• Development
  • How to get the visitor's real IP

The gateway Nginx is configured as follows, but the code cannot get the real IP:

      proxy_pass http://yth-app;
      proxy_set_header   X-Forwarded-Proto $scheme;
      proxy_set_header   X-Real-IP         $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

The IP received is as follows:

{
    "referer": "http://test.10.1.1.122.nip.io:31729/public/workplace",
    "authorization": "bearer ",
    "x-forwarded-host": "test.10.1.1.122.nip.io:31729",
    "tenantid": "1",
    "Content-Length": "0",
    "X-Real-IP": "10.233.126.40",
    "x-request-id": "4919240d-38e2-460b-aba9-610fddea491e",
    "accept-language": "zh-CN,zh;q=0.9,en;q=0.8",
    "X-Forwarded-Proto": "http",
    "Connection": "close",
    "Host": "yth-app",
    "x-forwarded-for": "127.0.0.1",
    "accept": "*/*",
    "x-original-uri": "/sys/navigation/userNav",
    "x-envoy-expected-rq-timeout-ms": "15000",
    "x-scheme": "http",
    "accept-encoding": "gzip, deflate",
    "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36"
}

Neither "X-Real-IP": "10.233.126.40" nor "x-forwarded-for": "127.0.0.1" is the real IP, and 10.233.126.40 is the IP address of the kubesphere router, as follows:

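    Jeff
    Hello, we run a 3.0 private cloud environment, with HAProxy and keepalived doing load balancing on the master nodes. Does this approach apply to such an environment:
    Getting the real IP when accessing via LB -> Ingress -> Service

    The configuration after changing it according to the documentation is below, but after the update the service became inaccessible: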

    kind: Service
    apiVersion: v1
    metadata:
      name: kubesphere-router-test
      namespace: kubesphere-controls-system
      labels:
        app: kubesphere
        component: ks-router
        project: test
        tier: backend
      annotations:
        servicemesh.kubesphere.io/enabled: 'false'
    spec:
      ports:
        - name: http
          protocol: TCP
          port: 80
          targetPort: 80
          nodePort: 31729
        - name: https
          protocol: TCP
          port: 443
          targetPort: 443
          nodePort: 32718
      selector:
        app: kubesphere
        component: ks-router
        project: test
        tier: backend
      clusterIP: 10.233.14.194
      type: NodePort
      sessionAffinity: None
      externalTrafficPolicy: Local

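      shaowenchen
      Could you please spell it out? The ingress-controller's default replica count is already 1, and I changed the affinity to sessionAffinity: ClientIP, but it is still inaccessible and reports ERR_CONNECTION_REFUSED.
      The configuration is as follows: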

      kind: Service
      apiVersion: v1
      metadata:
        name: kubesphere-router-test
        namespace: kubesphere-controls-system
        labels:
          app: kubesphere
          component: ks-router
          project: test
          tier: backend
        annotations:
          servicemesh.kubesphere.io/enabled: 'false'
      spec:
        ports:
          - name: http
            protocol: TCP
            port: 80
            targetPort: 80
            nodePort: 31729
          - name: https
            protocol: TCP
            port: 443
            targetPort: 443
            nodePort: 32718
        selector:
          app: kubesphere
          component: ks-router
          project: test
          tier: backend
        clusterIP: 10.233.14.194
        type: NodePort
        sessionAffinity: ClientIP
        externalTrafficPolicy: Local

        zealzhangz

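        The documentation describes this: the ingress controller needs to be evenly distributed across every node.

        • dami replied to this post
          12 days later

          shaowenchen Following the configuration in the documentation, I distributed the gateway workload to every node, but access still does not yield the real IP; X-Real-IP is still 127.0.0.1.

          The architecture is NGINX -> ingress -> SpringCloud.Gateway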

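          6 months later

          Jeff Hello, with the access path LB -> Ingress -> Service I am never able to get the client's real IP. Could you advise where the problem is?
          1. The gateway bound to the LB (the ingress-controller's svc)

          2. The ingress is proxied through the gateway

          3. The ingress-controller's configmap is as follows

          4. The ingress-controller's nginx configuration file has been loaded successfully

          5. The ingress-controller's service has already been set to Local mode

          6. Access still cannot get the real IP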

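          7 days later

          You may have to write the code for getting the real IP yourselves.
          Has anyone tried this? Can you tell me whether the real IP can be obtained normally? Thanks.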

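            2 years later

            alien233

            After adding the following to the gateway's cm, the real IP can be obtained, but it also affects headers such as X-forward-Host

            data:
              use-forwarded-headers: "true"
              compute-full-forwarded-for: "true"

            If a single service wants to get the real IP address, the configuration above is not needed.

            Configure the header to trust and the list of IPs that do not need to be matched directly in the Ingress resource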

            nginx.ingress.kubernetes.io/configuration-snippet: |
              proxy_set_header X-Forwarded-For $http_x_forwarded_for;
              real_ip_header X-Forwarded-For;
              set_real_ip_from 127.0.0.0/0;
              real_ip_recursive on;
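
Added example, not part of the thread and not any poster's or the project's code: a small Python model of how `real_ip_header X-Forwarded-For` with `real_ip_recursive on` picks the client address, showing why the trusted range matters. A `set_real_ip_from` of `127.0.0.0/0` matches every IPv4 address, so the leftmost header entry, which the client can set itself, is accepted. The function name, the sample header and the narrow CIDR list are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample values (not taken from a real capture).
PEER = "10.233.126.40"   # router pod address, seen as the TCP peer
# 198.51.100.7: sent by the client in its own request header
# 203.0.113.9:  the client as seen (and appended) by the LB
# 10.1.1.122:   the LB as seen (and appended) by the outer NGINX
SAMPLE_XFF = "198.51.100.7, 203.0.113.9, 10.1.1.122"
NARROW = ["10.233.0.0/16", "10.1.1.0/24"]   # assumed pod and proxy networks
WIDE = ["127.0.0.0/0"]                      # value from the snippet above


def real_client_ip(remote_addr, xff_header, trusted_cidrs):
    """Approximate nginx realip with real_ip_recursive on.

    The header is honoured only if the TCP peer is a trusted proxy. Entries
    are then read right to left; the first one outside the trusted ranges is
    the client. If every entry is trusted, the leftmost one is used.
    """
    # strict=False accepts host bits, so "127.0.0.0/0" becomes 0.0.0.0/0
    nets = [ipaddress.ip_network(c, strict=False) for c in trusted_cidrs]

    def trusted(ip):
        return any(ip in net for net in nets)

    if not trusted(ipaddress.ip_address(remote_addr)):
        return remote_addr          # unknown peer: ignore the header entirely
    client = remote_addr
    for hop in reversed([h.strip() for h in (xff_header or "").split(",")]):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            break                   # empty or malformed entry: stop here
        client = hop
        if not trusted(ip):
            break                   # first hop that is not one of our proxies
    return client


if __name__ == "__main__":
    print("narrow trust:", real_client_ip(PEER, SAMPLE_XFF, NARROW))
    print("wide trust:  ", real_client_ip(PEER, SAMPLE_XFF, WIDE))
```

With the trusted ranges limited to the proxies actually in the path, the address appended by the LB is returned and the client-supplied entry is ignored.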