[TOC]

Sometimes a container needs the client's real IP address and related information. After a request has been forwarded by IngressNginxController this information is not necessarily available, so IngressNginxController has to be configured for it.

## Load balancer using a layer-4 proxy

## haproxy

```shell
$ kubectl -n ingress-nginx edit configmap ingress-nginx-controller
# Add the following lines to the data field
data:
  # Append the source address to the X-Forwarded-For header instead of replacing it
  compute-full-forwarded-for: "true"
  # Allow underscores in headers; disabled by default
  enable-underscores-in-headers: "true"
  # Header field used to identify the client's original IP address. Default: X-Forwarded-For
  forwarded-for-header: X-Forwarded-For
  # Must be set to true when the X-Forwarded-* headers are expected to be passed to the backend service
  use-forwarded-headers: "true"
  # Enable or disable the PROXY protocol to receive client connection (real IP address) information passed through proxy servers and load balancers
  use-proxy-protocol: "true"

# Restart the ingress-nginx-controller container
$ kubectl -n ingress-nginx delete pod -l app.kubernetes.io/component=controller
pod "ingress-nginx-controller-6c979c5b47-hrb4k" deleted
```

> Note: if the load balancer in front of the highly available `ingress-nginx-controller` does not have `proxy protocol` enabled, all access to the services will fail.

The haproxy configuration is as follows:

```shell
listen ingress_nginx_http
    bind 192.168.31.188:80
    mode tcp
    balance roundrobin
    server master01 192.168.31.103:80 weight 1 check inter 1000 rise 3 fall 5 send-proxy
    server master02 192.168.31.79:80 weight 1 check inter 1000 rise 3 fall 5 send-proxy

listen ingress_nginx_https
    bind 192.168.31.188:443
    mode tcp
    balance roundrobin
    server master01 192.168.31.103:443 weight 1 check inter 1000 rise 3 fall 5 send-proxy
    server master02 192.168.31.79:443 weight 1 check inter 1000 rise 3 fall 5 send-proxy
```

> The `server` parameters must include the `send-proxy` option.

The following log was collected when a client accessed the domain configured through `ingress`:

```shell
{"time": "2022-09-15T16:56:15+08:00", "namespace": "default", "service_name": "hearder", "service_port": 80, "domain": " www.ecloud.com", "path": "/hearder", "request_id": "8ee4be46fb1799f75553fa9c3dee716a", "remote_user": "admin", "request_query": "-", "bytes_sent": 919, "status": 200, "request_time": 0.003, "request_proto": "HTTP/1.1", "request_length": 501, "duration": 0.003, "method": "GET", "http_referrer": "-", "remote_addr":"192.168.31.245", "remote_port": "54328", "proxy_protocol_addr": "192.168.31.245", "proxy_add_x_forwarded_for": "192.168.31.245", "x_forwarded_for": "-", "http_user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" }
```

> - `remote_addr` is the real client IP address.
> - haproxy's `x_forwarded_for` parameter is overwritten directly with `remote_addr`, so it contains only the real client IP address and no chain of the IPs the call passed through.
> - This log uses a custom log format. If you need it, see [Custom ingress logs](./ingress_log.md).