Source: https://stackoverflow.com/questions/40873393/nginx-real-client-ip-to-tcp-stream-backend
- Both the HTTPS listener and the SSH listener must enable the `proxy_protocol` option.
- To pass the real client IP through in the http/https server, add `proxy_protocol` to the `listen` lines, then add the line `proxy_set_header X-Real-IP $proxy_protocol_addr;`
```nginx
server {
    listen 2443 ssl proxy_protocol;
    listen [::]:2443 ssl proxy_protocol;
}
```
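Reference configuration:

```nginx
...
stream {
    upstream ssh {
        server 127.0.0.1:2222;
    }
    upstream https {
        server 127.0.0.1:444;
    }
    # Route on the TLS version seen in the ClientHello; anything that is
    # not TLS (here: SSH) falls through to the default.
    map $ssl_preread_protocol $upstream {
        default ssh;
        "TLSv1.2" https;
        "TLSv1.3" https;
        "TLSv1.1" https;
        "TLSv1.0" https;
    }
    server {
        listen 443;
        proxy_pass $upstream;
        # Prepend a PROXY protocol header carrying the client address.
        proxy_protocol on;
        ssl_preread on;
    }
    # Accepts the PROXY protocol header from the 443 server, then forwards
    # the plain SSH stream to the real sshd.
    server {
        listen 2222 proxy_protocol;
        proxy_pass 192.168.2.76:22;
    }
}
http {
    # $proxy_protocol_addr is the client address taken from the PROXY header.
    log_format main '$proxy_protocol_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    ...
    server {
        listen 444 ssl proxy_protocol;
        ...
    }
}
```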
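What a `proxy_protocol` listener consumes before the real traffic, as an added example that is not part of the original page: a parser for the PROXY protocol version 1 text header, showing where `$proxy_protocol_addr` comes from and why the header should only be honoured from the proxy itself. Assumptions: the header is version 1, the trusted proxy is the local nginx on 127.0.0.0/8, and the sample bytes and the function names are constructed for illustration.

```python
import ipaddress

MAX_V1_HEADER = 107  # longest valid v1 header line, CRLF included
# Assumption: only the local nginx stream proxy may send the header.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.0/8")]
# Constructed sample: header followed by the first bytes of an SSH session.
SAMPLE = b"PROXY TCP4 203.0.113.7 192.0.2.10 51234 443\r\nSSH-2.0-OpenSSH_9.6\r\n"


def parse_proxy_v1(data: bytes):
    """Split a PROXY v1 header off the front of data.

    Returns ((src_ip, src_port, dst_ip, dst_port) or None, payload);
    raises ValueError when the header is missing or malformed.
    """
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if not data.startswith(b"PROXY ") or end == -1:
        raise ValueError("no PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    payload = data[end + 2:]
    if fields[1] == "UNKNOWN":  # proxy could not determine the addresses
        return None, payload
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("malformed PROXY v1 header")
    src, dst = (ipaddress.ip_address(f) for f in fields[2:4])
    family = 4 if fields[1] == "TCP4" else 6
    if src.version != family or dst.version != family:
        raise ValueError("address family mismatch")
    sport, dport = (int(f) for f in fields[4:6])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return (str(src), sport, str(dst), dport), payload


def client_addr(peer_ip: str, data: bytes):
    """Return (client_ip, payload); the header counts only from a trusted peer."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        raise PermissionError("PROXY header from untrusted peer " + peer_ip)
    info, payload = parse_proxy_v1(data)
    return (info[0] if info else peer_ip), payload


if __name__ == "__main__":
    print(client_addr("127.0.0.1", SAMPLE))
```

A listener that enables `proxy_protocol` but is reachable by hosts other than the proxy will accept whatever source address those hosts put in the header, so the logged client IP is only as trustworthy as the network path to ports 2222 and 444.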