Recently, when Qiufu was maintaining a client's website, the client requested that access from foreign IPs be blocked. According to the logs, most of the attacking IPs came from abroad, and the target users were domestic, so only domestic IPs were allowed to access the website. Can block the vast majority of CC and DDoS attacks. After actual testing, it was found that the effect is still good, and the cost of attacking again has increased a lot.
However, a problem was later discovered. After using Cloudflare CDN, the IP addresses obtained by the website were all from Cloudflare's CDN nodes. The IP addresses of real users could not be obtained, and the defense effect was greatly reduced. Fortunately, Cloudflare has already thought of this for us by including the visitor's IP address in the X-Forwarded-For header and the CF-Connecting-IP header.
With the X-Forwarded-For header, you can use the ngx_http_realip_module module if it's Nginx or the mod_remoteip module if it's Apache to get the user's real IP. This article will share how to compile and enable the ngx_http_realip_module module and mod_remoteip module to obtain the user's real IP address.
Generally speaking, CDN vendors have adopted standard protocols such as X-Forwarded-For and X-Real_IP, so the access to obtain the user's real IP introduced in this article is basically applicable to other CDN vendors. For more information on CDN acceleration and server optimization and acceleration methods, here are:
- Cloudflare Partner access management Cloudflare CDN-enable Railgun dynamic acceleration
- Youpaiyun CDN acceleration application tutorial - one-click mirroring, static dynamic CDN and free SSL
- How to enable Nginx fastcgi_cache cache acceleration in WordPress - Nginx configuration example
1. Nginx compiles ngx_http_realip_module
1.1 Oneinstack compilation
If you are using the Oneinstack one-click package, you can use the following command to compile ngx_http_realip_module:
#下编译安装nginx的时候,都编译安装的哪些模块 [root@wzfoume ~]# nginx -V nginx version: nginx/1.14.2 built by gcc 4.4.7 20120313 (Red Hat 4.4.7-23) (GCC) built with OpenSSL 1.1.1a 20 Nov 2018 TLS SNI support enabled configure arguments: --prefix=/usr/local/nginx --user=www --group=www --with-http_stub_status_module --with-http_v2_module --with-http_ssl_module --with-http_gzip_static_module --with-http_realip_module --with-http_flv_module --with-http_mp4_module --with-openssl=../openssl-1.1.1a --with-pcre=../pcre-8.42 --with-pcre-jit --with-ld-opt=-ljemalloc #进入到oneinstack的nginx安装目录下,如果没有请先解压 [root@wzfoume src]# cd /root/oneinstack/src [root@wzfoume src]# tar xzf nginx-1.14.2.tar.gz [root@wzfoume src]# cd /root/oneinstack/src/nginx-1.14.2 [root@wzfoume nginx-1.14.2]# ./configure --prefix=/usr/local/nginx --user=www --group=www --with-http_stub_status_module --with-http_v2_module --with-http_ssl_module --with-http_gzip_static_module --with-http_realip_module --with-http_flv_module --with-http_mp4_module --with-openssl=../openssl-1.1.1a --with-pcre=../pcre-8.42 --with-pcre-jit --with-ld-opt=-ljemalloc --with-http_realip_module make #如果出现错误,应该是依赖路径不对,请cd ..到上一个目录解压相应的软件 tar xzf pcre-8.42.tar.gz tar xzf openssl-1.0.2q.tar.gz tar xzf openssl-1.1.1a.tar.gz #编译完成,备份原先配置,然后替换nginx二进制文件 mv /usr/local/nginx/sbin/nginx{,_`date +%F`} #备份nginx cp objs/nginx /usr/local/nginx/sbin #查看是否已经把http_realip_module模块加入进去 nginx -V
1.2 LNMP compilation
If you are using the LNMP one-click package, find lnmp.conf in the lnmp installation directory and edit it, add realip to Nginx_Modules_Options
, save and execute ./upgrade.sh nginx
to Just upgrade Nginx. The command is as follows:
Nginx_Modules_Options='--with-http_realip_module'
1.3 BT Pagoda Panel
If you are using BT Pagoda panel, you can use the following command to compile ngx_http_realip_module:
#宝塔面板安装模块 #先查看一下本机的Nginx配置情况 [root@cs ~]# nginx -V nginx version: nginx/1.14.2 built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC) built with OpenSSL 1.0.2l 25 May 2017 TLS SNI support enabled configure arguments: --user=www --group=www --prefix=/www/server/nginx --with-openssl=/www/server/nginx/src/openssl --add-module=/www/server/nginx/src/ngx_devel_kit --add-module=/www/server/nginx/src/lua_nginx_module --add-module=/www/server/nginx/src/ngx_cache_purge --add-module=/www/server/nginx/src/nginx-sticky-module --add-module=/www/server/nginx/src/nginx-http-concat --with-http_stub_status_module --with-http_ssl_module --with-http_v2_module --with-http_image_filter_module --with-http_gzip_static_module --with-http_gunzip_module --with-stream --with-stream_ssl_module --with-ipv6 --with-http_sub_module --with-http_flv_module --with-http_addition_module --with-http_realip_module --with-http_mp4_module --with-ld-opt=-Wl,-E --with-pcre=pcre-8.40 --with-ld-opt=-ljemalloc #开始下载Nginx,这里用的是1.15.1,你也可以下载其它的版本 wget http://nginx.org/download/nginx-1.15.1.tar.gz tar -xzvf nginx-1.15.1.tar.gz cd nginx-1.15.1 #下面的命令只是在上面的Nginx -v得到的配置详情后加上了--with-http_realip_module,目的是为了保持原来的配置不变同时又增加新的模块 ./configure --user=www --group=www --prefix=/www/server/nginx --with-openssl=/www/server/nginx/src/openssl --add-module=/www/server/nginx/src/ngx_devel_kit --add-module=/www/server/nginx/src/lua_nginx_module --add-module=/www/server/nginx/src/ngx_cache_purge --add-module=/www/server/nginx/src/nginx-sticky-module --add-module=/www/server/nginx/src/nginx-http-concat --with-http_stub_status_module --with-http_ssl_module --with-http_v2_module --with-http_image_filter_module --with-http_gzip_static_module --with-http_gunzip_module --with-stream --with-stream_ssl_module --with-ipv6 --with-http_sub_module --with-http_flv_module --with-http_addition_module --with-http_realip_module --with-http_mp4_module --with-ld-opt=-Wl,-E --with-pcre=pcre-8.40 --with-ld-opt=-ljemalloc --with-http_realip_module #只编译不安装 make #先停用Nginx,然后替换新的Nginx并查看模块是否已经加载。命令如下: mv /www/server/nginx/sbin/nginx /www/server/nginx/sbin/nginx-wzfou.backup cp objs/nginx /www/server/nginx/sbin/nginx nginx -V #重启Nginx
2. Nginx settings set_real_ip_from
After compiling ngx_http_realip_module, now we only need to add the set_real_ip_from code to the Nginx configuration file. The example is as follows:
set_real_ip_from 222.222.222.222; #这里是需要填写具体的CDN服务器IP地址,可添加多个 set_real_ip_from 222.222.111.111; real_ip_header X-Forwarded-For; real_ip_recursive on;
If you are using CloudFlare free CDN, please add the following code to your Nginx configuration file.
location / { set_real_ip_from 103.21.244.0/22; set_real_ip_from 103.22.200.0/22; set_real_ip_from 103.31.4.0/22; set_real_ip_from 104.16.0.0/12; set_real_ip_from 108.162.192.0/18; set_real_ip_from 131.0.72.0/22; set_real_ip_from 141.101.64.0/18; set_real_ip_from 162.158.0.0/15; set_real_ip_from 172.64.0.0/13; set_real_ip_from 173.245.48.0/20; set_real_ip_from 188.114.96.0/20; set_real_ip_from 190.93.240.0/20; set_real_ip_from 197.234.240.0/22; set_real_ip_from 198.41.128.0/17; set_real_ip_from 199.27.128.0/21; set_real_ip_from 2400:cb00::/32; set_real_ip_from 2606:4700::/32; set_real_ip_from 2803:f800::/32; set_real_ip_from 2405:b500::/32; set_real_ip_from 2405:8100::/32; set_real_ip_from 2c0f:f248::/32; set_real_ip_from 2a06:98c0::/29; # use any of the following two real_ip_header CF-Connecting-IP; #real_ip_header X-Forwarded-For; } #不要忘记重启nginx service nginx restart
Generally speaking, the IP address of CloudFlare will not change. You can find it here: https://www.cloudflare.com/ips/, but just in case, wzfou.com recommends setting an IP address that automatically updates CloudFlare. The scheduled task automatically adds the latest IP to the Nginx configuration file. code show as below:
#在nginx配置目录创建cloudflare_ip.conf文件 touch /usr/local/nginx/conf/cloudflare_ip.conf #修改原有的vhost配置,将原来第五步配置的信息改为 include cloudflare_ip.conf; #创建自更新脚本update_cloudflare_ip.sh(假定该文件放在 /root 目录下),内容如下: #!/bin/bash echo "#Cloudflare" > /usr/local/nginx/conf/cloudflare_ip.conf; for i in `curl https://www.cloudflare.com/ips-v4`; do echo "set_real_ip_from $i;" >> /usr/local/nginx/conf/cloudflare_ip.conf; done for i in `curl https://www.cloudflare.com/ips-v6`; do echo "set_real_ip_from $i;" >> /usr/local/nginx/conf/cloudflare_ip.conf; done echo "" >> /usr/local/nginx/conf/cloudflare_ip.conf; echo "# use any of the following two" >> /usr/local/nginx/conf/cloudflare_ip.conf; echo "real_ip_header CF-Connecting-IP;" >> /usr/local/nginx/conf/cloudflare_ip.conf; echo "#real_ip_header X-Forwarded-For;" >> /usr/local/nginx/conf/cloudflare_ip.conf; #配置crontab 每周一的上午5点更新 0 5 * * 1 /bin/bash /root/update_cloudflare_ip.sh
3. Apache configuration mod_remoteip module
3.1 apache 2.4
The mod_remoteip module that comes with apache 2.4 does not need to be installed. Follow the steps below:
#启用模块 vim /usr/local/apache/conf/httpd.conf Include conf/extra/httpd-remoteip.conf #添加如下内容 vim /usr/local/apache/conf/extra/httpd-remoteip.conf LoadModule remoteip_module modules/mod_remoteip.so RemoteIPHeader X-Forwarded-For RemoteIPInternalProxy 127.0.0.1/24 #CloudFlare IP Ranges RemoteIPInternalProxy 103.21.244.0/22 RemoteIPInternalProxy 103.22.200.0/22 RemoteIPInternalProxy 103.31.4.0/22 RemoteIPInternalProxy 104.16.0.0/12 RemoteIPInternalProxy 108.162.192.0/18 RemoteIPInternalProxy 131.0.72.0/22 RemoteIPInternalProxy 141.101.64.0/18 RemoteIPInternalProxy 162.158.0.0/15 RemoteIPInternalProxy 172.64.0.0/13 RemoteIPInternalProxy 173.245.48.0/20 RemoteIPInternalProxy 188.114.96.0/20 RemoteIPInternalProxy 190.93.240.0/20 RemoteIPInternalProxy 197.234.240.0/22 RemoteIPInternalProxy 198.41.128.0/17 #你的CDN的IP,可以重复添加 #修改日志格式,在日志格式中加上%a,然后重启apache即可 LogFormat "%h %a %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"" combined LogFormat "%h %a %l %u %t "%r" %>s %b" common LogFormat "%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i" %I %O" combined
3.2 apache 2.2
Apache 2.2 needs to install the mod_remoteip module. The method is as follows:
wget https://github.com/ttkzw/mod_remoteip-httpd22/raw/master/mod_remoteip.c /usr/local/apache/bin/apxs -i -c -n mod_remoteip.so mod_remoteip.c #启用模块 vim /usr/local/apache/conf/httpd.conf Include conf/extra/httpd-remoteip.conf #添加如下内容,然后重启apache即可 vim /usr/local/apache/conf/extra/httpd-remoteip.conf LoadModule remoteip_module modules/mod_remoteip.so RemoteIPHeader X-Forwarded-For RemoteIPInternalProxy 127.0.0.1 #你的CDN的IP,可以重复添加
4. The website only allows IP access from Cloudflare CDN
Above we obtained the user's real IP address by installing the ngx_http_realip_module and mod_remoteip modules, but sometimes we need to use Cloudflare's security protection function to prevent CC or DDoS attacks, that is, only the IP of Cloudflare CDN is allowed to access our access.
The code examples of Nginx directly denying and allowing IP access are as follows:
location / { deny 192.168.1.1; allow 192.168.1.0/24; allow 10.1.1.0/16; allow 2001:0db8::/32; #Railgun IP deny all; }
If we only allow Cloudflare CDN's IP to access the website, we can directly add Cloudflare CDN's IP to the allowed range in the nginx configuration.
#直接加入 # https://www.cloudflare.com/ips # IPv4 allow 103.21.244.0/22; allow 103.22.200.0/22; allow 103.31.4.0/22; allow 104.16.0.0/12; allow 108.162.192.0/18; allow 131.0.72.0/22; allow 141.101.64.0/18; allow 162.158.0.0/15; allow 172.64.0.0/13; allow 173.245.48.0/20; allow 188.114.96.0/20; allow 190.93.240.0/20; allow 197.234.240.0/22; allow 198.41.128.0/17; # IPv6 allow 2400:cb00::/32; allow 2405:8100::/32; allow 2405:b500::/32; allow 2606:4700::/32; allow 2803:f800::/32; allow 2c0f:f248::/32; allow 2a06:98c0::/29;
Automatically update Cloudflare CDN IP. It is simple and convenient to manually add the Cloudflare CDN IP to the Nginx configuration. However, once the Cloudflare CDN IP changes, you have to handle it manually. We can create a script to regularly update the Cloudflare CDN IP and automatically add it to the Nginx configuration. , the code is as follows:
touch /usr/local/nginx/conf/allow_ip.conf #修改网站nginx配置,加入以下代码: include /usr/local/nginx/conf/allow_ip.conf; vim /data/script/allow_cf_ip.sh #!/bin/bash echo "#Cloudflare" > /usr/local/nginx/conf/allow_ip.conf; for i in `curl https://www.cloudflare.com/ips-v4`; do echo "allow $i;" >> /usr/local/nginx/conf/allow_ip.conf; done for i in `curl https://www.cloudflare.com/ips-v6`; do echo "allow $i;" >> /usr/local/nginx/conf/allow_ip.conf; done #添加定时任务 0 5 * * 1 /bin/bash /data/script/allow_cf_ip.sh
5. Summary
After using CDN acceleration, the user IP obtained by our website becomes the IP of the CDN. If we want to obtain the user's real IP, we must use the mode functions of Nginx and Apache. Of course, if you are using PHP, such as WordPress, just add the following code directly to your WordPress configuration file.
if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])) { $list = explode(‘,’,$_SERVER['HTTP_X_FORWARDED_FOR']); $_SERVER['REMOTE_ADDR'] = $list[0]; }
A special reminder here is that if you enable Cloudflare Railgun dynamic acceleration (the Cloudflare Partner access management of Mining Station provides this free service), remember to add the Railgun server IP to the configuration, because after enabling Railgun, the website will obtain The IP addresses obtained are all from the Railgun server.