白云网站制作,百度一下搜索一下,济南公司网站建设公司,住房和城乡建设部网站统计需求说明
现有一套Java开发的应用#xff0c;需要能获取到用户访问的真实IP地址#xff0c;以此来过滤到一些不安全的因素。而实际部署的场景中Java服务提供给用户访问需要经过多次代理#xff0c;默认情况下是无法获取到客户端真实IP地址的#xff0c;因此要实现该需求需要能获取到用户访问的真实IP地址以此来过滤到一些不安全的因素。而实际部署的场景中Java服务提供给用户访问需要经过多次代理默认情况下是无法获取到客户端真实IP地址的因此要实现该需求就得将客户端真实IP地址透传到后端。
访问路径 如何实现
haproxy上配置
# haproxy.cfg
defaultsmode httplog globaloption httplogoption dontlognulloption http-server-closelog 127.0.0.1 local3option forwardfor except 127.0.0.0/8option redispatchretries 3timeout http-request 10stimeout queue 1mtimeout connect 10stimeout client 5mtimeout server 5mtimeout http-keep-alive 10stimeout check 10sunique-id-format %{X}o\ %ci%cp%fi%fp%Ts%rt%pidfrontend https_link_habind *:443 ssl crt /usr/local/etc/haproxy/cert/crt/ ca-file /usr/local/etc/haproxy/cert/ca/ca.pem verify optional#log 127.0.0.1 local3mode httplog-format %ID %ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{Q}roption accept-invalid-http-request# 配置请求头http-request set-header x-request-id %[unique-id]http-request set-header x-request-time %[date()]http-request set-header X-Real-IP %[src]default_backend prebackend pre server 1 192.168.100.100:8080 check inter 1500 rise 3 fall 3 weight 3server 2 192.168.100.101:9000 check inter 1500 rise 3 fall 3 weight 4server 3 192.168.100.102:8090 check inter 1500 rise 3 fall 3 weight 5 其中主要是两个配置 option forwardfor except 127.0.0.0/8在由Haproxy发往后端的请求中加上XFF首部其值是前个客户端的IP。 http-request set-header X-Real-IP %[src]在X-Real-IP中设置客户端IP。 nginx上配置
# nginx.conf 日志格式log_format main $remote_addr - $remote_user [$time_local] $request $http_x_forwarded_for ;# location 反向代理的配置proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;更多参考资料https://www.cnblogs.com/yanzi2020/p/17471481.html
ingress上配置
默认情况下Ingress没有开启XFF。 在Ingress上要使用XFF需要使用到以下三个参数 use-forwarded-headers是否开启XFF头传递默认是false。 forwarded-for-headerXFF的真实header名默认是X-Forwarded-For。 compute-full-forwarded-for列出客户端访问所经过的代理IP默认情况下XFF是从remote_addr中获取的值。 # 在Nginx Ingress的ConfigMap里增加以下两个配置use-forwarded-headers: true
compute-full-forwarded-for: true 注意不是所有的场景都能通过XFF获取到用户的真实IP比如当SLB前面还有CDN的情况下获取的可能就是CDN的来源IP
traefik上配置 官方文档Traefik EntryPoints Documentation - Traefik 命令行方式 --entryPoints.web.address:80 --entryPoints.web.forwardedHeaders.insecure # k8s yaml文件示例仅做参考
---
apiVersion: apps/v1
kind: Deployment
metadata:annotations:meta.helm.sh/release-name: traefikmeta.helm.sh/release-namespace: defaultlabels:app.kubernetes.io/instance: traefikapp.kubernetes.io/managed-by: Helmapp.kubernetes.io/name: traefikhelm.sh/chart: traefik-9.11.0name: traefiknamespace: defaultresourceVersion: 505763774
spec:progressDeadlineSeconds: 600replicas: 6revisionHistoryLimit: 10selector:matchLabels:app.kubernetes.io/instance: traefikapp.kubernetes.io/name: traefikstrategy:rollingUpdate:maxSurge: 1maxUnavailable: 1type: RollingUpdatetemplate:metadata:creationTimestamp: nulllabels:app.kubernetes.io/instance: traefikapp.kubernetes.io/managed-by: Helmapp.kubernetes.io/name: traefikhelm.sh/chart: traefik-9.11.0spec:containers:- args:- --global.checknewversion- --global.sendanonymoususage- --entryPoints.traefik.address:9000/tcp- --entryPoints.web.address:8000/tcp- --entryPoints.websecure.address:8443/tcp- --api.dashboardtrue- --pingtrue- --providers.kubernetescrd- --providers.kubernetesingress- --entrypoints.web.forwardedHeaders.insecure- --entrypoints.websecure.forwardedHeaders.insecureimage: traefik:2.3.3imagePullPolicy: IfNotPresentlivenessProbe:failureThreshold: 3httpGet:path: /pingport: 9000scheme: HTTPinitialDelaySeconds: 10periodSeconds: 10successThreshold: 1timeoutSeconds: 2name: traefikports:- containerPort: 9000name: traefikprotocol: TCP- containerPort: 8000name: webprotocol: TCP- containerPort: 8443name: websecureprotocol: TCPreadinessProbe:failureThreshold: 1httpGet:path: /pingport: 9000scheme: HTTPinitialDelaySeconds: 10periodSeconds: 10successThreshold: 1timeoutSeconds: 2resources: {}securityContext:capabilities:drop:- ALLreadOnlyRootFilesystem: truerunAsGroup: 65532runAsNonRoot: truerunAsUser: 65532terminationMessagePath: /dev/termination-logterminationMessagePolicy: FilevolumeMounts:- mountPath: /dataname: data- mountPath: /tmpname: tmpdnsPolicy: ClusterFirstrestartPolicy: AlwaysschedulerName: default-schedulersecurityContext:fsGroup: 65532serviceAccount: traefikserviceAccountName: traefikterminationGracePeriodSeconds: 60volumes:- emptyDir: {}name: data- emptyDir: {}name: tmp
status:availableReplicas: 6conditions:- lastTransitionTime: 2022-10-10T07:58:50ZlastUpdateTime: 2022-10-10T07:58:50Zmessage: Deployment has minimum availability.reason: MinimumReplicasAvailablestatus: Truetype: Available- lastTransitionTime: 2020-11-25T22:53:59ZlastUpdateTime: 2022-11-17T10:44:40Zmessage: ReplicaSet traefik-54bf67c74d has successfully progressed.reason: NewReplicaSetAvailablestatus: Truetype: ProgressingobservedGeneration: 13readyReplicas: 6replicas: 6updatedReplicas: 6---
apiVersion: v1
kind: Service
metadata:annotations:meta.helm.sh/release-name: traefikmeta.helm.sh/release-namespace: defaultlabels:app.kubernetes.io/instance: traefikapp.kubernetes.io/managed-by: Helmapp.kubernetes.io/name: traefikhelm.sh/chart: traefik-9.11.0name: traefiknamespace: defaultresourceVersion: 505762379
spec:clusterIP: 10.96.252.109externalTrafficPolicy: Clusterports:- name: webnodePort: 30079port: 80protocol: TCPtargetPort: webselector:app.kubernetes.io/instance: traefikapp.kubernetes.io/name: traefiksessionAffinity: Nonetype: NodePort
status:loadBalancer: {} 在deployment部署中的traefik启动参数中添加 - --entrypoints.web.forwardedHeaders.insecure 和 - --entrypoints.websecure.forwardedHeaders.insecure 启动参数 本文仅做记录和参考在实际使用中需要充分测试。
