Saturday, August 2, 2025

X-Forwarded-For (XFF) LAB

This lab tests X-Forwarded-For (XFF): it verifies that, with the open-source CDN software Varnish placed in front of a FortiGate virtual server load-balance (SLB) setup, the real client IP can still be obtained at the origin.

Varnish HTTP Cache 

https://www.varnish-cache.org


Lab architecture



Connection flow


Client [192.168.100.0/24] (hosts entry: 192.168.100.20 wps.cdn.tw)
--> CDN IP (192.168.100.20) --> origin IP [192.168.100.10] (FTG SLB VIP)
--> FTG firewall (192.168.100.125/192.168.1.1)
--> SLB member (RealServer IP 192.168.1.11 or 12)
--> Nginx log obtains the real client IP


Key settings

[root@CDN ~]#  cat /etc/varnish/default.vcl

vcl 4.0;

# Backend is the local nginx listener on 8080, which forwards to the origin VIP
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

# Only the CDN host itself may issue PURGE requests
acl purge {
    "localhost";
    "127.0.0.1";
}

sub vcl_recv {
    if (req.method == "PURGE") {
        if (!client.ip ~ purge) {
            return(synth(405, "DENY"));
        }
        return (purge);
    }

    # Strip cookies from static assets so they are cacheable
    if (req.url ~ "\.(gif|jpg|jpeg|swf|ttf|css|js|flv|mp3|mp4|pdf|ico|png)(\?.*|)$") {
        unset req.http.cookie;
    }
}

sub vcl_pipe {
    return (pipe);
}

sub vcl_pass {
    return (fetch);
}

sub vcl_backend_response {
.............


[root@CDN ~]#  cat /etc/nginx/nginx.conf

.....

# Edge listener: client -> nginx:80 -> Varnish (127.0.0.1:6081)
server {
  listen 80;
  server_name wps.cdn.tw;
  port_in_redirect off;
  add_header Strict-Transport-Security "max-age=31536000;";
  add_header X-Content-Type-Options nosniff;
  location / {
    proxy_pass http://127.0.0.1:6081;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Host $http_host;
    # X-Real-IP is the client address as seen by the CDN; XFF appends it to any client-sent value
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header HTTPS "on";
  }
}

# Varnish backend: nginx:8080 -> origin (FTG SLB VIP 192.168.100.10)
server {
  listen 8080;
  server_name wps.cdn.tw;
  location / {
    proxy_pass http://192.168.100.10;
    proxy_set_header  Host $http_host;

.....



[root@CDN ~]#  dnf info varnish.x86_64
Last metadata expiration check: 1:15:24 ago on Sat 02 Aug 2025 01:18:24 PM CST.
Installed Packages
Name         : varnish
Version      : 6.6.2
Release      : 6.el9_6.1
Architecture : x86_64
Size         : 3.0 M
Source       : varnish-6.6.2-6.el9_6.1.src.rpm
Repository   : @System
From repo    : ol9_appstream
Summary      : High-performance HTTP accelerator
URL          : https://www.varnish-cache.org/
License      : BSD
Description  : This is Varnish Cache, a high-performance HTTP accelerator.
             :
             : Varnish Cache stores web pages in memory so web servers don't have to
             : create the same web page over and over again. Varnish Cache serves
             : pages much faster than any application server; giving the website a
             : significant speed up.
             :
             : Documentation wiki and additional information about Varnish Cache is
             : available on: https://www.varnish-cache.org/


Nginx log settings on the RealServer


# One entry per line: XFF | X-Real-IP | TCP peer, then the usual combined fields
log_format  main  '$http_x_forwarded_for | $http_x_real_ip | $remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';
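As an added example (not part of the original post), a small Python parser for the log format above that recovers the real client IP from the logged X-Forwarded-For chain: it walks the chain from the right and discards hops belonging to proxies we operate, because the leftmost XFF entry is client-supplied and can be forged. The sample log lines are constructed, and the trusted-proxy set assumes the RealServer sees Varnish's appended 127.0.0.1 followed by the FortiGate inside address 192.168.1.1 as the TCP peer.

```python
import ipaddress
import re

# Hops we operate and therefore trust to append honestly (assumption for this lab chain,
# not stated in the post): 127.0.0.1 is the Varnish -> nginx:8080 hop on the CDN host,
# 192.168.1.1 the FortiGate inside address the RealServer sees as TCP peer.
TRUSTED_PROXIES = {"127.0.0.1", "192.168.1.1"}

# Prefix of the "main" log_format: XFF | X-Real-IP | remote_addr - user [time] "request" status
LINE_RE = re.compile(
    r'^(?P<xff>[^|]*)\|(?P<real_ip>[^|]*)\|\s*(?P<remote>\S+) - (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})'
)

# Constructed sample entries: a normal request, then one where the client sent its own XFF.
SAMPLE_LOG = """\
192.168.100.50, 127.0.0.1 | 192.168.100.50 | 192.168.1.1 - - [02/Aug/2025:14:30:01 +0800] "GET / HTTP/1.1" 200 612 "-" "curl/8.0" "192.168.100.50, 127.0.0.1"
203.0.113.9, 192.168.100.50, 127.0.0.1 | 192.168.100.50 | 192.168.1.1 - - [02/Aug/2025:14:30:02 +0800] "GET /admin HTTP/1.1" 403 153 "-" "curl/8.0" "203.0.113.9, 192.168.100.50, 127.0.0.1"
"""

def real_client_ip(xff, remote_addr, trusted=TRUSTED_PROXIES):
    """Walk the XFF chain right-to-left, skipping hops we trust.
    The chain is the XFF entries plus the TCP peer (remote_addr), the only address
    nobody can forge. A trusted proxy vouches only for the entry it appended, so the
    first address from the right that is not ours is the best client IP; everything
    left of it was supplied by the client and may be fake."""
    hops = [h.strip() for h in xff.split(",") if h.strip()] if xff not in ("", "-") else []
    hops.append(remote_addr)
    for hop in reversed(hops):
        try:
            ip = str(ipaddress.ip_address(hop))
        except ValueError:
            return None                # malformed entry: refuse to guess
        if ip not in trusted:
            return ip
    return hops[0]                     # every hop is ours: the leftmost originated it

def parse_log(text):
    """Parse lines in the post's log format; add the derived client IP and a flag that
    is True when the leftmost (client-supplied) XFF entry disagrees with it."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            row = {k: v.strip() for k, v in m.groupdict().items()}
            row["client_ip"] = real_client_ip(row["xff"], row["remote"])
            row["xff_spoofed"] = row["xff"] not in ("", "-") and row["xff"].split(",")[0].strip() != row["client_ip"]
            rows.append(row)
    return rows
```

The second sample line shows why the first XFF field in the log is not enough on its own: the derived client IP is still 192.168.100.50, while the leftmost entry 203.0.113.9 came from the client.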


Demo