Help & Documentation>Tencent Cloud EdgeOne>L4 Proxy>Obtaining Real Client IPs>Obtaining Real Client IPs Through Protocol V1/V2>Method 1: Obtaining Real Client IPs Through Nginx

Method 1: Obtaining Real Client IPs Through Nginx

Last updated: 2023-09-07 15:40:06

On this page:

Use Cases

If your origin server operates on the TCP protocol and the current Nginx natively supports the Proxy Protocol, it is advisable to incorporate a Nginx server that supports Proxy Protocol V1/V2 ahead of the application server to acquire the genuine client IP. You may follow the subsequent steps for implementation.
Note:
If your origin server operates on the TCP protocol and you prefer not to deploy an Nginx service for individual parsing of the real client IP, but rather wish to directly parse and obtain the real client IP within the application server to aid business decision logic, you may refer to: Parsing Real Client IPs on Application Server.

Deployment directions


As depicted in the diagram above, you need to deploy a Nginx server ahead of the application server. The Nginx server will handle the unloading of the Proxy Protocol field. The collection of real client IP addresses can be accomplished by analyzing the Nginx logs on the Nginx server, thereby relieving the application server from the concern of real client addresses. At this point, when configuring the origin address in the EdgeOne L4 proxy service, you can direct the origin address to this Nginx service.

Instructions

Step 1: Deploy Nginx Service

Please select a Nginx version corresponding to the Proxy Protocol version you want to use:
For Proxy Protocol V1: Nginx Plus R11 and later versions, Nginx Open Source 1.11.4 and later versions.
For Proxy Protocol V2: Nginx Plus R16 and later versions, Nginx Open Source 1.13.11 and later versions.
For information on other Nginx versions' support for the Proxy Protocol, please refer to the Nginx documentation: Accepting the PROXY Protocol.
To facilitate the L4 proxy service on Nginx, it is necessary to install Nginx-1.18.0 and its stream module. The installation process is as follows:
# Install the nginx build environment dependencies
yum -y install gcc gcc-c++ autoconf automake
yum -y install zlib zlib-devel openssl openssl-devel pcre-devel

# Decompress the source package
tar -zxvf nginx-1.18.0.tar.gz
# Enter the directory
cd nginx-1.18.0
# Configure the nginx compilation and installation settings, including --with-stream
./configure --prefix=/opt/nginx --sbin-path=/opt/nginx/sbin/nginx --conf-path=/opt/nginx/conf/nginx.conf --with-http_stub_status_module --with-http_gzip_static_module --with-stream
# Compilation
make
# Installation
make install

Step 2: Configure the stream module within Nginx

Using Nginx-1.18.0 as an example, the following command can be executed to access the Nginx configuration file, nginx.conf:
vi /opt/nginx/conf/nginx.conf
Configuration of the stream module is as follows:
stream {
    # Set the log format, where proxy_protocol_addr is the client address obtained by parsing the PP protocol, and remote_addr is the address of the previous hop.
    log_format basic '$proxy_protocol_addr -$remote_addr [$time_local] '
                      '$protocol $bytes_sent $bytes_received '
                      '$session_time';

      access_log  logs/stream.access.log  basic;
    # upstream configuration
	upstream RealServer {
		hash $remote_addr consistent;
        # 127.0.0.1:8888 is the IP address and port of the application server
		server 127.0.0.1:8888 max_fails=3 fail_timeout=30s;
	}
    # Server Configuration
	server{
        # L4 listening port, which corresponds to the origin port configured in L4 proxy service. proxy_protocol is required to parse the PP protocol of incoming packets.
		listen 10000 proxy_protocol;
		proxy_connect_timeout 1s;
		proxy_timeout 3s;
		proxy_pass RealServer;
	}
}

Step 3: Configure L4 proxy forwarding rule

Upon configuring the Nginx service, you can proceed to the L4 proxy service in the console, modify the L4 proxy forwarding rules. Alter the origin address to the IP of the current Nginx service, and the origin port to the L4 listening port configured in Step Two. When transmitting the client IP, select either Proxy Protocol V1 or Proxy Protocol V2, depending on the support status of your current Nginx version.


Step 4: Simulate client requests and verify results

You can establish a TCP service, then utilize an alternate server to simulate client requests for validation. The specific example is as follows:
1. An HTTP service can be established on the current server using Python to emulate a TCP service.
# Use python2
python2 -m SimpleHTTPServer 8888

# Use python3
python3 -m http.server 8888
2. Utilize an alternate server to function as a client, formulate client requests, and simulate TCP requests using Curl:
# Initiate an HTTP request with curl, where the domain is the L4 proxy domain, and 8888 is the L4 proxy forwarding port
curl -i "http://d42f15b7a9b47488.davidjli.xyz.acc.edgeonedy1.com:8888/"
3. Inspect the Nginx logs on the Nginx server as shown below:

You can capture packets on the Nginx server and analyze them using Wireshark. After the TCP handshake is completed, the Proxy Protocol field will be added to the front of the first business data packet. Here is an example of Proxy Protocol V1: ①L4 Proxy exit IP, ②Nginx server IP, ③Protocol version, ④Real client IP address.

中国站 - English