My network flow is as follows:
Public Client
∟--> CDN Reverse Proxy (Cloudflare) - ONLY used for HTTP/S traffic, all else goes direct
∟--> Cloud Server w/ firewalld forwarding
∟--> Private Server
∟--> Docker Reverse Proxy (Traefik)
∟--> Docker Containers
∟--> Docker Reverse Proxy (NGINX)
∟--> Docker Containers
I'm trying to get the public client's IP to show up in the log files of the various docker containers, but they only log the docker network address of the applicable docker reverse proxy.
Complicating things further, I'm forwarding a mix of TCP and UDP traffic, and not all of it is HTTP/S. I mainly want the source IP to pass through so that I can make use of rate limiting and blocking.
Is this setup overly complex? Yes. Does it somehow run extremely well? Yes! Except for not being able to log the real source IP...
The cloud server's firewall configuration commands are as follows:
echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sysctl -p
# Enable masquerade on the VPN client address
sudo firewall-cmd --add-rich-rule "rule family=ipv4 destination address={Private Server Private IP}/32 masquerade" --permanent
# These rules receive traffic coming into the server's main ipv4 address - web
sudo firewall-cmd --add-rich-rule "rule family=ipv4 destination address={Cloud Server Public IP}/32 forward-port port=80 protocol=tcp to-port=80 to-addr={Private Server Private IP}" --permanent
sudo firewall-cmd --add-rich-rule "rule family=ipv4 destination address={Cloud Server Public IP}/32 forward-port port=443 protocol=tcp to-port=443 to-addr={Private Server Private IP}" --permanent
# These rules forward the mail ports
sudo firewall-cmd --add-rich-rule "rule family=ipv4 destination address={Cloud Server Public IP}/32 forward-port port=25 protocol=tcp to-port=25 to-addr={Private Server Private IP}" --permanent
sudo firewall-cmd --add-rich-rule "rule family=ipv4 destination address={Cloud Server Public IP}/32 forward-port port=143 protocol=tcp to-port=143 to-addr={Private Server Private IP}" --permanent
sudo firewall-cmd --add-rich-rule "rule family=ipv4 destination address={Cloud Server Public IP}/32 forward-port port=465 protocol=tcp to-port=465 to-addr={Private Server Private IP}" --permanent
sudo firewall-cmd --add-rich-rule "rule family=ipv4 destination address={Cloud Server Public IP}/32 forward-port port=587 protocol=tcp to-port=587 to-addr={Private Server Private IP}" --permanent
sudo firewall-cmd --add-rich-rule "rule family=ipv4 destination address={Cloud Server Public IP}/32 forward-port port=993 protocol=tcp to-port=993 to-addr={Private Server Private IP}" --permanent
And here is an excerpt for one of the ports that Traefik passes straight through to the NGINX reverse proxy; these are the docker-compose lines:
- "traefik.tcp.routers.mailu_smtp_ssl.rule=HostSNI(`*`)"
- "traefik.tcp.routers.mailu_smtp_ssl.entrypoints=smtp-ssl"
- "traefik.tcp.routers.mailu_smtp_ssl.tls.passthrough=true"
- "traefik.tcp.routers.mailu_smtp_ssl.service=mailu_smtp_ssl"
- "traefik.tcp.services.mailu_smtp_ssl.loadbalancer.server.port=465"
I'd guess the starting point is replacing the current masquerade configuration with SNAT. I'd also guess some kind of x-layers-deep X-FORWARDED-FOR replacement setup is needed (although that won't help with the non-HTTP/S packets)... but I don't know how to put it all together.
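As an added example, not part of the question above or of any of the projects it names: the HTTP/S half of the problem comes down to recovering the client address from X-Forwarded-For once the request has crossed several proxies (CDN, Traefik, NGINX). If the value is going to drive rate limiting or blocking, the leftmost entry must not be used, because the client controls it; the usable address is the rightmost hop that is not one of your own proxies. The script below implements that walk over constructed NGINX-style log lines. The trusted proxy ranges, the log format and the sample addresses are all assumptions chosen for the demonstration.

```python
"""Recover the real client IP from a multi-hop X-Forwarded-For chain.

Added example for the question above; the proxy ranges, log format and
sample lines are constructed and are not taken from the poster's setup.
"""
import ipaddress
import re
from collections import Counter
from typing import Optional

# Assumed: address ranges of the proxies we operate or rely on. In the
# question these would be the docker proxy networks and the CDN's published
# egress ranges; the values here are placeholders.
TRUSTED_PROXIES = [
    ipaddress.ip_network("172.18.0.0/16"),   # docker network (constructed)
    ipaddress.ip_network("10.0.0.0/8"),      # private server side (constructed)
    ipaddress.ip_network("203.0.113.0/24"),  # stand-in for CDN egress ranges
]


def is_trusted(ip: str) -> bool:
    """True if ip parses and lies inside one of our proxy ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Return the rightmost untrusted hop, or the socket peer as a fallback.

    Only the hops appended by our own proxies are trustworthy; anything to the
    left of the first untrusted address was supplied by the client and may be
    forged. A peer that is not one of our proxies gets no XFF processing at all.
    """
    if not is_trusted(remote_addr):
        return remote_addr
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            # Unparseable hop: stop here rather than key a limiter on garbage.
            return remote_addr
        if not is_trusted(hop):
            return hop
    # Header empty or every hop trusted: the peer is the best we have.
    return remote_addr


# Assumed NGINX log_format:
#   '$remote_addr - [$time_local] "$request" $status "$http_x_forwarded_for"'
LOG_RE = re.compile(
    r'^(?P<remote>\S+) - \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) "(?P<xff>[^"]*)"$'
)

# Constructed sample lines: a normal CDN-fronted request, one where the client
# prepended a fake address, and one that bypassed the CDN entirely.
SAMPLE_LOG = """\
172.18.0.2 - [10/Oct/2023:12:00:00 +0000] "GET / HTTP/1.1" 200 "198.51.100.7, 203.0.113.9"
172.18.0.2 - [10/Oct/2023:12:00:01 +0000] "GET /login HTTP/1.1" 401 "1.2.3.4, 198.51.100.7, 203.0.113.9"
198.51.100.200 - [10/Oct/2023:12:00:02 +0000] "GET / HTTP/1.1" 200 "10.0.0.1"
"""


def count_clients(log_text: str) -> dict:
    """Count requests per recovered client IP, as a rate limiter would."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        counts[client_ip(m["remote"], m["xff"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for ip, n in count_clients(SAMPLE_LOG).items():
        print(f"{ip}: {n} request(s)")
```

The second sample line is the case that matters for blocking: a naive "take the first entry" parser would attribute it to 1.2.3.4, while the trusted-hop walk still lands on 198.51.100.7. The same rule applies one layer down in the question's chain, where Traefik and NGINX both have to be listed as trusted so their docker addresses are skipped rather than reported. For the non-HTTP ports the header does not exist, so this logic cannot help there; only the forwarding layer can preserve the source address for those.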