测试服务器上有一个真实的 nginx,docker 运行 php + nginx 项目。
反代理后出现无法获取客户端真实 ip 及 host 的情况,解决如下:
宿主 nginx 配置:
server { server_name xscenic.*.com; charset utf-8; # 后端 api location ~ /tianshi { rewrite /tianshi/(.*) /$1 break; proxy_redirect off; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-Port $remote_port; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass http://127.0.0.1:4000; } # 静态资源 location = /ts { rewrite ^/(.*) /ts/index.html redirect; } location = /ts/ { rewrite ^/(.*) /ts/index.html redirect; } location = /ts/3d { rewrite ^/(.*) /ts/3d/index.html redirect; } location = /ts/3d/ { rewrite ^/(.*) /ts/3d/index.html redirect; } location ^~ /ts/ { proxy_pass http://xscenic-*.com; proxy_redirect off; proxy_http_version 1.1; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-Port $remote_port; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Connection keep-alive; proxy_set_header Keep-Alive 600; proxy_set_header referer scenic.xxx.com; keepalive_timeout 600; } }
docker nginx 容器中配置:
user nginx; worker_processes 1; pid /var/run/nginx.pid; # error_log /var/log/dnmp/nginx.error.log warn; events { worker_connections 1024; } http { include /etc/nginx/mime.types; default_type application/octet-stream; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; # access_log /dev/null; #access_log /var/log/dnmp/nginx.access.log main; sendfile on; #tcp_nopush on; keepalive_timeout 65; gzip on; include /etc/nginx/conf.d/*.conf; }
添加一个 map 记录反代的 $scheme
反代配置不要忘记 添加 proxy_set_header X-Forwarded-Proto $scheme;
map $http_x_forwarded_proto $fe_https { default off; https on; } server { listen 80; # server_name localhost 0.0.0.0; root /var/www/html/api/public; index index.php index.html index.htm; charset utf-8; client_max_body_size 100M; # access_log /dev/null; # access_log /var/log/dnmp/nginx.site1.access.log main; # error_log /var/log/dnmp/nginx.site1.error.log warn; #error_page 404 /404.html; # redirect server error pages to the static page /50x.html # error_page 500 502 503 504 /50x.html; location = /50x.html { root /usr/share/nginx/html; } location / { index index.html index.php; if (-f $request_filename/index.html){ rewrite (.*) $1/index.html break; } if (-f $request_filename/index.php){ rewrite (.*) $1/index.php; } if (!-f $request_filename){ rewrite (.*) /index.php; } } #proxy_set_header X-Real-IP $remote_addr; #proxy_set_header X-Real-Port $remote_port; #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # api doc location = /apidoc { set $my_port 4000; if ($host = 'fanhengyuan1994.vicp.cc'){ set $my_port 13259; } rewrite ^/(.*) $scheme://$host:$my_port/apidoc/ redirect; } location = /apidoc/ { try_files $uri $uri/ =404; } # deny accessing php files for the /assets directory location ~ ^/assets/.*\.php$ { deny all; } location ~ \.php$ { fastcgi_pass php:9000; fastcgi_index index.php; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; set $realip $remote_addr; if ($http_x_forwarded_for ~ "^(\d+\.\d+\.\d+\.\d+)") { set $realip $1; } fastcgi_param REMOTE_ADDR $realip; fastcgi_param HTTPS $fe_https; } location ~/.well-know { allow all; } # deny access to .htaccess files, if Apache's document root # concurs with nginx's one # location ~ /\.ht { deny all; } }