#获取第一个ip
    map $http_x_forwarded_for $forwardedfirstip {
        default $remote_addr;
        "~\[?(?<firstAddr>([0-9]{1,3}\.){3}[0-9]{1,3}|[0-9a-fA-F]{0,4}:[0-9a-fA-F:]{0,30}:[0-9a-fA-F\.]{1,15})\]?,?.*$" $firstAddr;
    }
    #获取最后一个ip
    map $http_x_forwarded_for $forwardedlastip {
        default $remote_addr;
        "~,?\s?\[?(?<lastAddr>([0-9]{1,3}\.){3}[0-9]{1,3}|[0-9a-fA-F]{0,4}:[0-9a-fA-F:]{0,30}:[0-9a-fA-F\.]{1,15})\]?$" $lastAddr;
    }
    #是否来自前端负载均衡
    geo $realip_remote_addr $is_f5_ip {
        default 0;
        192.168.250.158/31 1; #f5 proxy
    }
    #标记ip来源,是否是来自可信赖的proxy;格式:  59.51.81.0/24 1;
    geo $realip_remote_addr $clientipfrom {
        default 0;
        192.168.250.158/31 3; #f5 proxy;158-159
        192.168.250.0/25 2; #inner proxy;1-126
        192.168.0.0/24 2; #inner proxy
        include geo.cdn_ip.conf; #1
    }
    #标记ip是否充许访问,0为不充许
    geo $realip_remote_addr $allowvisit {
        default 0;
        include geo.allow.conf; #1
        include geo.cdn_ip.conf; #1
    }
    #proxy下发用的端口
    map $http_c1g_clientport $f5remoteport {
        default $realip_remote_port;
        '' $remote_port;
        "~^[0-9]{4,5}$" $http_c1g_clientport;
    }
    #f5转过来的http_c1g_clientip如有多个","分割,取最后一个
    map $http_c1g_clientip $f5lastip {
        default $remote_addr;
        "~,?\s?\[?(?<f5lastAddr>([0-9]{1,3}\.){3}[0-9]{1,3}|[0-9a-fA-F]{0,4}:[0-9a-fA-F:]{0,30}:[0-9a-fA-F\.]{1,15})\]?(:(?<f5lastport>[0-9]{0,5}))?$" $f5lastAddr;
    }
    #如果没有开real_ip,手动分离出http_x_real_ip中的ip和端口,开着可以用remote_addr
    map $http_x_real_ip $httpxrealip {
        default $remote_addr;
        #default $http_x_real_ip;
        #"~\[?(?<xrealipAddr>([0-9]{1,3}\.){3}[0-9]{1,3}|[0-9a-fA-F]{0,4}:[0-9a-fA-F:]{0,30}:[0-9a-fA-F\.]{1,15})\]?(:(?<xrealport>[0-9]{0,5}))?,?.*$" $xrealipAddr;
    }
    #3[0-4]? 当前是proxy,来自认证过的负载均衡使用处理过的realip的remote_addr做为用户ip
    #2[0-2]? 当前是源机,内网proxy过来,使用http_x_real_ip
    #2[3-4]  当前是源机,来自认证过的负载均衡后又经内网proxy过来,使用自有校验的http_x_client_ip取代http_x_real_ip
    map "$clientipfrom$http_x_client_selector" $clientipfrominner {
        default '';
        "~^3[0-4]?$" $remote_addr;
        "~^2[0-2]?$" $httpxrealip;
        "~^2[3-4]$" $http_x_client_ip;
    }
    #负载均衡的直联ip是否为cdn
    geo $clientipfrominner $clientipfromf5iscdn {
        default 0;
        include geo.cdn_ip.conf; #1
    }
    #负载均衡的直联ip如果是cdn侧标记为4
    map $clientipfromf5iscdn $clientipselector {
        0 $clientipfrom;
        1 4;
    }
    #是否有x_forwarded_for
    map $http_x_forwarded_for $ishave_forwarded_for {
        default 0;
        "~.*" 1;
    }
    #是否有f5lastip
    map $clientipfrominner $ishave_f5lastip {
        default 0;
        "~.*" 1;
    }
    #重写日志中的forwarded_for,当前关闭该功能
    map "$clientipfrom$ishave_forwarded_for$ishave_f5lastip" $log_forwarded_for {
        default $http_x_forwarded_for;
        #311 "$http_x_forwarded_for, $clientipfrominner"; #两个都有则连接字符
        #301 "$clientipfrominner"; #只有f5转发的ip
    }
    #来自负载均衡和内部proxy的http_x_forwarded_for直接下发,不增加当前remote_ip
    map $clientipfrom $proxypass_forwarded_for {
        default $proxy_add_x_forwarded_for;
        2 $log_forwarded_for; #inner proxy
        3 $log_forwarded_for; #f5 proxy
    }
    #4:前端负载均衡过来,通过cdn,取forwardedlastip(负载均衡的http_x_forwarded_for最后没加remote_ip);
    #3:前端负载均衡过来,没有通过cdn,取$http_c1g_clientip(最后应为直联remote_ip);
    #2:当前配置为内网的前端proxy则如cdn取http_x_forwarded_for最后一位,配置为源机则使用前端proxy转发的http_x_real_ip;
    #1:来自cdn那么用http_x_forwarded_for右数第一个作为用户ip;左数可能是伪造的
    #0:指定ip访问,用remote_addr;
    #最外层proxy用X-Real-IP 向下传递 $clientRealIp
    map $clientipselector  $clientRealIpTmp {
    4 $forwardedlastip;
    3 $clientipfrominner;
    2 $clientipfrominner;
    1 $forwardedlastip;
    0 $remote_addr;
    }
    map $clientipselector  $proxyremoteport {
    4 $f5remoteport;
    3 $f5remoteport;
    2 $remote_port;
    1 $remote_port;
    0 $remote_port;
    }
    #web前端ip防护,是否白名单中,cdn用右数第一个作为用户ip,只充许白名单中的ip访问
    geo $clientRealIpTmp $white_list {
        default 0;
        proxy    192.168.0.0/24; #inner proxy 
        include geo.cdn_proxy.conf;
        include geo.allow.conf;
    }
    #是否在黑名单中
    geo $clientRealIpTmp $abuse {
        default 0;
        proxy_recursive;
        proxy    192.168.0.0/24; #inner proxy 
        include geo.cdn_proxy.conf;
        include geo.abuse.conf;
    }
    #是否将F5过来又在白名单中的重置为不充许,当前关闭该功能
    map "$clientipselector$white_list"  $white_ip {
        default $white_list;
        #"41" 0;
        #"31" 0;
    }
    #将F5过来又在白名单中的IP重新改写,当前关闭该功能
    map "$clientipselector$white_list"  $clientRealIp {
        default $clientRealIpTmp;
        #"41" "";
        #"31" "";
    }
    #只有是f5过来的才另设置下发校验ip
    map $is_f5_ip $proxycheckip {
        default '';
        1 $f5lastip;
    }
    #将ipv6用[]包含,并加上端口下发至下层realip模块
    map $clientRealIpTmp $proxyrealip {
        default "";
        "~\[?(?<ipv4Addr>([0-9]{1,3}\.){3}[0-9]{1,3})\]?" "$ipv4Addr:$proxyremoteport";
        "~\[?(?<ipv6Addr>[0-9a-fA-F]{0,4}:[0-9a-fA-F:]{0,30}:[0-9a-fA-F\.]{1,15})\]?" "[$ipv6Addr]:$proxyremoteport";
    }