如何拿到访问者的真实IP

zealzhangz

网关Nginx做了如下配置，发现代码中拿不到真实IP

      proxy_pass http://yth-app;
      proxy_set_header   X-Forwarded-Proto $scheme;
      proxy_set_header   X-Real-IP         $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

拿到的IP如下：

{
    "referer": "http://test.10.1.1.122.nip.io:31729/public/workplace",
    "authorization": "bearer ",
    "x-forwarded-host": "test.10.1.1.122.nip.io:31729",
    "tenantid": "1",
    "Content-Length": "0",
    "X-Real-IP": "10.233.126.40",
    "x-request-id": "4919240d-38e2-460b-aba9-610fddea491e",
    "accept-language": "zh-CN,zh;q=0.9,en;q=0.8",
    "X-Forwarded-Proto": "http",
    "Connection": "close",
    "Host": "yth-app",
    "x-forwarded-for": "127.0.0.1",
    "accept": "*/*",
    "x-original-uri": "/sys/navigation/userNav",
    "x-envoy-expected-rq-timeout-ms": "15000",
    "x-scheme": "http",
    "accept-encoding": "gzip, deflate",
    "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36"
}

发现 “X-Real-IP”: “10.233.126.40” 和 “x-forwarded-for”: “127.0.0.1” 都没拿到真是IP，而 10.233.126.40 对应的是 kubesphere router 的IP地址，如下：

stoneshi-yunify

zealzhangz 看看这个有没有帮助 https://www.alibabacloud.com/help/doc-detail/42205.htm

Jeff

zealzhangz https://kubesphere.com.cn/blogs/how-to-get-real-ip-in-pod/ 看官方博客

zealzhangz

Jeff
你好，我们是3.0的私有云环境，在Master节点用Haproxy和keeplive做的负载均衡，这种环境是否适用于这种方式:
通过 LB -> Ingress -> Service 访问获取真实 IP

按照文档的更改后的配置如下，但是更新后发现服务访问不了了：

kind: Service
apiVersion: v1
metadata:
  name: kubesphere-router-test
  namespace: kubesphere-controls-system
  labels:
    app: kubesphere
    component: ks-router
    project: test
    tier: backend
  annotations:
    servicemesh.kubesphere.io/enabled: 'false'
spec:
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 80
      nodePort: 31729
    - name: https
      protocol: TCP
      port: 443
      targetPort: 443
      nodePort: 32718
  selector:
    app: kubesphere
    component: ks-router
    project: test
    tier: backend
  clusterIP: 10.233.14.194
  type: NodePort
  sessionAffinity: None
  externalTrafficPolicy: Local

weekyuan

Jeff 你好，我通过LB -> Ingress -> Service访问路径，始终无法获取到客户端真实IP，麻烦指导下是哪里的问题？
1.LB绑定的网关（ingress-controller的svc）

2.ingress通过网关代理

3.ingress-controller的configmap如下

4.ingress-controller的nginx配置文件已经加载成功

5.ingress-controller的service已经设置Local模式

6.访问任然无法获取真实IP

shaowenchen

zealzhangz

Local 模式下，不能跨节点。需要修改 ingress-controller 副本的数量和亲和性。

zealzhangz

shaowenchen
大佬，请明示。ingress-controller 默认副本数就是1，亲和性改成了：sessionAffinity: ClientIP，还是访问不了，报 ERR_CONNECTION_REFUSED
配置如下：

kind: Service
apiVersion: v1
metadata:
  name: kubesphere-router-test
  namespace: kubesphere-controls-system
  labels:
    app: kubesphere
    component: ks-router
    project: test
    tier: backend
  annotations:
    servicemesh.kubesphere.io/enabled: 'false'
spec:
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 80
      nodePort: 31729
    - name: https
      protocol: TCP
      port: 443
      targetPort: 443
      nodePort: 32718
  selector:
    app: kubesphere
    component: ks-router
    project: test
    tier: backend
  clusterIP: 10.233.14.194
  type: NodePort
  sessionAffinity: ClientIP
  externalTrafficPolicy: Local

shaowenchen

zealzhangz

文档里面有描述，ingress controller 需要均匀分配到每一个节点上。

dami

shaowenchen 按照文档里面的配置，把网关负载，分配到每一个节点上，通过访问还是拿不到真实的IP，X-Real-IP 还是127.0.0.1。

架构方式是 NGINX -> ingress -> SpringCloud.Gateway

alien233

可能你们要自己编写获取真实IP的代码了，
这个谁试了，能告诉我能否正常获得真实IP。感谢

jusl-song

alien233

网关的cm增加以下内容后可以获取真实ip，但也同时会影响X-forward-Host 等header

data:

use-forwarded-headers: “true”

compute-full-forwarded-for: “true”

如果单个服务想要获取真实IP地址的话，可以不需要上面的配置

直接在Ingress资源里配置需要信任的header和不需要匹配的ip列表

nginx.ingress.kubernetes.io/configuration-snippet: |

  proxy_set_header X-Forwarded-For $http_x_forwarded_for;

  real_ip_header X-Forwarded-For;

  set_real_ip_from 127.0.0.0/0;

  real_ip_recursive on;