负载平衡器 – >清漆 – > Nginx

我现在头痛了几个小时，想看看有没有人可以帮忙。

1）我有一台负载均衡器，后端有6台服务器。

2）后台服务器是Nginx，为了获得访问者的真实IP地址，我只需要在每个Nginx安装中进行以下操作，我就可以得到每个访客的真实客户端IP地址。

set_real_ip_from 192.168.255.0/24; <-- to handle the load balancer IP real_ip_header X-Forwarded-For; 

3）现在，我已经在每个在127.0.0.1上执行caching的Nginx前安装了Varnish，由于某种原因，现在Nginx并没有看到来自LoadBalancer的实际客户端IP地址 – > Varnish – > Nginx

• 清漆会生病
• 如何禁用清漆X Forwarded For标题
• 基于客户端IP在负载均衡器后面清除ACL
• 光油需要多less内存？
• 清漆微caching

这是打印以下内容：

IP地址：192.168.255.9 < – 这应该是真正的客户端IP地址，而不是192.168（假设正在打印负载均衡器IP地址）

更详细的主机地址：192.168.255.9

很多谢谢，如果你能帮助。

戴夫

更新：

没有清漆的方程中，我有以下LB – > NGINX和NGINX内存在

 set_real_ip_from 192.168.255.0/24; real_ip_header X-Forwarded-For; 

当NGINXloggingremote_addr时，下面的第一个条目打印真实的客户端IP地址

 log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; 213.205.234.x - - [05/Sep/2012:09:42:08 -0700] "GET /2011/10/28/chicken-and-apples-in- honey-mustard-sauce/ HTTP/1.1" 200 18283 "-" "Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-I9100 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30" "213.205.234.x" 

用方程式LB – > Varnish – > NGINX

在NGINX中，我将set_real_ip_from切换到127.0.0.1

 set_real_ip_from 127.0.0.1; real_ip_header X-Forwarded-For; 

NGINX中的$ remote_addr不打印真实的客户端IP地址：

 192.168.255.9 - - [05/Sep/2012:09:46:41 -0700] "GET /2012/09/03/stuffed-baked-potatoes-deconstructed/ HTTP/1.1" 200 18159 "-" "Mozilla/5.0 (Linux; U; Android 2.2.1; en-us; ADR6400L Build/FRG83D) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1" "69.255.125.x, 192.168.255.9" 

从上面你可以看到，正在打印的$ remote_addr是负载均衡器的IP地址：192.168.255.9，而不是客户端的remote_addr。 虽然“$ http_x_forwarded_for”打印正确的地址我猜：“69.255.125.x，192.168.255.9”。 我的目标是让$ remote_addr保持正确的IP地址

谢谢戴夫

更新：

这是我的Varnish的default.vcl，注释了Shane提到的部分，这里是来自NGINX访问日志的当前输出

 127.0.0.1 - - [05/Sep/2012:11:16:43 -0700] "GET /wp-content/plugins/wp-pagenavi/pagenavi-css.css?ver=2.70 HTTP/1.1" 304 0 "http://mobilefoodblog.com/2011/10/28/chicken-and-apples-in-honey-mustard-sauce/" "Mozilla/5.0 (Linux; U; Android 2.3.5; en-us; SCH-I405 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1" "67.168.209.192, 192.168.255.9" # This is a basic VCL configuration file for varnish. See the vcl(7) # man page for details on VCL syntax and semantics. # # Default backend definition. Set this to point to your content # server. # backend default { .host = "localhost"; .port = "8080"; } sub detect_device { # Define the desktop device set req.http.X-Device = "desktop"; if (req.http.User-Agent ~ "iP(hone|od)" || req.http.User-Agent ~ "Android" || req.http.User-Agent ~ "iPad") { # Define smartphones and tablets set req.http.X-Device = "smart"; } elseif (req.http.User-Agent ~ "SymbianOS" || req.http.User-Agent ~ "^BlackBerry" || req.http.User-Agent ~ "^SonyEricsson" || req.http.User-Agent ~ "^Nokia" || req.http.User-Agent ~ "^SAMSUNG" || req.http.User-Agent ~ "^LG") { # Define every other mobile device set req.http.X-Device = "other"; } } acl purge { "localhost"; } sub vcl_recv { call detect_device; # if (req.restarts == 0) { # if (req.http.x-forwarded-for) { # set req.http.X-Forwarded-For = # req.http.X-Forwarded-For ", " client.ip; # } else { # set req.http.X-Forwarded-For = client.ip; # } # } if (req.request == "PURGE") { if (!client.ip ~ purge) { error 405 "Not allowed."; } return(lookup); } if (req.url ~ "^/$") { unset req.http.cookie; } } sub vcl_hit { if (req.request == "PURGE") { set obj.ttl = 0s; error 200 "Purged."; } } sub vcl_miss { if (req.request == "PURGE") { error 404 "Not in cache."; } if (!(req.url ~ "wp-(login|admin)")) { unset req.http.cookie; } if (req.url ~ "^/[^?]+.(jpeg|jpg|png|gif|ico|js|css|txt|gz|zip|lzma|bz2|tgz|tbz|html|htm)(\?.|)$") { unset req.http.cookie; set req.url = regsub(req.url, "\?.$", ""); } if (req.url ~ "^/$") { unset req.http.cookie; } } sub vcl_fetch { if (req.url ~ "^/$") { unset beresp.http.set-cookie; } if (!(req.url ~ "wp-(login|admin)")) { unset beresp.http.set-cookie; } } sub vcl_hash { set req.hash += req.url; if (req.http.host) { set req.hash += req.http.host; } else { set req.hash += server.ip; } # And then add the device to the hash (if its a mobile device) if (req.http.X-Device ~ "smart" || req.http.X-Device ~ "other") { set req.hash += req.http.X-Device; } return (hash); } 

 set_real_ip_from 192.168.255.0/24; 

 set_real_ip_from 127.0.0.1; 

 if (req.restarts == 0) { if (req.http.x-forwarded-for) { set req.http.X-Forwarded-For = req.http.X-Forwarded-For + ", " + client.ip; } else { set req.http.X-Forwarded-For = client.ip; } } 

 sub vcl_recv { call detect_device; if (req.request == "PURGE") { if (!client.ip ~ purge) { error 405 "Not allowed."; } return(lookup); } if (req.url ~ "^/$") { unset req.http.cookie; } # Default logic follows; it's normally appended. # It'll still be appended, but having the return(lookup) # prevents its use. X-Forward-For header behavior removed. if (req.request != "GET" && req.request != "HEAD" && req.request != "PUT" && req.request != "POST" && req.request != "TRACE" && req.request != "OPTIONS" && req.request != "DELETE") { /* Non-RFC2616 or CONNECT which is weird. */ return (pipe); } if (req.request != "GET" && req.request != "HEAD") { /* We only deal with GET and HEAD by default */ return (pass); } if (req.http.Authorization || req.http.Cookie) { /* Not cacheable by default */ return (pass); } return (lookup); } 

 sub vcl_recv { ... set req.http.X-Forwarded-For = req.http.X-Forwarded-For; 

 server { ... set_real_ip_from 192.168.255.0/24; real_ip_header X-Forwarded-For;