nginx多层反向代理获取客户端真实ip

风流意气都作罢 提交于 2021-02-16 05:43:05
访问路径:
用户 --> www.chinasoft.cn(nginx反向代理) --> www.chinasoft.com(nginx反向代理) --> python服务端程序

经过多层代理

第一层代理:
# cat /usr/local/nginx/conf/vhost.d/www.chinasoft.cn.conf 
# First-layer proxy: plain-HTTP virtual host for www.chinasoft.cn / chinasoft.cn.
# NOTE(review): server-level rewrite directives run before location matching, and the
# `rewrite ^/(.*)$ ... permanent` below matches every URI, so each request to this
# listener appears to be answered with a 301 to HTTPS and the location blocks
# underneath would never be reached - confirm.
server {
    listen 80;
    server_name     www.chinasoft.cn chinasoft.cn;
    # "main" is a named log_format; it has to be defined in the http context.
    access_log      /data/www/logs/nginx_log/access/chinasoft.cn_access.log main ;
    error_log       /data/www/logs/nginx_log/error/chinasoft.cn_error.log ;
    #root            /data/www/vhosts/chinasoft.cn/httpdocs ;
    index           index.html index.shtml index.php ;
    #include        rewrite.d/chinasoft.cn.conf ;
    error_page  404 403             /404.html;    


    rewrite ^/(.*)$ https://www.chinasoft.cn/$1 permanent;    # redirect to HTTPS

    location /favicon.ico{
        proxy_pass https://www.chinasoft.com;
    }

    location ~ ^/(middle|app|files|static|back)/ {
        # Forward the Host header the client asked for.
        proxy_set_header Host $host;
        # $remote_addr is the address of the peer connected to this nginx.
        proxy_set_header X-Real-Ip $remote_addr;
        # NOTE(review): X-Forwarded-For is not set in this location, so a value sent by
        # the client would be forwarded to the upstream unchanged (the 443 server
        # overwrites it with $remote_addr instead).
        # Rewrite the Domain attribute of upstream Set-Cookie headers from .com to .cn.
        proxy_cookie_domain www.chinasoft.com www.chinasoft.cn;
        proxy_pass https://www.chinasoft.com;
    }

    # Strip the /cn prefix with a permanent redirect.
    location /cn {
        rewrite ^/cn/(.*) /$1 permanent;
    }

    # original location, commented out
    #location / {
    #               proxy_cookie_domain www.chinasoft.com www.chinasoft.cn;
    #    proxy_pass https://www.chinasoft.com/cn/;
    #}

    # new configuration
    location / {
    # Directory on disk: keep the URI as it is and stop rewrite processing.
    if (-d $request_filename){
        rewrite (.*) $1 break;
    }
    # A file named <path>.html exists: serve it for the extension-less URI.
    if (-f $request_filename.html){
        rewrite (.*) $1.html break;
    }
    # Try the URI, then /index.html, then fall back to the named location @404.
    # NOTE(review): no `location @404` is visible in this server block - confirm it exists.
    try_files $uri /index.html @404;
    }

}

# First-layer proxy: TLS virtual host for www.chinasoft.cn / chinasoft.cn.
# Serves static templates from `root` and proxies selected paths to
# https://www.chinasoft.com (the second layer).
server {
    listen 443;
    server_name      www.chinasoft.cn chinasoft.cn;

    # NOTE(review): the standalone `ssl on;` directive is obsolete in newer nginx
    # releases; the replacement is the `ssl` parameter of `listen` (`listen 443 ssl;`).
    ssl                     on; 
    ssl_certificate         /usr/local/nginx/cert/geo-chinasoft.cn.crt;
    ssl_certificate_key     /usr/local/nginx/cert/geo-chinasoft.cn.key;

    # NOTE(review): TLSv1 and TLSv1.1 are deprecated protocol versions (RFC 8996);
    # keep them only if legacy clients are a confirmed requirement.
    ssl_protocols   TLSv1 TLSv1.1 TLSv1.2;

    # NOTE(review): the quoted cipher string is broken across three lines in this
    # listing (looks like terminal wrapping); it should be restored to a single line.
    # The list also still admits 3DES suites (DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA).
    ssl_ciphers     "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AE
    S256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!AES128-SHA256:!AES256-SHA256:!AES128-SHA:!AES256-SHA:AES:!CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:EDH-RSA-DES-CBC3
    -SHA:!KRB5-DES-CBC3-SHA";
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 10m;


    access_log      /data/www/logs/nginx_log/access/chinasoft.cn_access.log main ;
    error_log       /data/www/logs/nginx_log/error/chinasoft.cn_error.log ;
    root            /data/www/vhosts/chinasoft/chinasoft_web_html/converter_middle/templates/cn;
    index           index.html index.shtml index.php ;
    #include         rewrite.d/chinasoft.cn.conf ;
    error_page  404 403             /404.html;

    location /favicon.ico{
        proxy_set_header Host $host;
        # $remote_addr is the address of the peer connected to this nginx.
        proxy_set_header X-Real-Ip $remote_addr;
        # Setting X-Forwarded-For to $remote_addr replaces whatever value the client
        # sent, so the upstream only sees the address this edge proxy observed.
        proxy_set_header X-Forwarded-For $remote_addr; 
        proxy_pass https://www.chinasoft.com;
    }

    location ~ ^/(middle|app|files|back)/ {
        proxy_set_header Host $host;
        proxy_set_header X-Real-Ip $remote_addr;
        # Overwrites (does not append to) any client-supplied X-Forwarded-For.
        proxy_set_header X-Forwarded-For $remote_addr; 
        # Rewrite the Domain attribute of upstream Set-Cookie headers from .com to .cn.
        proxy_cookie_domain www.chinasoft.com www.chinasoft.cn;
        proxy_pass https://www.chinasoft.com;
    }

    # Strip the /cn prefix with a permanent redirect.
    location /cn {
        rewrite ^/cn/(.*) /$1 permanent;
    }

    # /static/... is read from <root>/static/... on local disk, not proxied.
    location /static {
        root /data/www/vhosts/chinasoft/chinasoft_web_html/converter_middle;
    }

    # original location, commented out
    #location / {
    #        proxy_cookie_domain www.chinasoft.com www.chinasoft.cn;
    #    proxy_pass https://www.chinasoft.com/cn/;
    #}

    # new configuration
    location / {
        # Directory on disk: keep the URI as it is and stop rewrite processing.
        if (-d $request_filename){
            rewrite (.*) $1 break;
        }
        # A file named <path>.html exists: serve it for the extension-less URI.
        if (-f $request_filename.html){
            rewrite (.*) $1.html break;
        }
        # Try the URI, then /index.html, then fall back to the named location @404.
        # NOTE(review): no `location @404` is visible in this server block - confirm it exists.
        try_files $uri /index.html @404;
    }

}

第二层代理:
[server02:~]# more /usr/local/nginx/conf/vhost.d/www.chinasoft.com.conf 
# Second-layer proxy: plain-HTTP virtual host for chinasoft.com / www.chinasoft.com.
# NOTE(review): the server-level `rewrite ^/(.*)$ ... permanent` near the end runs
# before location matching regardless of where it sits in the block, so the callback
# location below looks unreachable on this listener - confirm.
server {
        listen 80;
        server_name     chinasoft.com www.chinasoft.com ;
        access_log      /data/www/logs/nginx_log/access/www.chinasoft.com_access.log main ;
        error_log       /data/www/logs/nginx_log/error/www.chinasoft.com_error.log;
        root            /data/www/vhosts/chinasoft/chinasoft_web/web;
        index           index.html index.php ;
    include    rewrite.d/chinasoft.com.conf ;
    error_page  404 403             /404.html;    
        
        # `^~` is a prefix match that suppresses regex location checks for this path.
        location ^~ /middle/file/test-oss-callback {
            # $proxy_add_x_forwarded_for = incoming X-Forwarded-For with $remote_addr
            # appended; whatever the previous hop sent is kept at the front.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header REMOTE-HOST $remote_addr;
            # Copies the request's Authorization value into a header named HTTP_AUTHORIZATION.
            proxy_set_header HTTP_AUTHORIZATION $http_authorization;
            # Let the upstream's Server response header through to the client.
            proxy_pass_header Server;
            proxy_redirect off;
            # NOTE(review): the upstream is reached over plain http, and this listener is
            # plain http too; if the location is reachable, the copied Authorization value
            # is unencrypted on both hops. 1.1.1.1 looks like a redacted address - confirm.
            proxy_pass http://1.1.1.1:7980/middle/file/oss-callback;
        }

    rewrite ^/(.*)$ https://www.chinasoft.com/$1 permanent;    # redirect to HTTPS


}

# Second-layer proxy: TLS virtual host for www.chinasoft.com / chinasoft.com.
# Receives requests from the first layer (www.chinasoft.cn) as well as direct clients.
# NOTE(review): no set_real_ip_from / real_ip_header is visible here, so $remote_addr
# on this layer is presumably the first-layer proxy's address for proxied requests.
server {
        listen 443;
        server_name     www.chinasoft.com chinasoft.com;

        # NOTE(review): the standalone `ssl on;` directive is obsolete in newer nginx
        # releases; the replacement is the `ssl` parameter of `listen` (`listen 443 ssl;`).
        ssl                     on; 
        ssl_certificate         /usr/local/nginx/conf/cert2016/chinasoft_com.crt; 
        ssl_certificate_key     /usr/local/nginx/conf/cert2016/chinasoft_com.key; 
    # Diffie-Hellman parameters used by the DHE cipher suites.
    ssl_dhparam             /usr/local/nginx/conf/cert2016/dh_2048.pem;

    ssl_session_timeout     5m;
        # NOTE(review): TLSv1 and TLSv1.1 are deprecated protocol versions (RFC 8996);
        # keep them only if legacy clients are a confirmed requirement.
        ssl_protocols   TLSv1 TLSv1.1 TLSv1.2;

        # NOTE(review): the quoted cipher string is broken across three lines in this
        # listing (looks like terminal wrapping); it should be restored to a single line.
        # The list also still admits 3DES suites (DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA).
        ssl_ciphers     "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AE
S256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!AES128-SHA256:!AES256-SHA256:!AES128-SHA:!AES256-SHA:AES:!CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:EDH-RSA-DES-CBC3
-SHA:!KRB5-DES-CBC3-SHA";
        ssl_prefer_server_ciphers       on;

        gzip on;
        gzip_min_length 1k;
        gzip_buffers 4 16k;
        gzip_comp_level 5;
        gzip_types text/plain application/x-javascript text/css application/xml text/javascript;


        access_log      /data/www/logs/nginx_log/access/www.chinasoft.com_access.log main ;
        error_log       /data/www/logs/nginx_log/error/www.chinasoft.com_error.log ;
        root            /data/www/vhosts/chinasoft/chinasoft_web/web;
        index           index.html index.php ;
        
        include         rewrite.d/chinasoft.com.conf ;
    # 404 responses are handled by the named location @error404 below.
    error_page 404  @error404;
        location /cn { include  rewrite.d/chinasoft.cn.conf ; }


        # Pick the 404 page for the language prefix of the URI, else the default one.
        location @error404 {
           rewrite ^/(fr|de|it|es|pt|nl|hi|jp|ru|kr|id|ar|cn) /$1/404.html last;
           rewrite ^ /404.html last;
        }
        # URI ending in a bare language code: add the trailing slash with a 301.
        location ~ /(fr|de|it|es|pt|nl|hi|jp|ru|kr|id|ar|vn|tr|th|ro|zh-tw|cn)$ {
            rewrite ^/(.*)$ /$1/ permanent;
        }

        # `^~` is a prefix match that suppresses regex location checks for this path.
        location ^~ /middle/file/test-oss-callback {
            # $proxy_add_x_forwarded_for = incoming X-Forwarded-For with $remote_addr
            # appended; whatever the previous hop sent is kept at the front.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header REMOTE-HOST $remote_addr;
            # Copies the request's Authorization value into a header named HTTP_AUTHORIZATION.
            proxy_set_header HTTP_AUTHORIZATION $http_authorization;
            # Let the upstream's Server response header through to the client.
            proxy_pass_header Server;
            proxy_redirect off;
            proxy_pass http://127.0.0.1:7980/middle/file/test-oss-callback;
        }
       
        location ~ ^/(middle|app)/ {
        #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            #proxy_set_header REMOTE-HOST $remote_addr;
            #proxy_set_header HTTP_AUTHORIZATION $http_authorization;
            #proxy_pass_header Server;
        # NOTE(review): proxy_set_header only applies to proxied requests and no
        # proxy_pass is visible in this location (proxy_params is not shown) - confirm
        # these three headers have any effect here.
        proxy_set_header Host $host;
            proxy_set_header X-Real-Ip $remote_addr;
         # NOTE(review): on the second layer, overwriting X-Forwarded-For with
         # $remote_addr would discard the client address supplied by the first layer
         # and substitute the first-layer proxy's own address - confirm intent.
         proxy_set_header X-Forwarded-For $remote_addr;
            expires 1d;
            include proxy_params;
            # $flag collects "1" when the path is not a directory and "2" when it is
            # not a file; "21" therefore means neither exists on disk.
            if (!-d $request_filename){
                    set $flag 1$flag;
            }
            if (!-f $request_filename){
                    set $flag 2$flag;
            }
            # Nothing on disk: hand the request to the PHP front controller.
            if ($flag = "21"){
                    rewrite ^(.*)$ /index.php last;
            }
        }

        # NOTE(review): every URI ending in .php is passed to FastCGI with no existence
        # check in this block (e.g. `try_files $uri =404;`) - confirm the PHP side
        # refuses paths that do not map to a real script.
        location ~ \.php$ {    
            #fastcgi_pass 127.0.0.1:9000;
            fastcgi_pass   unix:/tmp/php-cgi.sock;
            fastcgi_index  index.php;
            fastcgi_read_timeout 600;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            include        fastcgi_params;
            expires -1;
    }
        # /static/... is read from <root>/static/... on local disk.
        location /static {
            root /data/www/vhosts/chinasoft/chinasoft_web_html/converter_middle;
        }
        location / {
        #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            #proxy_set_header REMOTE-HOST $remote_addr;
            #proxy_set_header HTTP_AUTHORIZATION $http_authorization;
            #proxy_pass_header Server;

       # NOTE(review): no proxy_pass is visible in this location, so these
       # proxy_set_header lines look inert; content is served from `root` below.
       proxy_set_header Host $host;
            proxy_set_header X-Real-Ip $remote_addr;
         proxy_set_header X-Forwarded-For $remote_addr;

            # Negative expiry plus Cache-Control: no-cache - responses are not to be cached.
            expires -10d;
            add_header Cache-Control no-cache;
            root /data/www/vhosts/chinasoft/chinasoft_web_html/converter_middle/templates;
            index index.html;
            # Directory on disk: keep the URI as it is and stop rewrite processing.
            if (-d $request_filename){
               rewrite (.*) $1 break;
            }
            # Not an existing file: append .html to the URI.
            if (!-f $request_filename){
               rewrite (.*) $1.html break;
            }
            # Try the URI, then /index.html, then fall back to @error404.
            try_files $uri /index.html @error404;
        }

}

nginx多层代理获取客户端的真实ip总结:

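1、编译Nginx时,添加http_realip_module模块。仅编译该模块不会生效,还需要用 set_real_ip_from 指定可信的上游代理地址、用 real_ip_header 指定取值的请求头(例如 X-Forwarded-For);set_real_ip_from 只应填写自己控制的代理地址,否则任何客户端都可以伪造来源ip。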

2、在nginx.conf文件中

在 proxy_pass xxxxxx 所在的 location 中添加下面三行:
# Forward the Host header the client asked for.
proxy_set_header   Host             $host;
# $remote_addr is the address of the peer directly connected to this nginx
# (the real client on the outermost layer, the previous proxy on inner layers).
proxy_set_header   X-Real-IP        $remote_addr;
# $proxy_add_x_forwarded_for is the incoming X-Forwarded-For with $remote_addr appended.
# On the outermost layer the incoming value comes from the client and is untrusted;
# use $remote_addr there (as the first-layer 443 config above does) so a forged value
# is discarded, and append with $proxy_add_x_forwarded_for only on inner layers.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

3、每一层nginx日志中打印的"$http_x_forwarded_for"就是真实客户端的ip地址(前提是该请求头由上一层可信代理写入;在直接面对用户的第一层,它是客户端自己发送的值,通常为空,也可能被伪造,此时应以 $remote_addr 为准)。
4、后台服务器获取真实的客户端ip地址:

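headers中的X-Forwarded-For选项中逗号前第一个ip就是真实客户端ip。注意:这只在最外层代理用 $remote_addr 覆盖该请求头时成立(如上面第一层443配置);如果最外层也使用 $proxy_add_x_forwarded_for,客户端自带的 X-Forwarded-For 会被保留在最前面,第一个ip可以被伪造,用于访问控制、限流或审计时应从右向左取第一个不属于可信代理的地址。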

日志中获取真实ip:  $http_x_forwarded_for 就是获取真实ip的变量

# Access-log format "main".
# Field 1, $remote_addr: address of the directly connected peer, as seen by nginx.
# Field 2, $http_x_forwarded_for: the X-Forwarded-For request header exactly as received;
# it is sender-supplied text, so treat it as untrusted unless a trusted proxy wrote it.
log_format main  '$remote_addr $http_x_forwarded_for - - [$time_local] - - "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_time ';

# more /usr/local/nginx/conf/rewrite.d/chinsoft.com.conf
# Permanently redirect /<path>/index.html and /<path>/indice.html to /<path>.
# NOTE(review): the "." before "(html)" is unescaped and matches any character, and the
# pattern has no trailing anchor; `\.` and `$` would restrict it to a literal ".html" suffix.
if ($request_uri ~ ^/(.*)/(index|indice).(html)) { rewrite ^/(.*)/(index|indice).(html) /$1 permanent;}

 
