在nginx访问日志中将本地Varnish IP附加到真实IP

我在web服务器上使用Varnish+nginx，我试图在access.log中获得访问我网站的用户的真实IP，我能够让它工作，但出于某种原因，我的本地IP（Varnish运行的源IP）也被附加到日志条目中，如下所示：

1.2.3.4, 127.0.0.1 - - [08/Oct/2020:10:39:39 +0100] "GET / HTTP/1.1" 200 488 "https://website.com/example" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36"

其中

1.2.3.4

是真正的IP

我尝试将

set_real_ip_from

和

real_ip_header

添加到我的服务器块nginx配置中，但似乎没有帮助。以下是我使用的日志格式：

log_format  main  '$http_x_forwarded_for - $remote_user [$time_local] ' '"$request" $status $body_bytes_sent "$http_referer" ' '"$http_user_agent"';

这是我的网站配置：

website.conf

server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;

    server_name website.com;

    ssl_certificate      /etc/letsencrypt/live/website.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/website.com/privkey.pem;

    location / {
       proxy_pass http://127.0.0.1;
       proxy_set_header Host               $http_host;
       proxy_set_header X-Forwarded-Host   $http_host;
       proxy_set_header X-Real-IP          $remote_addr;
       proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
       proxy_set_header X-Forwarded-Proto  https;
       proxy_set_header X-Forwarded-Port   443;
       proxy_buffer_size                   128k;
       proxy_buffers                       4 256k;
       proxy_busy_buffers_size             256k;
       fastcgi_buffer_size                 32k;
       fastcgi_buffers                     4 32k;
   }
}

server {
    listen [::]:8080;
    listen 8080;

    server_name website.com;

    set $MAGE_ROOT /home/website/htdocs;

    root $MAGE_ROOT/pub;

    index index.php;
    autoindex off;
    charset UTF-8;

    access_log /home/website/logs/access.log main;
    error_log /home/website/logs/error.log warn;

    set_real_ip_from 127.0.0.1;
    real_ip_header X-Real-IP;
    real_ip_recursive on;

    location /.user.ini {
        deny all;
    }

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location /pub/ {
        location ~ ^/pub/media/(downloadable|customer|import|custom_options|theme_customization/.*\.xml) {
            deny all;
        }

        alias $MAGE_ROOT/pub/;
        add_header X-Frame-Options "SAMEORIGIN";
    }

    location /static/ {
        expires max;

        location ~ ^/static/version {
            rewrite ^/static/(version\d*/)?(.*)$ /static/$2 last;
        }

        location ~* \.(ico|jpg|jpeg|png|gif|svg|js|css|swf|eot|ttf|otf|woff|woff2|html|json)$ {
            add_header Cache-Control "public";
            add_header X-Frame-Options "SAMEORIGIN";
            expires +1y;

            if (!-f $request_filename) {
                rewrite ^/static/(version\d*/)?(.*)$ /static.php?resource=$2 last;
            }
        }

        location ~* \.(zip|gz|gzip|bz2|csv|xml)$ {
            add_header Cache-Control "no-store";
            add_header X-Frame-Options "SAMEORIGIN";
            expires    off;

            if (!-f $request_filename) {
               rewrite ^/static/(version\d*/)?(.*)$ /static.php?resource=$2 last;
            }
        }

        if (!-f $request_filename) {
            rewrite ^/static/(version\d*/)?(.*)$ /static.php?resource=$2 last;
        }

        add_header X-Frame-Options "SAMEORIGIN";
    }

    location /media/ {
        try_files $uri $uri/ /get.php$is_args$args;

        location ~ ^/media/theme_customization/.*\.xml {
            deny all;
        }

        location ~* \.(ico|jpg|jpeg|png|gif|svg|js|css|swf|eot|ttf|otf|woff|woff2)$ {
            add_header Cache-Control "public";
            add_header X-Frame-Options "SAMEORIGIN";
            expires +1y;
            try_files $uri $uri/ /get.php$is_args$args;
        }

        location ~* \.(zip|gz|gzip|bz2|csv|xml)$ {
            add_header Cache-Control "no-store";
            add_header X-Frame-Options "SAMEORIGIN";
            expires    off;
            try_files $uri $uri/ /get.php$is_args$args;
        }

        add_header X-Frame-Options "SAMEORIGIN";
    }

    location /media/customer/ {
        deny all;
    }

    location /media/downloadable/ {
        deny all;
    }

    location /media/import/ {
        deny all;
    }

    location /media/custom_options/ {
        deny all;
    }

    location /errors/ {
        location ~* \.xml$ {
            deny all;
        }
    }

    location ~ ^/(index|get|static|errors/report|errors/404|errors/503|health_check)\.php$ {
        try_files $uri =404;
        fastcgi_pass   unix:/run/php/php7.3-fpm.sock;
        fastcgi_buffers 16 16k;
        fastcgi_buffer_size 32k;

        fastcgi_param  PHP_FLAG  "session.auto_start=off \n suhosin.session.cryptua=off";
        fastcgi_param  PHP_VALUE "memory_limit=1024M \n max_execution_time=18000";
        fastcgi_read_timeout 600s;
        fastcgi_connect_timeout 600s;

        add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";

        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }

    location ~* (\.php$|\.phtml$|\.htaccess$|\.git) {
        deny all;
    }

    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /home/medialounge/letsencrypt;
    }
}

Varnish正在监听端口80，这是我正在使用的VCL配置，以防万一：

# VCL version 5.0 is not supported so it should be 4.0 even though actually used Varnish version is 6
vcl 4.0;

import std;
# The minimal Varnish version is 6.0
# For SSL offloading, pass the following header in your proxy server or load balancer: 'X-Forwarded-Proto: https'

backend default {
    .host = "localhost";
    .port = "8080";
    .first_byte_timeout = 600s;
    .probe = {
        .url = "/health_check.php";
        .timeout = 2s;
        .interval = 5s;
        .window = 10;
        .threshold = 5;
   }
}

acl purge {
    "localhost";
}

sub vcl_recv {
    if (req.method == "PURGE") {
        if (client.ip !~ purge) {
            return (synth(405, "Method not allowed"));
        }
        # To use the X-Pool header for purging varnish during automated deployments, make sure the X-Pool header
        # has been added to the response in your backend server config. This is used, for example, by the
        # capistrano-magento2 gem for purging old content from varnish during it's deploy routine.
        if (!req.http.X-Magento-Tags-Pattern && !req.http.X-Pool) {
            return (synth(400, "X-Magento-Tags-Pattern or X-Pool header required"));
        }
        if (req.http.X-Magento-Tags-Pattern) {
          ban("obj.http.X-Magento-Tags ~ " + req.http.X-Magento-Tags-Pattern);
        }
        if (req.http.X-Pool) {
          ban("obj.http.X-Pool ~ " + req.http.X-Pool);
        }
        return (synth(200, "Purged"));
    }

    if (req.method != "GET" &&
        req.method != "HEAD" &&
        req.method != "PUT" &&
        req.method != "POST" &&
        req.method != "TRACE" &&
        req.method != "OPTIONS" &&
        req.method != "DELETE") {
          /* Non-RFC2616 or CONNECT which is weird. */
          return (pipe);
    }

    # We only deal with GET and HEAD by default
    if (req.method != "GET" && req.method != "HEAD") {
        return (pass);
    }

    # Bypass shopping cart, checkout and search requests
    if (req.url ~ "/checkout" || req.url ~ "/catalogsearch") {
        return (pass);
    }

    # Bypass health check requests
    if (req.url ~ "/pub/health_check.php") {
        return (pass);
    }

    # Set initial grace period usage status
    set req.http.grace = "none";

    # normalize url in case of leading HTTP scheme and domain
    set req.url = regsub(req.url, "^http[s]?://", "");

    # collect all cookies
    std.collect(req.http.Cookie);

    # Compression filter. See https://www.varnish-cache.org/trac/wiki/FAQ/Compression
    if (req.http.Accept-Encoding) {
        if (req.url ~ "\.(jpg|jpeg|png|gif|gz|tgz|bz2|tbz|mp3|ogg|swf|flv)$") {
            # No point in compressing these
            unset req.http.Accept-Encoding;
        } elsif (req.http.Accept-Encoding ~ "gzip") {
            set req.http.Accept-Encoding = "gzip";
        } elsif (req.http.Accept-Encoding ~ "deflate" && req.http.user-agent !~ "MSIE") {
            set req.http.Accept-Encoding = "deflate";
        } else {
            # unknown algorithm
            unset req.http.Accept-Encoding;
        }
    }

    # Remove all marketing get parameters to minimize the cache objects
    if (req.url ~ "(\?|&)(gclid|cx|ie|cof|siteurl|zanpid|origin|fbclid|mc_[a-z]+|utm_[a-z]+|_bta_[a-z]+)=") {
        set req.url = regsuball(req.url, "(gclid|cx|ie|cof|siteurl|zanpid|origin|fbclid|mc_[a-z]+|utm_[a-z]+|_bta_[a-z]+)=[-_A-z0-9+()%.]+&?", "");
        set req.url = regsub(req.url, "[?|&]+$", "");
    }

    # Static files caching
    if (req.url ~ "^/(pub/)?(media|static)/") {
        # Static files should not be cached by default
        #return (pass);

        # But if you use a few locales and don't use CDN you can enable caching static files by commenting previous line (#return (pass);) and uncommenting next 3 lines
        unset req.http.Https;
        unset req.http.X-Forwarded-Proto;
        unset req.http.Cookie;
    }

    return (hash);
}

sub vcl_hash {
    if (req.http.cookie ~ "X-Magento-Vary=") {
        hash_data(regsub(req.http.cookie, "^.*?X-Magento-Vary=([^;]+);*.*$", "\1"));
    }

    # For multi site configurations to not cache each other's content
    if (req.http.host) {
        hash_data(req.http.host);
    } else {
        hash_data(server.ip);
    }

    # To make sure http users don't see ssl warning
    if (req.http.X-Forwarded-Proto) {
        hash_data(req.http.X-Forwarded-Proto);
    }


    if (req.url ~ "/graphql") {
        call process_graphql_headers;
    }
}

sub process_graphql_headers {
    if (req.http.Store) {
        hash_data(req.http.Store);
    }
    if (req.http.Content-Currency) {
        hash_data(req.http.Content-Currency);
    }
}

sub vcl_backend_response {

    set beresp.grace = 3d;

    if (beresp.http.content-type ~ "text") {
        set beresp.do_esi = true;
    }

    if (bereq.url ~ "\.js$" || beresp.http.content-type ~ "text") {
        set beresp.do_gzip = true;
    }

    if (beresp.http.X-Magento-Debug) {
        set beresp.http.X-Magento-Cache-Control = beresp.http.Cache-Control;
    }

    # cache only successfully responses and 404s
    if (beresp.status != 200 && beresp.status != 404) {
        set beresp.ttl = 0s;
        set beresp.uncacheable = true;
        return (deliver);
    } elsif (beresp.http.Cache-Control ~ "private") {
        set beresp.uncacheable = true;
        set beresp.ttl = 86400s;
        return (deliver);
    }

    # validate if we need to cache it and prevent from setting cookie
    if (beresp.ttl > 0s && (bereq.method == "GET" || bereq.method == "HEAD")) {
        unset beresp.http.set-cookie;
    }

   # If page is not cacheable then bypass varnish for 2 minutes as Hit-For-Pass
   if (beresp.ttl <= 0s ||
       beresp.http.Surrogate-control ~ "no-store" ||
       (!beresp.http.Surrogate-Control &&
       beresp.http.Cache-Control ~ "no-cache|no-store") ||
       beresp.http.Vary == "*") {
        # Mark as Hit-For-Pass for the next 2 minutes
        set beresp.ttl = 120s;
        set beresp.uncacheable = true;
    }

    return (deliver);
}

sub vcl_deliver {
    if (resp.http.X-Magento-Debug) {
        if (resp.http.x-varnish ~ " ") {
            set resp.http.X-Magento-Cache-Debug = "HIT";
            set resp.http.Grace = req.http.grace;
        } else {
            set resp.http.X-Magento-Cache-Debug = "MISS";
        }
    } else {
        unset resp.http.Age;
    }

    # Not letting browser to cache non-static files.
    if (resp.http.Cache-Control !~ "private" && req.url !~ "^/(pub/)?(media|static)/") {
        set resp.http.Pragma = "no-cache";
        set resp.http.Expires = "-1";
        set resp.http.Cache-Control = "no-store, no-cache, must-revalidate, max-age=0";
    }

    unset resp.http.X-Magento-Debug;
    unset resp.http.X-Magento-Tags;
    unset resp.http.X-Powered-By;
    unset resp.http.Server;
    unset resp.http.X-Varnish;
    unset resp.http.Via;
    unset resp.http.Link;
}

sub vcl_hit {
    if (obj.ttl >= 0s) {
        # Hit within TTL period
        return (deliver);
    }
    if (std.healthy(req.backend_hint)) {
        if (obj.ttl + 300s > 0s) {
            # Hit after TTL expiration, but within grace period
            set req.http.grace = "normal (healthy server)";
            return (deliver);
        } else {
            # Hit after TTL and grace expiration
            return (restart);
        }
    } else {
        # server is not healthy, retrieve from cache
        set req.http.grace = "unlimited (unhealthy server)";
        return (deliver);
    }
}

不支持VCL版本5.0，因此它应该是4.0，即使实际使用的版本是6 vcl4.0； 进口性病； #最低的清漆版本是6.0 #对于SSL卸载，请在代理服务器或负载平衡器中传递以下标头：“X-Forwarded-Proto:https” 后端默认值{ .host=“localhost”； .port=“8080”； .第一字节超时=600s； .probe={ .url=“/health\u check.php”； .超时=2s； .间隔=5s； .window=10； .阈值=5； } } acl清除{ “本地主机”； } 子vcl_recv{ 如果（请求方法==“清除”）{ 如果（client.ip！~purge）{ 返回（synth（405，“不允许使用方法”）； } #要在自动部署期间使用X-Pool标头清除清漆，请确保X-Pool标头 #已添加到后端服务器配置中的响应中。例如 #capistrano-magento2 gem，用于在部署例程期间从varnish中清除旧内容。 if（！req.http.X-Magento-Tags-Pattern&&！req.http.X-Pool）{ 返回（synth（400，“需要X-Magento-Tags-Pattern或X-Pool标头”）； } if（请求http.X-Magento-Tags-Pattern）{ ban（“obj.http.X-Magento-Tags~”+req.http.X-Magento-Tags-Pattern）； } if（请求http.X-Pool）{ ban（“obj.http.X-Pool~”+req.http.X-Pool）； } 返回（synth（200，“净化”）； } 如果（请求方法！=“获取”&& 请求方法！=“头”&& 请求方法！=“放置”&& 请求方法！=“POST”&& 请求方法！=“跟踪”&& 请求方法！=“选项”&& 请求方法！=“删除”）{ /*非RFC2616或连接，这很奇怪*/ 回流管； } #默认情况下，我们只处理GET和HEAD 如果（请求方法！=“GET”&&req方法！=“HEAD”）{ 返回（通行证）； } #绕过购物车、结帐和搜索请求 if（req.url~“/checkout”| | req.url~“/catalogsearch”）{ 返回（通行证）； } #绕过健康检查请求 if（req.url~“/pub/health\u check.php”）{ 返回（通行证）； } #设置初始宽限期使用状态 设置req.http.grace=“无”； #在领先的HTTP方案和域的情况下规范url 设置req.url=regsub（req.url“^http[s]？：/”，”）； #收集所有饼干 std.collect（请求http.Cookie）； #压缩过滤器。请参阅https://www.varnish-cache.org/trac/wiki/FAQ/Compression if（请求http接受编码）{ 如果（req.url~“\（jpg | jpeg | png | gif | gz | tgz | bz2 | tbz | mp3 | ogg | swf | flv）$”）{ #压缩这些没有意义 unset req.http.Accept-Encoding； }elsif（req.http.Accept-Encoding~“gzip”）{ 设置req.http.Accept-Encoding=“gzip”； }elsif（req.http.Accept-Encoding~“deflate”&&req.http.user-agent！~“MSIE”）{ 设置req.http.Accept-Encoding=“deflate”； }否则{ #未知算法 unset req.http.Accept-Encoding； } } #删除所有参数以最小化缓存对象 如果（req.url-“（\？|&）（gclid | cx | ie | cof | siteurl | zanpid | origin | fbclid | mc|[a-z]+| utm|[a-z]+| u bta|[a-z]+）=”）{ set req.url=regsuball（req.url，“（gclid | cx | ie | cof | siteurl | zanpid | origin | fbclid | mc |[a-z]+| utm |[a-z]+）=[-_a-z0-9+（）%.+&]，”； 设置req.url=regsub（req.url，[？|&]+$，“”）； } #静态文件缓存 如果（req.url~“^/（pub/）？（媒体|静态）/”）{ #默认情况下不应缓存静态文件 #返回（通行证）； #但是，如果您使用一些区域设置而不使用CDN，则可以通过注释前一行（#return（pass）；）和取消注释后3行来启用静态文件的缓存 unset req.http.Https； unset req.http.X-Forwarded-Proto； unset req.http.Cookie； } 返回（散列）； } 子vcl_散列{ 如果（req.http.cookie~“X-Magento-Vary=”）{ 散列数据（regsub（req.http.cookie，“^.*？”X-Magento-Vary=（[^；]+）；****$”，“\1”）； } #多站点配置不缓存彼此的内容 if（req.http.host）{ 散列数据（请求http.host）； }否则{ 散列数据（server.ip）； } #确保http用户看不到ssl警告 if（请求http.X-Forwarded-Proto）{ 哈希_数据（请求http.X-Forwarded-Proto）； } if（req.url~“/graphql”）{ 调用进程\图形\标题； } } 子进程\图形\标题{ if（req.http.Store）{ 散列数据（请求http存储）； } if（请求http内容货币）{ 散列数据（请求http内容货币）； } } 子vcl_后端_响应{ 设置beresp.grace=3d； if（beresp.http.content-type~“text”）{ 设置beresp.do_esi=true； } if（bereq.url~“\.js$”| | beresp.http.content-type~“text”）{ 设置beresp.do_gzip=true； } if（beresp.http.X-Magento-Debug）{ 设置beresp.http.X-Magento-Cache-Control=beresp.http.Cache-Control； } #仅缓存成功的响应和404 如果（beresp.status！=200&&beresp.status！=404）{ 设置beresp.ttl=0s； 设置beresp.uncacheable=true； 归还（交付）； }埃尔西夫（ber）

    log_format  main  '$remote_addr - $remote_user [$time_local] ' '"$request" $status $body_bytes_sent "$http_referer" ' '"$http_user_agent"';
    set_real_ip_from 127.0.0.1;
    real_ip_header X-Real-IP;
    real_ip_recursive on;