在nginx访问日志中将本地Varnish IP附加到真实IP
我在web服务器上使用Varnish+nginx,我试图在access.log中获得访问我网站的用户的真实IP,我能够让它工作,但出于某种原因,我的本地IP(Varnish运行的源IP)也被附加到日志条目中,如下所示:在nginx访问日志中将本地Varnish IP附加到真实IP,nginx,logging,varnish,nginx-reverse-proxy,Nginx,Logging,Varnish,Nginx Reverse Proxy,我在web服务器上使用Varnish+nginx,我试图在access.log中获得访问我网站的用户的真实IP,我能够让它工作,但出于某种原因,我的本地IP(Varnish运行的源IP)也被附加到日志条目中,如下所示: 1.2.3.4, 127.0.0.1 - - [08/Oct/2020:10:39:39 +0100] "GET / HTTP/1.1" 200 488 "https://website.com/example" "Mozilla
1.2.3.4, 127.0.0.1 - - [08/Oct/2020:10:39:39 +0100] "GET / HTTP/1.1" 200 488 "https://website.com/example" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36"
其中1.2.3.4
是真正的IP
我尝试将set_real_ip_from
和real_ip_header
添加到我的服务器块nginx配置中,但似乎没有帮助。以下是我使用的日志格式:
log_format main '$http_x_forwarded_for - $remote_user [$time_local] ' '"$request" $status $body_bytes_sent "$http_referer" ' '"$http_user_agent"';
这是我的网站配置:
website.conf
server {
listen [::]:443 ssl http2;
listen 443 ssl http2;
server_name website.com;
ssl_certificate /etc/letsencrypt/live/website.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/website.com/privkey.pem;
location / {
proxy_pass http://127.0.0.1;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 443;
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
fastcgi_buffer_size 32k;
fastcgi_buffers 4 32k;
}
}
server {
listen [::]:8080;
listen 8080;
server_name website.com;
set $MAGE_ROOT /home/website/htdocs;
root $MAGE_ROOT/pub;
index index.php;
autoindex off;
charset UTF-8;
access_log /home/website/logs/access.log main;
error_log /home/website/logs/error.log warn;
set_real_ip_from 127.0.0.1;
real_ip_header X-Real-IP;
real_ip_recursive on;
location /.user.ini {
deny all;
}
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
location /pub/ {
location ~ ^/pub/media/(downloadable|customer|import|custom_options|theme_customization/.*\.xml) {
deny all;
}
alias $MAGE_ROOT/pub/;
add_header X-Frame-Options "SAMEORIGIN";
}
location /static/ {
expires max;
location ~ ^/static/version {
rewrite ^/static/(version\d*/)?(.*)$ /static/$2 last;
}
location ~* \.(ico|jpg|jpeg|png|gif|svg|js|css|swf|eot|ttf|otf|woff|woff2|html|json)$ {
add_header Cache-Control "public";
add_header X-Frame-Options "SAMEORIGIN";
expires +1y;
if (!-f $request_filename) {
rewrite ^/static/(version\d*/)?(.*)$ /static.php?resource=$2 last;
}
}
location ~* \.(zip|gz|gzip|bz2|csv|xml)$ {
add_header Cache-Control "no-store";
add_header X-Frame-Options "SAMEORIGIN";
expires off;
if (!-f $request_filename) {
rewrite ^/static/(version\d*/)?(.*)$ /static.php?resource=$2 last;
}
}
if (!-f $request_filename) {
rewrite ^/static/(version\d*/)?(.*)$ /static.php?resource=$2 last;
}
add_header X-Frame-Options "SAMEORIGIN";
}
location /media/ {
try_files $uri $uri/ /get.php$is_args$args;
location ~ ^/media/theme_customization/.*\.xml {
deny all;
}
location ~* \.(ico|jpg|jpeg|png|gif|svg|js|css|swf|eot|ttf|otf|woff|woff2)$ {
add_header Cache-Control "public";
add_header X-Frame-Options "SAMEORIGIN";
expires +1y;
try_files $uri $uri/ /get.php$is_args$args;
}
location ~* \.(zip|gz|gzip|bz2|csv|xml)$ {
add_header Cache-Control "no-store";
add_header X-Frame-Options "SAMEORIGIN";
expires off;
try_files $uri $uri/ /get.php$is_args$args;
}
add_header X-Frame-Options "SAMEORIGIN";
}
location /media/customer/ {
deny all;
}
location /media/downloadable/ {
deny all;
}
location /media/import/ {
deny all;
}
location /media/custom_options/ {
deny all;
}
location /errors/ {
location ~* \.xml$ {
deny all;
}
}
location ~ ^/(index|get|static|errors/report|errors/404|errors/503|health_check)\.php$ {
try_files $uri =404;
fastcgi_pass unix:/run/php/php7.3-fpm.sock;
fastcgi_buffers 16 16k;
fastcgi_buffer_size 32k;
fastcgi_param PHP_FLAG "session.auto_start=off \n suhosin.session.cryptua=off";
fastcgi_param PHP_VALUE "memory_limit=1024M \n max_execution_time=18000";
fastcgi_read_timeout 600s;
fastcgi_connect_timeout 600s;
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
location ~* (\.php$|\.phtml$|\.htaccess$|\.git) {
deny all;
}
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
root /home/medialounge/letsencrypt;
}
}
Varnish正在监听端口80,这是我正在使用的VCL配置,以防万一:
# VCL version 5.0 is not supported so it should be 4.0 even though actually used Varnish version is 6
vcl 4.0;
import std;
# The minimal Varnish version is 6.0
# For SSL offloading, pass the following header in your proxy server or load balancer: 'X-Forwarded-Proto: https'
backend default {
.host = "localhost";
.port = "8080";
.first_byte_timeout = 600s;
.probe = {
.url = "/health_check.php";
.timeout = 2s;
.interval = 5s;
.window = 10;
.threshold = 5;
}
}
acl purge {
"localhost";
}
sub vcl_recv {
if (req.method == "PURGE") {
if (client.ip !~ purge) {
return (synth(405, "Method not allowed"));
}
# To use the X-Pool header for purging varnish during automated deployments, make sure the X-Pool header
# has been added to the response in your backend server config. This is used, for example, by the
# capistrano-magento2 gem for purging old content from varnish during it's deploy routine.
if (!req.http.X-Magento-Tags-Pattern && !req.http.X-Pool) {
return (synth(400, "X-Magento-Tags-Pattern or X-Pool header required"));
}
if (req.http.X-Magento-Tags-Pattern) {
ban("obj.http.X-Magento-Tags ~ " + req.http.X-Magento-Tags-Pattern);
}
if (req.http.X-Pool) {
ban("obj.http.X-Pool ~ " + req.http.X-Pool);
}
return (synth(200, "Purged"));
}
if (req.method != "GET" &&
req.method != "HEAD" &&
req.method != "PUT" &&
req.method != "POST" &&
req.method != "TRACE" &&
req.method != "OPTIONS" &&
req.method != "DELETE") {
/* Non-RFC2616 or CONNECT which is weird. */
return (pipe);
}
# We only deal with GET and HEAD by default
if (req.method != "GET" && req.method != "HEAD") {
return (pass);
}
# Bypass shopping cart, checkout and search requests
if (req.url ~ "/checkout" || req.url ~ "/catalogsearch") {
return (pass);
}
# Bypass health check requests
if (req.url ~ "/pub/health_check.php") {
return (pass);
}
# Set initial grace period usage status
set req.http.grace = "none";
# normalize url in case of leading HTTP scheme and domain
set req.url = regsub(req.url, "^http[s]?://", "");
# collect all cookies
std.collect(req.http.Cookie);
# Compression filter. See https://www.varnish-cache.org/trac/wiki/FAQ/Compression
if (req.http.Accept-Encoding) {
if (req.url ~ "\.(jpg|jpeg|png|gif|gz|tgz|bz2|tbz|mp3|ogg|swf|flv)$") {
# No point in compressing these
unset req.http.Accept-Encoding;
} elsif (req.http.Accept-Encoding ~ "gzip") {
set req.http.Accept-Encoding = "gzip";
} elsif (req.http.Accept-Encoding ~ "deflate" && req.http.user-agent !~ "MSIE") {
set req.http.Accept-Encoding = "deflate";
} else {
# unknown algorithm
unset req.http.Accept-Encoding;
}
}
# Remove all marketing get parameters to minimize the cache objects
if (req.url ~ "(\?|&)(gclid|cx|ie|cof|siteurl|zanpid|origin|fbclid|mc_[a-z]+|utm_[a-z]+|_bta_[a-z]+)=") {
set req.url = regsuball(req.url, "(gclid|cx|ie|cof|siteurl|zanpid|origin|fbclid|mc_[a-z]+|utm_[a-z]+|_bta_[a-z]+)=[-_A-z0-9+()%.]+&?", "");
set req.url = regsub(req.url, "[?|&]+$", "");
}
# Static files caching
if (req.url ~ "^/(pub/)?(media|static)/") {
# Static files should not be cached by default
#return (pass);
# But if you use a few locales and don't use CDN you can enable caching static files by commenting previous line (#return (pass);) and uncommenting next 3 lines
unset req.http.Https;
unset req.http.X-Forwarded-Proto;
unset req.http.Cookie;
}
return (hash);
}
sub vcl_hash {
if (req.http.cookie ~ "X-Magento-Vary=") {
hash_data(regsub(req.http.cookie, "^.*?X-Magento-Vary=([^;]+);*.*$", "\1"));
}
# For multi site configurations to not cache each other's content
if (req.http.host) {
hash_data(req.http.host);
} else {
hash_data(server.ip);
}
# To make sure http users don't see ssl warning
if (req.http.X-Forwarded-Proto) {
hash_data(req.http.X-Forwarded-Proto);
}
if (req.url ~ "/graphql") {
call process_graphql_headers;
}
}
sub process_graphql_headers {
if (req.http.Store) {
hash_data(req.http.Store);
}
if (req.http.Content-Currency) {
hash_data(req.http.Content-Currency);
}
}
sub vcl_backend_response {
set beresp.grace = 3d;
if (beresp.http.content-type ~ "text") {
set beresp.do_esi = true;
}
if (bereq.url ~ "\.js$" || beresp.http.content-type ~ "text") {
set beresp.do_gzip = true;
}
if (beresp.http.X-Magento-Debug) {
set beresp.http.X-Magento-Cache-Control = beresp.http.Cache-Control;
}
# cache only successfully responses and 404s
if (beresp.status != 200 && beresp.status != 404) {
set beresp.ttl = 0s;
set beresp.uncacheable = true;
return (deliver);
} elsif (beresp.http.Cache-Control ~ "private") {
set beresp.uncacheable = true;
set beresp.ttl = 86400s;
return (deliver);
}
# validate if we need to cache it and prevent from setting cookie
if (beresp.ttl > 0s && (bereq.method == "GET" || bereq.method == "HEAD")) {
unset beresp.http.set-cookie;
}
# If page is not cacheable then bypass varnish for 2 minutes as Hit-For-Pass
if (beresp.ttl <= 0s ||
beresp.http.Surrogate-control ~ "no-store" ||
(!beresp.http.Surrogate-Control &&
beresp.http.Cache-Control ~ "no-cache|no-store") ||
beresp.http.Vary == "*") {
# Mark as Hit-For-Pass for the next 2 minutes
set beresp.ttl = 120s;
set beresp.uncacheable = true;
}
return (deliver);
}
sub vcl_deliver {
if (resp.http.X-Magento-Debug) {
if (resp.http.x-varnish ~ " ") {
set resp.http.X-Magento-Cache-Debug = "HIT";
set resp.http.Grace = req.http.grace;
} else {
set resp.http.X-Magento-Cache-Debug = "MISS";
}
} else {
unset resp.http.Age;
}
# Not letting browser to cache non-static files.
if (resp.http.Cache-Control !~ "private" && req.url !~ "^/(pub/)?(media|static)/") {
set resp.http.Pragma = "no-cache";
set resp.http.Expires = "-1";
set resp.http.Cache-Control = "no-store, no-cache, must-revalidate, max-age=0";
}
unset resp.http.X-Magento-Debug;
unset resp.http.X-Magento-Tags;
unset resp.http.X-Powered-By;
unset resp.http.Server;
unset resp.http.X-Varnish;
unset resp.http.Via;
unset resp.http.Link;
}
sub vcl_hit {
if (obj.ttl >= 0s) {
# Hit within TTL period
return (deliver);
}
if (std.healthy(req.backend_hint)) {
if (obj.ttl + 300s > 0s) {
# Hit after TTL expiration, but within grace period
set req.http.grace = "normal (healthy server)";
return (deliver);
} else {
# Hit after TTL and grace expiration
return (restart);
}
} else {
# server is not healthy, retrieve from cache
set req.http.grace = "unlimited (unhealthy server)";
return (deliver);
}
}
不支持VCL版本5.0,因此它应该是4.0,即使实际使用的版本是6
vcl4.0;
进口性病;
#最低的清漆版本是6.0
#对于SSL卸载,请在代理服务器或负载平衡器中传递以下标头:“X-Forwarded-Proto:https”
后端默认值{
.host=“localhost”;
.port=“8080”;
.第一字节超时=600s;
.probe={
.url=“/health\u check.php”;
.超时=2s;
.间隔=5s;
.window=10;
.阈值=5;
}
}
acl清除{
“本地主机”;
}
子vcl_recv{
如果(请求方法==“清除”){
如果(client.ip!~purge){
返回(synth(405,“不允许使用方法”);
}
#要在自动部署期间使用X-Pool标头清除清漆,请确保X-Pool标头
#已添加到后端服务器配置中的响应中。例如
#capistrano-magento2 gem,用于在部署例程期间从varnish中清除旧内容。
if(!req.http.X-Magento-Tags-Pattern&&!req.http.X-Pool){
返回(synth(400,“需要X-Magento-Tags-Pattern或X-Pool标头”);
}
if(请求http.X-Magento-Tags-Pattern){
ban(“obj.http.X-Magento-Tags~”+req.http.X-Magento-Tags-Pattern);
}
if(请求http.X-Pool){
ban(“obj.http.X-Pool~”+req.http.X-Pool);
}
返回(synth(200,“净化”);
}
如果(请求方法!=“获取”&&
请求方法!=“头”&&
请求方法!=“放置”&&
请求方法!=“POST”&&
请求方法!=“跟踪”&&
请求方法!=“选项”&&
请求方法!=“删除”){
/*非RFC2616或连接,这很奇怪*/
回流管;
}
#默认情况下,我们只处理GET和HEAD
如果(请求方法!=“GET”&&req方法!=“HEAD”){
返回(通行证);
}
#绕过购物车、结帐和搜索请求
if(req.url~“/checkout”| | req.url~“/catalogsearch”){
返回(通行证);
}
#绕过健康检查请求
if(req.url~“/pub/health\u check.php”){
返回(通行证);
}
#设置初始宽限期使用状态
设置req.http.grace=“无”;
#在领先的HTTP方案和域的情况下规范url
设置req.url=regsub(req.url“^http[s]?:/”,”);
#收集所有饼干
std.collect(请求http.Cookie);
#压缩过滤器。请参阅https://www.varnish-cache.org/trac/wiki/FAQ/Compression
if(请求http接受编码){
如果(req.url~“\(jpg | jpeg | png | gif | gz | tgz | bz2 | tbz | mp3 | ogg | swf | flv)$”){
#压缩这些没有意义
unset req.http.Accept-Encoding;
}elsif(req.http.Accept-Encoding~“gzip”){
设置req.http.Accept-Encoding=“gzip”;
}elsif(req.http.Accept-Encoding~“deflate”&&req.http.user-agent!~“MSIE”){
设置req.http.Accept-Encoding=“deflate”;
}否则{
#未知算法
unset req.http.Accept-Encoding;
}
}
#删除所有参数以最小化缓存对象
如果(req.url-“(\?|&)(gclid | cx | ie | cof | siteurl | zanpid | origin | fbclid | mc|[a-z]+| utm|[a-z]+| u bta|[a-z]+)=”){
set req.url=regsuball(req.url,“(gclid | cx | ie | cof | siteurl | zanpid | origin | fbclid | mc |[a-z]+| utm |[a-z]+)=[-_a-z0-9+()%.+&],”;
设置req.url=regsub(req.url,[?|&]+$,“”);
}
#静态文件缓存
如果(req.url~“^/(pub/)?(媒体|静态)/”){
#默认情况下不应缓存静态文件
#返回(通行证);
#但是,如果您使用一些区域设置而不使用CDN,则可以通过注释前一行(#return(pass);)和取消注释后3行来启用静态文件的缓存
unset req.http.Https;
unset req.http.X-Forwarded-Proto;
unset req.http.Cookie;
}
返回(散列);
}
子vcl_散列{
如果(req.http.cookie~“X-Magento-Vary=”){
散列数据(regsub(req.http.cookie,“^.*?”X-Magento-Vary=([^;]+);****$”,“\1”);
}
#多站点配置不缓存彼此的内容
if(req.http.host){
散列数据(请求http.host);
}否则{
散列数据(server.ip);
}
#确保http用户看不到ssl警告
if(请求http.X-Forwarded-Proto){
哈希_数据(请求http.X-Forwarded-Proto);
}
if(req.url~“/graphql”){
调用进程\图形\标题;
}
}
子进程\图形\标题{
if(req.http.Store){
散列数据(请求http存储);
}
if(请求http内容货币){
散列数据(请求http内容货币);
}
}
子vcl_后端_响应{
设置beresp.grace=3d;
if(beresp.http.content-type~“text”){
设置beresp.do_esi=true;
}
if(bereq.url~“\.js$”| | beresp.http.content-type~“text”){
设置beresp.do_gzip=true;
}
if(beresp.http.X-Magento-Debug){
设置beresp.http.X-Magento-Cache-Control=beresp.http.Cache-Control;
}
#仅缓存成功的响应和404
如果(beresp.status!=200&&beresp.status!=404){
设置beresp.ttl=0s;
设置beresp.uncacheable=true;
归还(交付);
}埃尔西夫(ber)
log_format main '$remote_addr - $remote_user [$time_local] ' '"$request" $status $body_bytes_sent "$http_referer" ' '"$http_user_agent"';
set_real_ip_from 127.0.0.1;
real_ip_header X-Real-IP;
real_ip_recursive on;