Reverse Proxies and How to Recover the Original Client IP
In modern web architecture, scalability is no longer an optional quality attribute but one that decides whether a site lives or dies, so any site of reasonable size no longer runs a single web server that Internet clients talk to directly. For reasons of both security and scale-out, a Reverse Proxy (RP) server or a Load Balancer (LB), or a combination of RP and LB, is placed between the web servers and the users. The benefits are well covered elsewhere online and are not repeated here.
Below is an example of an RP and an LB used together:
Here is the flow of the requests and responses:
- The client gets connected through the firewall to the reverse-proxy in the DMZ and sends it its request.
- The reverse-proxy validates the request, analyzes it to choose the right farm, then forwards it to the load-balancer in the LAN, through the firewall.
- The load-balancer chooses a server in the farm and forwards the request to it.
- The server processes the request, then answers to the load-balancer.
- The load-balancer forwards the response to the reverse-proxy.
- The reverse-proxy forwards the response to the client.
And of course, the more load-balancers and reverse proxies you chain, the more times the source IP seen by the next hop is replaced: each hop opens a new TCP connection, so the back-end server only ever sees the address of the device directly in front of it.
So how do we recover the original IP? The client's source IP is very useful to the back-end application: for example, geolocating the user by IP so as to provide localized service, or using the user's IP for risk assessment (is it a known malicious IP?).
A relatively simple approach is to have the proxies add an HTTP header, X-Forwarded-For (XFF), the de facto standard header for identifying the originating IP address of a client connecting to a web server through an HTTP proxy. Each proxy in the chain appends the address of the connection it accepted, so by the time the request reaches the application the value is a comma-separated list: client, then reverse proxy, then load balancer. One caveat that is easy to miss: the header is plain text, and a client can send it itself with any value it likes. The application must therefore trust only the entries appended by its own proxies, walking the list from the right, and never simply take the leftmost value.
Of course, you can also name the header according to your company's naming convention; at eBay, for example, it is X-eBay-Client-IP.
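The following is an added example, not code from the original post or from eBay, that simulates the RP + LB chain above and contrasts the unsafe "take the leftmost XFF entry" approach with a walk from the right that strips only our own proxies. The proxy addresses, the client address, the spoofed value and the topology are all constructed for the illustration; the header name is a constant so the same logic applies to a company-specific header such as X-eBay-Client-IP, provided the devices append rather than overwrite.

```python
import ipaddress

# Constructed topology for this example (hypothetical addresses, not from the
# original post): the public side of our reverse proxy in the DMZ and the LAN
# range of the load balancers. Only hops appended by these boxes are trusted.
TRUSTED_PROXIES = [
    ipaddress.ip_network("203.0.113.10/32"),  # reverse proxy (DMZ)
    ipaddress.ip_network("10.0.0.0/8"),       # load balancers (LAN)
]

# Header carrying the hop list; swap in e.g. "X-eBay-Client-IP" for a
# company-specific name, the walk below does not change.
HEADER = "X-Forwarded-For"


def is_trusted(ip):
    """True if ip belongs to one of our own proxy tiers."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # garbage is never one of our proxies
    return any(addr in net for net in TRUSTED_PROXIES)


def proxy_hop(headers, peer_ip):
    """What every well-behaved proxy does on the way in: append the address
    of the TCP connection it accepted to the header, never overwrite it."""
    out = dict(headers)
    prev = out.get(HEADER)
    out[HEADER] = f"{prev}, {peer_ip}" if prev else peer_ip
    return out


def simulate_chain(client_addr, client_headers, proxies):
    """Run a request from client_addr through the listed proxies in order and
    return what the application server sees: (remote_addr, header value)."""
    headers = dict(client_headers)
    peer = client_addr
    for proxy in proxies:
        headers = proxy_hop(headers, peer)
        peer = proxy  # the next hop's TCP peer is this proxy
    return peer, headers.get(HEADER)


def naive_client_ip(remote_addr, xff):
    """The common mistake: take the leftmost entry. Anything the client put in
    the header itself lands here, so this value is attacker-controlled."""
    if not xff:
        return remote_addr
    return xff.split(",")[0].strip()


def client_ip(remote_addr, xff):
    """Walk the chain from the right. The TCP peer is known; skip every hop that
    is one of our proxies; the first address that is not ours is the real
    client. Entries to its left were supplied by an untrusted party and are
    ignored. Returns None if that position holds something that is not an IP."""
    if not is_trusted(remote_addr):
        return remote_addr  # direct connection: the header came from the client
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if is_trusted(hop):
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            return None  # untrusted party sent garbage; treat as unknown
    # Every hop is ours: the request originated inside our own infrastructure.
    return hops[0] if hops else remote_addr


if __name__ == "__main__":
    # Attacker at 198.51.100.7 pre-loads the header with an address of their choosing.
    remote, xff = simulate_chain(
        "198.51.100.7", {HEADER: "1.2.3.4"}, ["203.0.113.10", "10.0.0.5"]
    )
    print(remote, "|", xff)  # 10.0.0.5 | 1.2.3.4, 198.51.100.7, 203.0.113.10
    print("naive :", naive_client_ip(remote, xff))  # 1.2.3.4 (spoofed)
    print("walked:", client_ip(remote, xff))        # 198.51.100.7
```

The proxy side of this is a one-liner on most devices; on nginx, for instance, `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` performs exactly the append that `proxy_hop` models. The application side is where mistakes happen: if the trusted-proxy list is empty or the code reads the first entry, every IP-based control (geolocation, rate limits, blocklists) can be steered by the client.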
eBay's internal description:
Operations started introducing Layer 7 load balancers (NetScaler) on site. From the application server's point of view, requests arrive with the source IP address of the load balancer. Many eBay applications need to know the source IP address of the client. To support this requirement we introduce a standard eBay HTTP header, X-eBay-Client-IP. NetScaler and other similar devices will set this header and applications will know to use it.
References:
https://blog.exceliance.fr/2012/06/05/preserve-source-ip-address-despite-reverse-proxies/
Last updated: 2017-04-03 12:56:08