Last updated: 2022-09-28
Introduction
Client -> Proxy(nginx, cloudflare ...) -> Apache
Function
Replaces the original client IP address for the connection
with the useragent IP address list presented by proxies via the request headers.
This behavior is enabled for requests from intermediate hosts (proxies, etc.)
Interaction with other modules
The IP address is then
- used for the mod_authz_host "Require ip" feature,
- reported by mod_status,
- recorded by mod_log_config %a
%h <-- the proxy's IP
%a <-- the IP value from the RemoteIPHeader supplied by the proxy; if there is none, it is equivalent to %h
Setting
RemoteIPHeader
# Treat the value of the header-field header as the useragent IP address,
# subject to further configuration of the RemoteIPInternalProxy and RemoteIPTrustedProxy directives.
RemoteIPHeader header-field
When the header contains multiple IPs
When multiple, comma delimited useragent IP addresses are listed in the header value,
they are processed in Right-to-Left order.
Processing halts when a given useragent IP address is not trusted to present the preceding IP address.
The header field is updated to this remaining list of unconfirmed IP addresses,
or if all IP addresses were trusted, this header is removed from the request altogether.
RemoteIPTrustedProxy
# Adds one or more addresses (or address blocks) to trust as presenting a valid RemoteIPHeader value
# Unlike RemoteIPInternalProxy, private intranet addresses presented by these proxies are not trusted
RemoteIPTrustedProxy proxy-ip|proxy-ip/subnet|hostname ...
RemoteIPInternalProxy
# Any IP address presented in this header by these proxies, including private intranet addresses, is trusted
# (including the 10/8, 172.16/12, 192.168/16, 169.254/16 and 127/8 blocks)
RemoteIPInternalProxy proxy-ip|proxy-ip/subnet|hostname ...
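The right-to-left processing described above, as an added Python model (not part of the original notes and not mod_remoteip's own code). The function name, the sample addresses and the IPv4-only private-block check are assumptions made for illustration.

```python
import ipaddress

# Blocks the page lists as private; only a RemoteIPInternalProxy may present them.
PRIVATE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]

def _matches(addr, nets):
    return any(addr in net for net in nets)

def resolve_useragent_ip(peer_ip, header_value, internal=(), trusted=()):
    """Model of the right-to-left walk (hypothetical helper, not module code).

    Returns (useragent_ip, remaining_header). remaining_header is None when
    every listed address was trusted and the header would be removed.
    """
    internal_nets = [ipaddress.ip_network(n) for n in internal]
    trusted_nets = [ipaddress.ip_network(n) for n in trusted]
    current = ipaddress.ip_address(peer_ip)
    entries = [e.strip() for e in header_value.split(",") if e.strip()]
    while entries:
        is_internal = _matches(current, internal_nets)
        if not (is_internal or _matches(current, trusted_nets)):
            break  # this host is not trusted to present the preceding address
        try:
            candidate = ipaddress.ip_address(entries[-1])
        except ValueError:
            break  # unparsable entry: stop and leave it in the header
        if not is_internal and _matches(candidate, PRIVATE):
            break  # a RemoteIPTrustedProxy may not vouch for private addresses
        current = candidate
        entries.pop()
    return str(current), (", ".join(entries) or None)

if __name__ == "__main__":
    # Constructed request: the client sent a forged "198.51.100.9" entry and
    # nginx (10.0.2.5) appended the address it actually saw, 203.0.113.7.
    proxies = ["127.0.0.1", "10.0.2.0/24"]  # RemoteIPInternalProxy values from the page
    print(resolve_useragent_ip("10.0.2.5", "198.51.100.9, 203.0.113.7", internal=proxies))
```

The forged left-hand entry is never used as the useragent IP: the walk stops at the first address that is not a configured proxy, and the unconfirmed remainder stays in the header.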
RemoteIPInternalProxyList
# A file parsed at startup that builds a list of addresses (or address blocks) to trust
RemoteIPInternalProxyList ip-list.txt
ip-list.txt
The '#' hash character designates a comment line
# Our internally trusted proxies;
10.0.2.0/24         #Everyone in the testing group
gateway.localdomain #The front end balancer
Example
Reverse proxy ( client --> nginx --> apache )
Setting
conf.modules.d/00-base.conf
# Apache 2.4 on CentOS 7 includes this module and loads it by default
LoadModule remoteip_module modules/mod_remoteip.so
conf.modules.d/11-remoteip.conf
# Treat the value of the specified header-field header as the useragent IP address
RemoteIPHeader X-Forwarded-For
# Any IP address presented in the "X-Forwarded-For" header by these proxies is trusted
RemoteIPInternalProxy 127.0.0.1 10.0.2.0/24
Log Settings
# file: conf/httpd.conf
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
# The original log format, "combined", uses "%h", so add a new log format: BACKEND
LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" BACKEND
# vhosts.conf
# Switch to the new log format: BACKEND
CustomLog "${Path}/logs/access.log" BACKEND