七层IP透传测试
原理同nginx通过配置将客户端ip添加到 xforwordefor 请求头中,具体如下:
globallog 127.0.0.1 local3 info chroot /usr/local/haproxypidfile /var/run/haproxy.pid maxconn 65530 user haproxygroup haproxydaemon
defaultslog global log 127.0.0.1 local3 info mode http option httplog option dontlognull option httpclose
# option forwardforretries 3 maxconn 65530 timeout http-request 10stimeout queue 1mtimeout connect 60s timeout client 2m timeout server 2m timeout http-keep-alive 10stimeout check 10sfrontend frontend_httpbind *:80option tcplogoption forwardformode httpdefault_backend backend_http
backend backend_httpmode httpbalance roundrobinserver emqx_node_1 192.168.47.11:8080 checkserver emqx_node_2 192.168.47.12:8080 checkfrontend frontend_httpsbind *:443option tcplogmode tcpdefault_backend backend_https
backend backend_httpsmode tcpbalance roundrobinserver emqx_node_3 192.168.47.11:8443 checkserver emqx_node_4 192.168.47.12:8443 check
listen haproxy_statusbind *:9800mode httpoption httplogmaxconn 200stats refresh 120slog 127.0.0.1 local0 errstats uri /haproxy-statusstats realm welcome login\haproxystats auth admin:123456stats hide-versionstats admin if TRUE
# 测试 针对 http 的请求 增加了 option forwardfor 支持 forwardfor 发现 客户端ip被添加到了 xforwardfor 请求头中
# 四层
IP透传测试
haproxy四层透传ip实现方式 是通过支持proxy-protocal 协议来实现,拿到四层流量后将客户端ip信息写入到数据包中,后端服务也必须支持proxy-protocal ,否则会报错。测试如下:
haproxy 配置如下:
globallog 127.0.0.1 local3 info chroot /usr/local/haproxypidfile /var/run/haproxy.pid maxconn 65530 user haproxygroup haproxydaemon
defaultslog global log 127.0.0.1 local3 info mode http option httplog option dontlognull option httpclose
# option forwardforretries 3 maxconn 65530 timeout http-request 10stimeout queue 1mtimeout connect 60s timeout client 2m timeout server 2m timeout http-keep-alive 10stimeout check 10sfrontend frontend_httpbind *:80option tcplogoption forwardfor mode httpdefault_backend backend_http
backend backend_httpmode httpbalance roundrobinserver emqx_node_1 192.168.47.11:8080 checkserver emqx_node_2 192.168.47.12:8080 checkfrontend frontend_httpsbind *:443option tcplogmode tcpdefault_backend backend_https
backend backend_httpsmode tcpbalance roundrobin# server emqx_node_3 192.168.47.11:8443 send-proxy check#server emqx_node_4 192.168.47.12:8443 check server emqx_node_5 192.168.47.10:808 send-proxy check --四层在代理服务器后 增加 send-proxy 配置 listen haproxy_statusbind *:9800mode httpoption httplogmaxconn 200stats refresh 120slog 127.0.0.1 local0 errstats uri /haproxy-statusstats realm welcome login\haproxystats auth admin:123456stats hide-versionstats admin if TRUE
重新启动haproxy 服务
# 可以看到请求头中
# 备注 :
nginx 支持 proxy_protocal,因此后端服务器我们使用nginx,tomcat 不支持 如果后端服务器是tomcat 那么代理会不成功,tomcat读取请求包会报错。
nginx 安装 需要带有 realip等模块如下:–nginx版本 1.20
————————————————
原文链接:https://blog.csdn.net/zhangxm_qz/article/details/124117546