View Source

实际场景

用户访问--->阿里云CDN--->机房公网防火墙--->haproxy-→ingress

需要在ingress日志中拿到用户真实IP

ingress配置文件

---
apiVersion: v1
data:
  add-headers: ingress-nginx/custom-headers-default
  allow-backend-server-header: 'true'
  compute-full-forwarded-for: 'true'
  enable-underscores-in-headers: 'true'
  error-log-level: notice
  forwarded-for-header: X-Forwarded-For
  generate-request-id: 'true'
  hsts: 'false'
  ignore-invalid-headers: 'true'
  log-format-escape-json: 'true'
  log-format-upstream: >-
    {"tags":"nginx-h5", "time_local":"$time_local", "status":"$status",
    "domain_name":"$host", "upstream_status":"$upstream_status",
    "request":"$request", "client_ip":"$http_x_forwarded_for",
    "remote_addr":"$remote_addr", "upstream_addr":"$upstream_addr",
    "msec":"$msec", "upstream_connect_time":"$upstream_connect_time",
    "upstream_response_time":"$upstream_response_time",
    "request_time":"$request_time", "request_length":"$request_length",
    "upstream_response_length":"$upstream_response_length",
    "body_bytes_sent":"$body_bytes_sent",
    "upstream_header_time":"$upstream_header_time",
    "http_referer":"$http_referer", "http_user_agent":"$http_user_agent"}
  max-worker-connections: '65535'
  proxy-body-size: 4096M
  proxy-connect-timeout: '3600'
  proxy-read-timeout: '3600'
  proxy-send-timeout: '3600'
  ssl-ciphers: >-
    ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
  ssl-protocols: TLSv1.2 TLSv1.1 TLSv1
  upstream-keepalive-connections: '40000'
  use-forwarded-headers: 'true'
  use-http2: 'false'
  use-proxy-protocol: 'true'
  worker-processes: '2'
  worker-shutdown-timeout: 2hs
kind: ConfigMap
metadata:
  name: ingress-nginx-controller-default
  namespace: ingress-nginx

haproxy配置文件

listen http-80
  bind 0.0.0.0:80
  mode tcp
  option tcplog
  tcp-request inspect-delay 5s
  default-server inter 10s downinter 5s rise 2 fall 2 slowstart 60s maxconn 250 maxqueue 256 weight 100
  server ingress-nginx-controller1 10.10.21.120:80 send-proxy check
  server ingress-nginx-controller2 10.10.21.122:80 send-proxy check
  server ingress-nginx-controller3 10.10.21.124:80 send-proxy check

listen https-443
  bind 0.0.0.0:443
  mode tcp
  option tcplog
  tcp-request inspect-delay 5s
  default-server inter 10s downinter 5s rise 2 fall 2 slowstart 60s maxconn 250 maxqueue 256 weight 100
  server ingress-nginx-controller1 10.10.21.120:443 send-proxy check
  server ingress-nginx-controller2 10.10.21.122:443 send-proxy check
  server ingress-nginx-controller3 10.10.21.124:443 send-proxy check