How to fix the server side not seeing the client IP after tunnelling through frp
My services run on k3s. Traffic arrives on ports 80 and 443 of an Alibaba Cloud server and is tunnelled through frp to ports 30871 and 30166 of the k3s environment on my home server. I have deployed the SafeLine WAF, and when the firewall blocks a violating request it logs the client IP, but every logged IP was the server's internal (private) address. The fix is as follows:
# frpc configuration (frp TOML format)
serverAddr = "<your server ip>"
serverPort = 7000
auth.token = "<your token>"

[[proxies]]
name = "ssh"
type = "tcp"
localIP = "127.0.0.1"
localPort = 22
remotePort = 8000
# no proxyProtocolVersion here: sshd does not accept a PROXY protocol header

[[proxies]]
name = "80"
type = "tcp"
localIP = "127.0.0.1"
localPort = 30871
remotePort = 80
# prepend a PROXY protocol v2 header carrying the real client address
transport.proxyProtocolVersion = "v2"

[[proxies]]
name = "443"
type = "tcp"
localIP = "127.0.0.1"
localPort = 30166
remotePort = 443
transport.proxyProtocolVersion = "v2"

[[proxies]]
name = "6443"
type = "tcp"
localIP = "127.0.0.1"
localPort = 6443
remotePort = 6443
# left without proxyProtocolVersion: only the 80/443 proxies feed a listener that accepts PROXY protocol

Under each relevant [[proxies]] entry, add transport.proxyProtocolVersion = "v2".
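To show what transport.proxyProtocolVersion = "v2" actually puts on the wire, here is an added Python example (not frp's or SafeLine's code): it builds the PROXY protocol v2 header that frpc prepends to each forwarded TCP connection and parses it back out the way a receiving listener such as nginx does. The addresses and request bytes are constructed sample values; a connection that arrives without the header yields None, which is the case a receiver must expect when something other than frpc connects directly.

```python
import socket
import struct
from typing import NamedTuple, Optional

# PROXY protocol v2 (the format frpc emits with proxyProtocolVersion = "v2"):
# 12-byte signature, 1 byte version/command, 1 byte family/protocol,
# 2-byte body length, then src addr, dst addr, src port, dst port.
V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
FAMILIES = {0x1: (socket.AF_INET, 4), 0x2: (socket.AF_INET6, 16)}


class ProxyInfo(NamedTuple):
    src_ip: str      # the real client address a WAF should log
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes   # bytes after the header: the start of the real request


def build_v2_header(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bytes:
    """Build the header as a v2 sender does (PROXY command, TCP stream)."""
    family = socket.AF_INET6 if ":" in src_ip else socket.AF_INET
    fam_nibble = 0x2 if family == socket.AF_INET6 else 0x1
    body = (socket.inet_pton(family, src_ip) + socket.inet_pton(family, dst_ip)
            + struct.pack("!HH", src_port, dst_port))
    head = bytes([0x21, (fam_nibble << 4) | 0x1])  # version 2 + PROXY, family + STREAM
    return V2_SIGNATURE + head + struct.pack("!H", len(body)) + body


def parse_v2_header(data: bytes) -> Optional[ProxyInfo]:
    """Return the addresses carried by a v2 header, or None if there is no usable one."""
    if len(data) < 16 or data[:12] != V2_SIGNATURE:
        return None                      # plain connection, no PROXY header at all
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    body = data[16:16 + length]
    if ver_cmd >> 4 != 0x2 or len(body) != length:
        return None                      # wrong version or truncated header
    if ver_cmd & 0xF == 0x0:
        return None                      # LOCAL command (health check): use the socket peer instead
    family, alen = FAMILIES.get(fam_proto >> 4, (None, 0))
    if family is None or fam_proto & 0xF != 0x1 or length < 2 * alen + 4:
        return None                      # UNSPEC/AF_UNIX or non-TCP: nothing useful to log
    src = socket.inet_ntop(family, body[:alen])
    dst = socket.inet_ntop(family, body[alen:2 * alen])
    src_port, dst_port = struct.unpack("!HH", body[2 * alen:2 * alen + 4])
    return ProxyInfo(src, src_port, dst, dst_port, data[16 + length:])
```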
In addition, the corresponding Nginx needs the following settings; using nginx-ingress as the example:
allow-snippet-annotations: 'false'
compute-full-forwarded-for: 'true'
forwarded-for-header: X-Forwarded-For
plugins: safeline
use-forwarded-headers: 'true'
use-proxy-protocol: 'true'

These settings go in the ingress-nginx-controller ConfigMap. Note that with use-proxy-protocol enabled, nginx expects a PROXY protocol header on every connection to those ports and trusts the address it carries, so ports 30871 and 30166 should only be reachable from frpc: a direct connection without the header is rejected, and one with a forged header would be logged as that forged address.
With this in place, the IP recorded by the WAF is the client's real public IP.