Method 1: Obtaining Real Client IPs Through Nginx
Overview
If the TCP protocol is used on the origin, it is recommended to add an Nginx server that supports Proxy Protocol V1/V2 in front of the application server to obtain real client IPs.
Note:
If the TCP protocol is used on the origin, and you want to directly parse the real client IPs on the application server, please see Parsing Real Client IPs on Application Server.
Deployment Mode
As shown in the above diagram, you need to deploy an Nginx server in front of the application server to remove the Proxy Protocol field. You can collect the real client IPs by analyzing Nginx logs on the Nginx server. When you configure the origin address in the EdgeOne L4 proxy service, point it to the Nginx service.
Directions
Step 1. Deploy Nginx service
Select an Nginx version that corresponds to the Proxy Protocol version you want to use.
For Proxy Protocol V1: Nginx Plus R11 and later versions, Nginx Open Source 1.11.4 and later versions.
For Proxy Protocol V2: Nginx Plus R16 and later versions, Nginx Open Source 1.13.11 and later versions.
For other Nginx versions, see Accepting the PROXY Protocol.
You need to install Nginx-1.18.0 and the stream module to enable L4 proxy service on Nginx. See installation directions below.
# Install the nginx build environment
yum -y install gcc gcc-c++ autoconf automake
yum -y install zlib zlib-devel openssl openssl-devel pcre-devel
# Decompress the source package
tar -zxvf nginx-1.18.0.tar.gz
# Enter the directory
cd nginx-1.18.0
# Set nginx compilation and installation configuration (with `--with-stream`)
./configure --prefix=/opt/nginx --sbin-path=/opt/nginx/sbin/nginx --conf-path=/opt/nginx/conf/nginx.conf --with-http_stub_status_module --with-http_gzip_static_module --with-stream
# Compilation
make
# Installation
make install
Step 2: Configure the stream module in Nginx
If you select Nginx-1.18.0, you can run the following command to open the configuration file nginx.conf.
vi /opt/nginx/conf/nginx.conf
Configuration of the stream module is as follows:
stream {
    # Set the log format, where `proxy_protocol_addr` is the client address obtained by parsing the PP protocol, and `remote_addr` is the address of the previous hop.
    log_format basic '$proxy_protocol_addr -$remote_addr [$time_local] '
                     '$protocol $bytes_sent $bytes_received '
                     '$session_time';
    access_log logs/stream.access.log basic;

    # upstream configuration
    upstream RealServer {
        hash $remote_addr consistent;
        # 127.0.0.1:8888 is the IP address and port of the application server
        server 127.0.0.1:8888 max_fails=3 fail_timeout=30s;
    }

    # server configuration
    server {
        # L4 listening port, which corresponds to the origin port configured in L4 proxy service. `proxy_protocol` is required to parse the PP protocol of incoming packets
        listen 10000 proxy_protocol;
        proxy_connect_timeout 1s;
        proxy_timeout 3s;
        proxy_pass RealServer;
    }
}
Step 3: Configure L4 proxy forwarding rule
After configuring the Nginx service, you can modify the L4 proxy forwarding rule in the console. Change the origin address to the IP of the current Nginx service, and change the origin port to the L4 listening port configured in step 2. Select Proxy Protocol V1 or V2 for the Pass Client IP according to the forwarding protocol. For details, see Modifying L4 Proxy Forwarding Rules.
Step 4: Simulate client requests and verify results
You can build the TCP service, and simulate client requests on another server to verify the results. A sample is as below:
1. Create an HTTP service with Python on the current server to simulate the TCP service.
# Based on python2
python2 -m SimpleHTTPServer 8888
# Based on python3
python3 -m http.server 8888
2. Build a client request on another server, and simulate the TCP request with a curl request.
# Initiate an HTTP request with curl, where the domain is the L4 proxy domain, and `8888` is the L4 proxy forwarding port
curl -i "http://d42f15b7a9b47488.davidjli.xyz.acc.edgeonedy1.com:8888/"
3. Check Nginx logs on the Nginx server:
You can capture packets on the Nginx server and analyze the packets with Wireshark. After the TCP handshake is completed, the Proxy Protocol field is added in front of the first application data packet. Below is an example for Proxy Protocol V1. ① refers to the L4 proxy egress IP, ② refers to the Nginx server IP, ③ refers to the protocol version, ④ refers to the real client IP.
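The Proxy Protocol V1 header described above is a single text line in front of the application data, and a listener with `proxy_protocol` enabled parses it from whichever peer connects, so the value is only meaningful when that peer is the L4 proxy. The following added example (not part of the original documentation or of EdgeOne/Nginx code) parses and validates a V1 header and takes the client IP from it only when the TCP peer is in a trusted range. `TRUSTED_PROXIES`, `SAMPLE` and the function names are assumptions made for illustration, using documentation address ranges.

```python
import ipaddress

MAX_V1_LEN = 107  # longest v1 header allowed by the PROXY protocol spec, CRLF included
# Assumption: placeholder range standing in for the L4 proxy egress IPs.
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.0/24")]
# Constructed sample: v1 header followed by the first application bytes.
SAMPLE = b"PROXY TCP4 203.0.113.7 192.0.2.10 51234 10000\r\nGET / HTTP/1.1\r\n\r\n"


def parse_proxy_v1(data: bytes):
    """Return (info, payload); info is None for 'PROXY UNKNOWN'.

    Raises ValueError for anything that is not a well-formed v1 header.
    """
    end = data.find(b"\r\n", 0, MAX_V1_LEN)
    if not data.startswith(b"PROXY ") or end == -1:
        raise ValueError("missing or oversized PROXY v1 header")
    parts = data[:end].decode("ascii").split(" ")
    payload = data[end + 2:]
    if parts[1] == "UNKNOWN":
        return None, payload
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    src, dst = (ipaddress.ip_address(p) for p in parts[2:4])
    family = 4 if parts[1] == "TCP4" else 6
    if src.version != family or dst.version != family:
        raise ValueError("address family does not match " + parts[1])
    if not all(p.isdigit() and int(p) <= 65535 for p in parts[4:6]):
        raise ValueError("invalid port")
    info = {"client_ip": str(src), "client_port": int(parts[4]),
            "dst_ip": str(dst), "dst_port": int(parts[5])}
    return info, payload


def client_ip(peer_ip: str, first_bytes: bytes) -> str:
    """Client IP to log: the header's source only when the peer is trusted."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return peer_ip  # never believe a header sent by an unknown peer
    info, _ = parse_proxy_v1(first_bytes)
    return info["client_ip"] if info else peer_ip


if __name__ == "__main__":
    print(parse_proxy_v1(SAMPLE))
    print(client_ip("198.51.100.5", SAMPLE), client_ip("192.0.2.99", SAMPLE))
```

On the Nginx side, the equivalent control is to allow connections to the `proxy_protocol` listening port only from the L4 proxy egress addresses, for example with a host firewall or security group rule.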