(1) 限制 x_forwarded_for 中的 IP

nginx 经过防火墙、F5 设备或者 CDN 之后，remote_addr 的地址是防火墙、F5 的地址，客户端真实的 IP 地址是在 x_forwarded_for 中的，这样 nginx 默认的 deny 和 allow 就不能用了。

比如我们从Kibana里看到:

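# Map the client address carried in X-Forwarded-For to an allow/deny verdict.
# X-Forwarded-For is supplied by whoever sent the request, so only the LAST
# comma-separated entry (the one appended by the trusted front device: firewall,
# F5 or CDN) can be relied on; the pattern is therefore anchored to the end of
# the header. Dots are escaped and a left boundary (start of header or a comma)
# is required, so neither "148x70y0z78" nor "1148.70.0.78" can match — the
# original "~\s*148.70.0.78$" allowed both.
# Alternative: ngx_http_realip_module (set_real_ip_from <TRUSTED_PROXY_CIDR>;
# real_ip_header X-Forwarded-For;) restores $remote_addr from the header, after
# which the plain allow/deny directives work again.
map $http_x_forwarded_for $allowed {
    default allow;
    # deny only when the last entry is exactly this address
    ~(^|,)\s*148\.70\.0\.78$ deny;
}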

# Port-level access restriction is done on the firewall; this server only adds
# the X-Forwarded-For based deny decided by the $allowed map.
server {
    listen       80;
    server_name  logcar.qq.work;
    charset      utf-8;

    # NOTE(review): log paths use logcar.qq.com while server_name is
    # logcar.qq.work — confirm this is intended.
    access_log   /home/data/logs/logcar.qq.com/logcar.qq.com.access.log access;
    access_log   /home/data/logs/logcar.qq.com/logcar.qq.com.access.logstash_json logstash_json;

    location / {
        # $allowed is computed from $http_x_forwarded_for by the map; a "deny"
        # verdict is answered with 403 before anything is proxied.
        # "return" inside "if" is one of the safe uses of if within a location.
        if ($allowed = "deny") { return 403; }

        proxy_set_header Host $host;
        proxy_pass       http://127.0.0.1:5601;
    }
}

标准版的 Nginx 配置文件

# Baseline reverse-proxy server: forwards to a local upstream and passes the
# client-identifying headers through.
server {
    listen       80;
    server_name  uac-stg.myxl.cn;
    access_log   /home/data/logs/uac-stg.myxl.cn/uac-stg.myxl.cn.access.logstash_json logstash_json;

    location / {
        proxy_pass http://127.0.0.1:20834;

        # Client identity for the upstream. $proxy_add_x_forwarded_for appends
        # $remote_addr to whatever X-Forwarded-For the client already sent, so
        # the upstream should only trust the last entry (the one added here).
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header REMOTE-HOST       $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port  $server_port;

        # Request body limits.
        client_body_buffer_size 256k;
        client_max_body_size    200m;

        # Upstream timeouts (seconds) and response buffering.
        proxy_connect_timeout   60;
        proxy_send_timeout      60;
        proxy_read_timeout      60;
        proxy_buffer_size       256k;
        proxy_buffers           4 256k;
        proxy_busy_buffers_size 256k;

        # Retry conditions. NOTE(review): proxy_pass names a single address, so
        # presumably there is no second server to fail over to; verify whether
        # these conditions (including http_404) are meant for an upstream group.
        proxy_next_upstream error timeout invalid_header http_500 http_503 http_404;
    }
}
