Get visitors real IP in PHP app running behind Kubernetes LoadBalancer service in GCE

Problem description

I am having issues getting the visitor's real IP in my PHP app. I have Kubernetes running in Google Container Engine (master: 1.4.8, node: 1.4.7).

Service definition:

apiVersion: v1
kind: Service
metadata:
    name: app-service
spec:
    type: LoadBalancer # spawning google loadbalancer
    selector:
        name: app # running simple php/nginx container
    ports:
        - port: 80
          targetPort: 80

How can it be that the X-Forwarded-For headers etc. don't get passed through to my php app? I am only getting back the source ip (in php REMOTE_ADDR), which is 10.0.1.1. In Google Cloud I can see the service is using a layer 4 load balancer. Could this be the issue that the real source ip is lost and the X-Forwarded-For header never gets set?

If someone could explain to me what is going on, that would be super helpful!

For what it's worth, I am using the following nginx configuration in my app container:

location ~ \.php$ {
    fastcgi_pass php-upstream;
    fastcgi_split_path_info ^(.+\.php)(/.*)$;
    include fastcgi_params;
    fastcgi_param  SCRIPT_FILENAME  $realpath_root$fastcgi_script_name;
    fastcgi_param DOCUMENT_ROOT $realpath_root;
}

EDIT I have put my whole application behind CloudFlare, so it is now pointing from CloudFlare http proxy -> GCE Load Balancer. And somehow the X-Forwarded-For headers and all are present! For me it seems like the issue is with the GCE Load Balancer, it is somehow unable to set those headers?

Recommended answer

A new feature is

Due to the implementation of this feature, the source IP for sessions as seen in the target container will not be the original source IP of the client. This is the default behavior as of Kubernetes v1.5. However, starting in v1.5, an optional beta feature has been added that will preserve the client Source IP for GCE/GKE environments. This feature will be phased in for other cloud providers in subsequent releases.

More details are available here and boil down to adding an annotation for services of type loadbalancer:

$ kubectl annotate service loadbalancer service.beta.kubernetes.io/external-traffic=OnlyLocal

This will open a healthcheck port on the node, to verify if service endpoints are available on the node.

More details on how this issue is rolled out to other clusters seem to be available on the kubernetes/features issue tracking this feature.

Note: Question seems similar to StackOverflow/Kubernetes-not-preserving-source-ip
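
The question notes that X-Forwarded-For appears once an HTTP proxy sits in front of the load balancer. The following is an added example, not part of the original question or answer, showing how a PHP app can honour that header only when REMOTE_ADDR belongs to a known proxy, since the header is otherwise client-supplied. The function names `ip_in_cidr` and `client_ip`, the proxy range and all sample addresses are assumptions constructed for illustration.

```php
<?php
// Added example, not from the original post; all addresses and ranges are constructed.
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $a = @inet_pton($ip);
    $b = @inet_pton($net);
    if ($a === false || $b === false || strlen($a) !== strlen($b)) {
        return false;                       // unparsable, or IPv4 vs IPv6 mismatch
    }
    $max = strlen($a) * 8;
    if ($bits !== null && (!ctype_digit($bits) || (int) $bits > $max)) return false;
    $bits = $bits === null ? $max : (int) $bits;
    $full = intdiv($bits, 8);               // whole bytes covered by the prefix
    $rem  = $bits % 8;                      // leftover bits in the next byte
    if (substr($a, 0, $full) !== substr($b, 0, $full)) return false;
    if ($rem === 0) return true;
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($a[$full]) & $mask) === (ord($b[$full]) & $mask);
}

function client_ip(array $server, array $trusted): string
{
    $isProxy = function (string $ip) use ($trusted): bool {
        foreach ($trusted as $cidr) {
            if (ip_in_cidr($ip, $cidr)) return true;
        }
        return false;
    };
    $ip  = $server['REMOTE_ADDR'] ?? '';
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    // The header is honoured only when the TCP peer itself is a known proxy.
    if ($xff === '' || !$isProxy($ip)) return $ip;
    // Walk right to left: each trusted proxy vouches for the hop before it.
    foreach (array_reverse(array_map('trim', explode(',', $xff))) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) break;
        $ip = $hop;
        if (!$isProxy($hop)) break;         // first untrusted hop is the client
    }
    return $ip;
}

$proxies = ['198.51.100.0/24'];             // constructed proxy range
$cases = [
    ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'],
    ['REMOTE_ADDR' => '192.0.2.44',   'HTTP_X_FORWARDED_FOR' => '127.0.0.1'], // forged header
    ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_X_FORWARDED_FOR' => '10.9.9.9, 203.0.113.7'],
];
foreach ($cases as $s) { printf("%s | %s => %s\n", $s['REMOTE_ADDR'], $s['HTTP_X_FORWARDED_FOR'], client_ip($s, $proxies)); }
```

In the question's setup every connection reaches the pod from 10.0.1.1, so that address cannot serve as a trusted proxy: a client connecting straight to the load balancer looks the same as the CloudFlare proxy. With the source IP preserved by the annotation in the answer, the trusted list can be narrowed to the proxy's own ranges.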
