Question title: AWS Application load balancer in front with https listener and nginx reverse proxy server behind it
Posted: 2022-01-06 04:14:50
Question:

I am setting up an Nginx reverse proxy server behind an AWS Application Load Balancer. Nginx is needed because we want a single AWS ALB, and Nginx will do the routing for multiple vhosts.

I can reach the site, but I get this error log:

[info] 7385#7385: *342 client sent invalid request while reading client request line, client: 10.16.224.212, server: ~(.*).xyz.com, request: "PROXY TCP4 10.16.224.212 10.16.224.212 39064 80"

Nginx vhost configuration:

server {
    listen *:80 default_server ;
    server_name           ~(.*).example.com;
    if ($blocked_user_agents = 'global') {
        return 444;
    }

    underscores_in_headers on;

    index  index.html index.htm index.php;

    access_log            /var/log/nginx/www-tier.access.log main_ext;
    error_log             /var/log/nginx/www-tier.error.log info;

    location /market/admin {
        root      /usr/share/nginx/html;
        index     index.html index.htm index.php;
        return 444;
    }

    location /admin {
        root      /usr/share/nginx/html;
        index     index.html index.htm index.php;
        return 444;
    }

    location ~*\/data\/(photos_list|results).asp {
        root      /usr/share/nginx/html;
        index     index.html index.htm index.php;
        if ($arg_manager_id = "") {
            return 301 https://example.com/oil/data/;
        }
        return 301 https://example/oil/data/$arg_manager_id;
    }

    location /jobs/search_job_results.asp {
        root      /usr/share/nginx/html;
        index     index.html index.htm index.php;
        return 301 https://example/jobs/search_jobs.asp$is_args$args;
    }

    location /shared_code/sitecheck.asp {
        proxy_pass http://www-servers;
        proxy_set_header Host health-check.example.com;
        root      /usr/share/nginx/html;
        index     index.html index.htm index.php;
    }

    location ~*\/(h|cms-rest|\.well-known)\/.* {
        root      /usr/share/nginx/html;
        index     index.html index.htm index.php;
        proxy_pass http://rz-cms-servers;
    }

    location ~*^\/oil\/jobs(.*) {
        if ($blocked_user_agents = 'jobs') {
            return 444;
        }

        root      /usr/share/nginx/html;
        index     index.html index.htm index.php;
        proxy_http_version 1.1;
        proxy_pass http://www-servers;
        proxy_set_header Host $host;
        proxy_set_header Connection "";
        proxy_set_header X-Real-IP $proxy_protocol_addr;
        proxy_set_header remote_addr $proxy_protocol_addr;
        proxy_set_header X-Forwarded-For $proxy_protocol_addr;
    }

    location ~*^\/oil\/data(.*) {
        return 301 https://example.com;
        root      /usr/share/nginx/html;
        index     index.html index.htm index.php;
    }

    location ~*\/data\/offshore_drilling_rigs\/(.*) {
        rewrite ^([^.]*[^/])$ $1/ permanent;
        root      /usr/share/nginx/html;
        index     index.html index.htm index.php;
        rewrite \/data\/offshore_drilling_rigs\/(.*) /oil/data/offshore-rig-search/rig-profile/$1 permanent;
    }

    location / {
        modsecurity on;
        modsecurity_rules_file /etc/nginx/modsec/main.conf;
        if ($scanner_cookie != 0) {
            add_header Set-Cookie ZEUS_SCANNER=$scanner_cookie;
        }

        proxy_pass            http://www-servers;
        proxy_read_timeout    90;
        proxy_connect_timeout 90;
        proxy_http_version    1.1;
        proxy_set_header      Host $host;
        proxy_set_header      Connection "";
        proxy_set_header      X-Real-IP $proxy_protocol_addr;
        proxy_set_header      remote_addr $proxy_protocol_addr;
        proxy_set_header      X-Forwarded-For $proxy_protocol_addr;
        proxy_hide_header      Server;
        proxy_hide_header      X-Powered-By;
        proxy_hide_header      X-AspNet-Version;
    }

    location ~*\/data\/(advanced_search|reports|photos).asp {
        root      /usr/share/nginx/html;
        index     index.html index.htm index.php;
        return 301 https://example.com/oil/data/offshore-search/;
    }

    location ~*^\/jobs$|^\/jobs\/$|^\/jobs\/default.asp$ {
        if ($blocked_user_agents = 'jobs') {
            return 444;
        }

        root      /usr/share/nginx/html;
        index     index.html index.htm index.php;
        return 301 https://example.com/oil/jobs/;
    }

    location /data/detail.asp {
        root      /usr/share/nginx/html;
        index     index.html index.htm index.php;
        if ($arg_rig_id = "") {
            return 301 https://example.com/oil/data/offshoresearch/;
        }
        return 301 https://example.com/oil/data/offshore-search//$arg_rig_id;
    }

    location ~*\/data\/utilization_.* {
        root      /usr/share/nginx/html;
        index     index.html index.htm index.php;
        return 301 https://example.com/oil/data/utilization/;
    }

    location /jobs/search_resume_results.asp {
        root      /usr/share/nginx/html;
        index     index.html index.htm index.php;
        return 301 https://example.com/jobs/search_resume.asp$is_args$args;
    }

    location ~*^/(data)$|~*^/(data/) {
        root      /usr/share/nginx/html;
        index     index.html index.htm index.php;
        return 301 https://example.com/oil/data/;
    }

    location /jobs/jobs_list_by_skill_cat.asp {
        root      /usr/share/nginx/html;
        index     index.html index.htm index.php;
        return 301 https://example.com/oil/jobs/categories/;
    }

    location ~*^/(images|market/appimages|search/featured/images|training/images|training/heavyoil/flash|training/images)/(.*) {
        root      /usr/share/nginx/html;
        index     index.html index.htm index.php;
        proxy_buffering off;
        proxy_hide_header x-amz-id-2;
        proxy_hide_header x-amz-request-id;
        proxy_hide_header Set-Cookie;
        proxy_http_version 1.1;
        proxy_ignore_headers Set-Cookie;
        proxy_intercept_errors on;
        proxy_pass http://s3-servers;
        proxy_set_header Host dev-images.s3.amazonaws.com;
        proxy_set_header Authorization "";
        proxy_set_header Connection "";
        proxy_set_header X-Real-IP $proxy_protocol_addr;
        proxy_set_header remote_addr $proxy_protocol_addr;
        proxy_set_header X-Forwarded-For $proxy_protocol_addr;
    }

    location ~*\/investigation(|\/)$ {
        root      /usr/share/nginx/html;
        index     index.html index.htm index.php;
        return 301 https://example.com/investigation.asp;
    }

    location ~*^/jobs/resumes(.*) {
        root      /usr/share/nginx/html;
        index     index.html index.htm index.php;
        proxy_http_version 1.1;
        proxy_pass http://www-servers;
        proxy_set_header Host $host;
        proxy_set_header Connection "";
        proxy_set_header X-Real-IP $proxy_protocol_addr;
        proxy_set_header remote_addr $proxy_protocol_addr;
        proxy_set_header X-Forwarded-For $proxy_protocol_addr;
        if ($has_internal_access != 'allowed') {
            return 403;
        }
    }
}

Question comments:

    Tags: nginx reverse-proxy nginx-reverse-proxy amazon-elb aws-application-load-balancer


    Answer 1:

    This:

    PROXY TCP4 10.16.224.212 10.16.224.212 39064 80
    

    is PROXY protocol traffic: crucially, it is not HTTP traffic.

    The PROXY protocol is a clever protocol from Willy Tarreau of HAProxy. It is commonly used by load balancers (originally HAProxy) to pass the client's real source IP address on to the next device in the chain, e.g. another load balancer or an application server.

    Is the log message you posted from the Nginx server? "... client sent invalid request ..." sounds like the server expected to receive HTTP traffic but received PROXY protocol traffic instead.

    You have two solutions:

    1. Configure your Nginx server to accept PROXY protocol traffic. This is the better solution, because it preserves the client's IP address, which is very useful, especially for logging.

    2. Disable the PROXY protocol on your AWS load balancer, i.e. use plain TCP. I can't find a good link explaining how to do this, but it is certainly possible.

    Comments:
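Solution 1 from the answer above, as an added example that is not part of the original question or answer: the vhost's listen socket accepts PROXY protocol, and the real-IP module is restricted so that only the load balancer's peers may set the client address. The 10.16.224.0/24 range (taken from the address in the asker's log line) and the www-servers upstream are assumptions.

```nginx
# Added example (not the asker's or the answerer's config): accept PROXY
# protocol on the vhost from the question and trust it only from the LB.
#
# Note: an AWS Application Load Balancer does not send PROXY protocol at all.
# A text "PROXY TCP4 ..." line (v1) like the one in the log is what a Classic
# ELB TCP listener sends when its ProxyProtocol policy is enabled; an NLB sends
# the binary v2 form. The listen flag below accepts both v1 and v2.

server {
    # Without "proxy_protocol" nginx parses the first line of the connection,
    # "PROXY TCP4 ...", as an HTTP request line and logs "client sent invalid
    # request while reading client request line". With it, nginx consumes the
    # header and exposes the values as $proxy_protocol_addr/$proxy_protocol_port
    # (those variables stay empty unless this flag is set, so the asker's
    # X-Real-IP / X-Forwarded-For headers were being sent empty).
    listen 80 default_server proxy_protocol;
    server_name ~(.*)\.example\.com;

    # Only connections from these peers may rewrite $remote_addr via the PROXY
    # header. 10.16.224.0/24 is an assumed load-balancer subnet (the asker's log
    # shows 10.16.224.212). Without this restriction, any host that can reach
    # port 80 directly could spoof a client address into logs and IP-based ACLs.
    set_real_ip_from 10.16.224.0/24;
    real_ip_header   proxy_protocol;

    # main_ext is the asker's log format, assumed to be defined in the http block.
    access_log /var/log/nginx/www-tier.access.log main_ext;
    error_log  /var/log/nginx/www-tier.error.log info;

    location / {
        proxy_pass         http://www-servers;   # assumed upstream group
        proxy_http_version 1.1;
        proxy_set_header   Host $host;
        proxy_set_header   Connection "";
        # $remote_addr now holds the PROXY-supplied client address for trusted
        # peers, so the X-Forwarded-For chain is built from the real client.
        proxy_set_header   X-Real-IP       $remote_addr;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Once `proxy_protocol` is on the listen socket, every TCP connection to that port must begin with a PROXY header, so a plain `curl http://host/` from a machine that is not behind the load balancer is closed with a "broken header" error in the error log rather than served.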
