Can X-Real-IP be set when using Proxy Protocol?

Problem description:

My setup is as follows:

Load Balancer → nginx → Traefik

The load balancer in place does not support Proxy Protocol. Instead it adds the real IP of the client to the TCP options field (yikes, I know! Details). That's something Traefik does not support.

To get the real IP to Traefik, I added an nginx in between that does nothing more than accepting connections on ports 80 and 443 and adding Proxy Protocol when using SSL. Traefik is configured for Proxy Protocol. Things work as expected.

However I'd like to set the X-Real-IP header to the correct IP when Proxy Protocol is used. When I try setting the header manually through curl, that one is used, so clients can overwrite it.

How can I tell Traefik to always set X-Real-IP to the IP as advised by Proxy Protocol?

I solved my problem and can see more clearly now. It depends on which node in your configuration (Load Balancer → nginx → Traefik) terminates the client's request. In my setup (Load Balancer → Traefik) the Load Balancer uses NATing to send the request to the Traefik. Traefik then takes the client's request and sends a new request to the corresponding backend. So I had to configure Traefik to never trust the X-Real-Ip header but always set the request's source IP in the X-Real-Ip header. Configuration is something like this:

    [entryPoints.http.proxyProtocol]
      insecure = true
      trustedIPs = ["10.10.10.1", "10.10.10.2"]
    [entryPoints.http.forwardedHeaders]
      trustedIPs = ["10.10.10.1", "10.10.10.2"]

The mostly found configuration (I think) would be that the Load Balancer takes the client's request and then sends a new request to nginx (reverse proxy load balancer). In this case the Load Balancer must set the X-Real-Ip Header, nginx must propagate the header to Traefik and Traefik must be configured to trust nginx as source for the X-Real-Ip header.
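A simplified model of the trust decision discussed above, as an added example that is not part of the original posts and not Traefik's own code. The function and parameter names are hypothetical, 10.10.10.1 is taken from the configuration above, the other addresses are constructed documentation-range values, and nginx is assumed to relay the connection without rewriting headers.

```python
import ipaddress

def _is_trusted(peer_ip, trusted):
    """True if peer_ip falls inside any address or CIDR range in `trusted`."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in trusted)

def real_ip_header(peer_ip, headers, pp_source=None,
                   trusted_pp=(), trusted_headers=()):
    """Return the X-Real-Ip value to forward to the backend (hypothetical model).

    peer_ip         -- TCP source address of the connection the proxy accepted
    headers         -- inbound HTTP request headers
    pp_source       -- client address announced via Proxy Protocol, if any
    trusted_pp      -- peers allowed to announce a Proxy Protocol address
    trusted_headers -- peers whose X-Real-Ip header is kept as-is
    """
    # Connection level: believe the Proxy Protocol address only from a trusted peer.
    source = peer_ip
    if pp_source is not None and _is_trusted(peer_ip, trusted_pp):
        source = pp_source
    # Header level: keep an inbound X-Real-Ip only when the peer is trusted
    # for forwarded headers and the value parses as an IP address.
    inbound = {k.lower(): v for k, v in headers.items()}.get("x-real-ip")
    if inbound is not None and _is_trusted(peer_ip, trusted_headers):
        try:
            return str(ipaddress.ip_address(inbound.strip()))
        except ValueError:
            pass  # malformed value: fall through to the connection source
    return source

# Constructed sample values: nginx at 10.10.10.1 (from the config above),
# real client 203.0.113.7, client-supplied header value 198.51.100.9.
NGINX, CLIENT = "10.10.10.1", "203.0.113.7"
SPOOFED = {"X-Real-IP": "198.51.100.9"}

def scenarios():
    return {
        # nginx only relays TCP, so the header still comes from the client:
        # trusting nginx for headers keeps the client's value.
        "passthrough, headers trusted": real_ip_header(
            NGINX, SPOOFED, CLIENT, trusted_pp=[NGINX], trusted_headers=[NGINX]),
        # Same topology, Proxy Protocol trusted but headers not: overwritten.
        "passthrough, headers untrusted": real_ip_header(
            NGINX, SPOOFED, CLIENT, trusted_pp=[NGINX]),
        # Unknown peer: neither its Proxy Protocol address nor its header counts.
        "untrusted peer": real_ip_header("192.0.2.50", SPOOFED, CLIENT, trusted_pp=[NGINX]),
    }

if __name__ == "__main__":
    for name, value in scenarios().items():
        print(f"{name}: {value}")
```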