mod_remoteip

Last updated: 2022-09-28

Introduction

 

Client -> Proxy(nginx, cloudflare ...) -> Apache

Function

Replaces the original client IP address for the connection with the useragent IP address list presented by proxies via the request headers.

This override applies to requests that arrive through intermediate hosts (proxies, etc.).

Interaction with other modules

The overridden IP address is then used for:

  • the mod_authz_host "Require ip" feature,
  • reporting by mod_status
  • logging by mod_log_config %a
    %h     <-- the proxy's IP
    %a     <-- the IP value from the RemoteIPHeader supplied by the proxy; if there is none, it is the same as %h

 


Setting

 

RemoteIPHeader

# Treat the value of the header-field header as the useragent IP address,

# subject to further configuration of the RemoteIPInternalProxy and RemoteIPTrustedProxy directives.

RemoteIPHeader header-field

When the header contains multiple IPs

When multiple, comma delimited useragent IP addresses are listed in the header value,

they are processed in Right-to-Left order.

Processing halts when a given useragent IP address is not trusted to present the preceding IP address.

The header field is updated to this remaining list of unconfirmed IP addresses,

or if all IP addresses were trusted, this header is removed from the request altogether.

RemoteIPTrustedProxy

# Adds one or more addresses (or address blocks) to trust as presenting a valid RemoteIPHeader value

RemoteIPTrustedProxy proxy-ip|proxy-ip/subnet|hostname ...

RemoteIPInternalProxy

# Any IP address presented in this header by these proxies, including private intranet addresses, is trusted

# (including the 10/8, 172.16/12, 192.168/16, 169.254/16 and 127/8 blocks)

RemoteIPInternalProxy proxy-ip|proxy-ip/subnet|hostname ...

RemoteIPInternalProxyList

Names a file that is parsed at startup to build a list of addresses (or address blocks) to trust

RemoteIPInternalProxyList ip-list.txt

ip-list.txt

'#' hash character designates a comment line

# Our internally trusted proxies;
10.0.2.0/24          #Everyone in the testing group
gateway.localdomain  #The front end balancer

 


Example

 

Reverse proxy ( client --> nginx --> apache )

Setting

conf.modules.d/00-base.conf

# Apache 2.4 on CentOS 7 includes this module and loads it by default
LoadModule remoteip_module modules/mod_remoteip.so

conf.modules.d/11-remoteip.conf

# treat the value of the specified header-field header as the useragent IP address
RemoteIPHeader         X-Forwarded-For

# Any IP address presented in the "X-Forwarded-For" header by these proxies is trusted
RemoteIPInternalProxy  127.0.0.1 10.0.2.0/24

Log Settings

# file: conf/httpd.conf

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

# The original log format "combined" uses "%h", so add a new log format: BACKEND
LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" BACKEND

# vhosts.conf

# Switch to the new log format: BACKEND

CustomLog "${Path}/logs/access.log" BACKEND
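
The right-to-left processing of a multi-address header described above, modelled in Python with the RemoteIPInternalProxy values from this example, to show which address %a ends up logging and what is left in the header. This is an added illustration, not code from the original page or from Apache httpd; the function names and sample requests are constructed, and the model covers only RemoteIPInternalProxy.

```python
import ipaddress

# RemoteIPInternalProxy values taken from the example configuration above.
INTERNAL_PROXIES = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "10.0.2.0/24")]


def is_trusted(ip):
    """True if ip belongs to one of the configured internal proxies."""
    return any(ip in net for net in INTERNAL_PROXIES)


def resolve_useragent_ip(peer_ip, header_value):
    """Simplified model (an assumption, not httpd source) of the header walk.

    peer_ip      -- address of the TCP peer (what %h logs)
    header_value -- raw X-Forwarded-For value, or None if the header is absent
    Returns (useragent_ip, remaining_header): the address %a would log and
    the header value left on the request (None when fully consumed).
    """
    current = ipaddress.ip_address(peer_ip)
    pending = [p.strip() for p in header_value.split(",")] if header_value else []
    # Walk right to left; stop once the presenting address is not trusted.
    while pending and is_trusted(current):
        try:
            candidate = ipaddress.ip_address(pending[-1])
        except ValueError:
            break  # unparsable entry: stop and leave it in the header
        pending.pop()
        current = candidate
    return str(current), (", ".join(pending) or None)


# Constructed sample requests: (peer address, X-Forwarded-For value).
SAMPLES = [
    ("10.0.2.5", "203.0.113.7"),              # nginx appended the real client
    ("10.0.2.5", "192.0.2.66, 203.0.113.7"),  # client sent its own header value
    ("198.51.100.9", "192.0.2.66"),           # peer is not a trusted proxy
    ("10.0.2.5", "203.0.113.7, 10.0.2.9"),    # two internal proxies chained
]

if __name__ == "__main__":
    for peer, xff in SAMPLES:
        print(peer, repr(xff), "->", resolve_useragent_ip(peer, xff))
```

In the second sample the client-supplied 192.0.2.66 is never accepted, because 203.0.113.7 is not a trusted proxy; it stays in the header as unconfirmed, so application code that reads X-Forwarded-For directly should not treat it as the client address.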

 

 
