and you want to directly parse the real client IPs on the application server, please see Parsing Real Client IPs on Application Server.
Deployment Mode
﻿
﻿
﻿
As shown in the above diagram, you need to deploy a Nginx server in front of the application server to remove the Proxy Protocol field. You can collect the real client IPs by analyzing Nginx logs on the Nginx server. At this time, you can point the origin address to the Nginx service when you configure the origin address in the EdgeOne L4 proxy service.
Directions
Step 1. Deploy Nginx service
Please select a Nginx version corresponding to the Proxy Protocol version you want to use.
For Proxy Protocol V1: Nginx Plus R11 and later versions, Nginx Open Source 1.11.4 and later versions.
For Proxy Protocol V2: Nginx Plus R16 and later versions, Nginx Open Source 1.13.11 and later versions.
For other Nginx versions, see Accepting the PROXY Protocol.
You need to install Nginx-1.18.0 and the stream module to enable L4 proxy service on Nginx. See installation directions below.
# Install the nginx build environment
yum -y install gcc gcc-c++ autoconf automake
yum -y install zlib zlib-devel openssl openssl-devel pcre-devel
﻿
# Decompress the source package
tar -zxvf nginx-1.18.0.tar.gz
# Enter the directory
cd nginx-1.18.0
# Set nginx compilation and installation configuration (with `--with-stream`)
./configure --prefix=/opt/nginx --sbin-path=/opt/nginx/sbin/nginx --conf-path=/opt/nginx/conf/nginx.conf --with-http_stub_status_module --with-http_gzip_static_module --with-stream
# Compilation
make
# Installation
make install
Step 2: Configure the stream module in Nginx
If you select Nginx-1.18.0, you can run the following command to open the configuration file nginx.conf.
vi /opt/nginx/conf/nginx.conf
Configuration of the stream module is as follows:
stream {
    # Set the log format, where `proxy_protocol_addr` is the client address obtained by parsing the PP protocol, and `remote_addr` is the address of the previous hop.
    log_format basic '$proxy_protocol_addr -$remote_addr [$time_local] '
                      '$protocol $bytes_sent $bytes_received '
                      '$session_time';
﻿
      access_log  logs/stream.access.log  basic;
    # upstream configuration
	upstream RealServer {
		hash $remote_addr consistent;
        # 127.0.0.1:8888 is the IP address and port of the application server
		server 127.0.0.1:8888 max_fails=3 fail_timeout=30s;
	}
    # server configuration
	server {
        # L4 listening port, which corresponds to the origin port configured in L4 proxy service. `proxy_protocol` is required to parse the PP protocol of incoming packets
		listen 10000   proxy_protocol;
		proxy_connect_timeout    1s;
		proxy_timeout 3s;
		proxy_pass RealServer;
	}
}
Step 3: Configure L4 proxy forwarding rule
After configuring the Nginx service, you can modify the L4 proxy forwarding rule in the console. Change the origin address to the IP of the current Nginx service, and change the origin port to the L4 listening port configured in step 2. Select Proxy Protocol V1 or V2 for the Pass Client IP according to the forwarding protocol. For details, see Modifying L4 Proxy Forwarding Rules.
﻿
﻿
﻿
Step 4: Simulate client requests and verify results
You can build the TCP service, and simulate client requests on another server to verify the results. A sample is as below:
1. Create an HTTP service with Python on the current server to simulate the TCP service.
# Based on python2
python2 -m SimpleHTTPServer 8888
﻿
# Based on python3
python3 -m http.server 8888
2. Build a client request on another server, and simulate the TCP request with a curl request.
# Initiate an HTTP request with curl, where the domain is the L4 proxy domain, and `8888` is the L4 proxy forwarding port
curl -i "http://d42f15b7a9b47488.davidjli.xyz.acc.edgeonedy1.com:8888/"
3. Check Nginx logs on the Nginx server:
﻿
﻿
﻿
You can capture packets on the Nginx server and analyze the packets with Wireshark. After the TCP handshake is completed, the Proxy Protocol field is added in front of the first application data packet. Below is an example for Proxy Protocol V1. ① refers to the L4 proxy egress IP, ② refers to the Nginx server IP, ③ refers to the protocol version, ④ refers to the real client IP.
﻿
﻿