tencent cloud


Method 1: Obtaining Real Client IPs Through Nginx

Last updated: 2023-09-11 17:42:15


    If the TCP protocol is used on the origin, it is recommended to add a Nginx server that supports Proxy Protocol V1/V2 in front of the application server to obtain real client IPs.
    If the TCP protocol is used on the origin, and you want to directly parse the real client IPs on the application server, please see Parsing Real Client IPs on Application Server.

    Deployment Mode

    As shown in the above diagram, you need to deploy a Nginx server in front of the application server to remove the Proxy Protocol field. You can collect the real client IPs by analyzing Nginx logs on the Nginx server. At this time, you can point the origin address to the Nginx service when you configure the origin address in the EdgeOne L4 proxy service.


    Step 1. Deploy Nginx service

    Please select a Nginx version corresponding to the Proxy Protocol version you want to use.
    For Proxy Protocol V1: Nginx Plus R11 and later versions, Nginx Open Source 1.11.4 and later versions.
    For Proxy Protocol V2: Nginx Plus R16 and later versions, Nginx Open Source 1.13.11 and later versions.
    For other Nginx versions, see Accepting the PROXY Protocol.
    You need to install Nginx-1.18.0 and the stream module to enable L4 proxy service on Nginx. See installation directions below.
    # Install the nginx build environment
    yum -y install gcc gcc-c++ autoconf automake
    yum -y install zlib zlib-devel openssl openssl-devel pcre-devel
    # Decompress the source package
    tar -zxvf nginx-1.18.0.tar.gz
    # Enter the directory
    cd nginx-1.18.0
    # Set nginx compilation and installation configuration (with `--with-stream`)
    ./configure --prefix=/opt/nginx --sbin-path=/opt/nginx/sbin/nginx --conf-path=/opt/nginx/conf/nginx.conf --with-http_stub_status_module --with-http_gzip_static_module --with-stream
    # Compilation
    # Installation
    make install

    Step 2: Configure the stream module in Nginx

    If you select Nginx-1.18.0, you can run the following command to open the configuration file nginx.conf.
    vi /opt/nginx/conf/nginx.conf
    Configuration of the stream module is as follows:
    stream {
    # Set the log format, where `proxy_protocol_addr` is the client address obtained by parsing the PP protocol, and `remote_addr` is the address of the previous hop.
    log_format basic '$proxy_protocol_addr -$remote_addr [$time_local] '
    '$protocol $bytes_sent $bytes_received '
    access_log logs/stream.access.log basic;
    # upstream configuration
    upstream RealServer {
    hash $remote_addr consistent;
    # is the IP address and port of the application server
    server max_fails=3 fail_timeout=30s;
    # server configuration
    server {
    # L4 listening port, which corresponds to the origin port configured in L4 proxy service. `proxy_protocol` is required to parse the PP protocol of incoming packets
    listen 10000 proxy_protocol;
    proxy_connect_timeout 1s;
    proxy_timeout 3s;
    proxy_pass RealServer;

    Step 3: Configure L4 proxy forwarding rule

    After configuring the Nginx service, you can modify the L4 proxy forwarding rule in the console. Change the origin address to the IP of the current Nginx service, and change the origin port to the L4 listening port configured in step 2. Select Proxy Protocol V1 or V2 for the Pass Client IP according to the forwarding protocol. For details, see Modifying L4 Proxy Forwarding Rules.

    Step 4: Simulate client requests and verify results

    You can build the TCP service, and simulate client requests on another server to verify the results. A sample is as below:
    1. Create an HTTP service with Python on the current server to simulate the TCP service.
    # Based on python2
    python2 -m SimpleHTTPServer 8888
    # Based on python3
    python3 -m http.server 8888
    2. Build a client request on another server, and simulate the TCP request with a curl request.
    # Initiate an HTTP request with curl, where the domain is the L4 proxy domain, and `8888` is the L4 proxy forwarding port
    curl -i "http://d42f15b7a9b47488.davidjli.xyz.acc.edgeonedy1.com:8888/"
    3. Check Nginx logs on the Nginx server:
    You can capture packets on the Nginx server and analyze the packets with Wireshark. After the TCP handshake is completed, the Proxy Protocol field is added in front of the first application data packet. Below is an example for Proxy Protocol V1. ① refers to the L4 proxy egress IP, ② refers to the Nginx server IP, ③ refers to the protocol version, ④ refers to the real client IP.
    Contact Us

    Contact our sales team or business advisors to help your business.

    Technical Support

    Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

    7x24 Phone Support