实际场景
用户访问--->阿里云CDN--->机房公网防火墙--->haproxy-→ingress
需要在ingress日志中拿到用户真实IP
ingress配置文件
| Code Block |
|---|
apiVersion: v1
data:
add-headers: ingress-nginx/custom-headers-default
allow-backend-server-header: 'true'
compute-full-forwarded-for: 'true'
enable-underscores-in-headers: 'true'
error-log-level: notice
forwarded-for-header: X-Forwarded-For
generate-request-id: 'true'
hsts: 'false'
ignore-invalid-headers: 'true'
log-format-upstream: >-
$http_x_forwarded_for - [$remote_addr] - $remote_user [$time_local]
"$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
$request_length $request_time [$proxy_upstream_name] $upstream_addr
$upstream_response_length $upstream_response_time $upstream_status $req_id
$host [$proxy_alternative_upstream_name]
max-worker-connections: '65535'
proxy-body-size: 4096M
proxy-connect-timeout: '3600'
proxy-read-timeout: '3600'
proxy-send-timeout: '3600'
ssl-ciphers: >-
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
ssl-protocols: TLSv1.2 TLSv1.1 TLSv1
upstream-keepalive-connections: '40000'
use-forwarded-headers: 'true'
use-http2: 'false'
use-proxy-protocol: 'true'
worker-processes: '2'
worker-shutdown-timeout: 2hs
kind: ConfigMap
metadata:
name: ingress-nginx-controller-default
namespace: ingress-nginx |
...