Setting REMOTE_ADDR to X-Forwarded-For in Apache

Published 2024-08-21 09:17:31


In a situation where Apache is sitting behind a reverse proxy (such as Squid), the cgi environment variable REMOTE_ADDR gets the address of the proxy rather than the client.

However, the proxy will set a header called X-Forwarded-For to contain the original IP address of the client so that Apache can see it.

The question is, how do we get Apache to replace REMOTE_ADDR with the value in the X-Forwarded-For header so that all of the web applications will transparently see the correct address?

Comments (9)

岁月如刀 2024-08-28 09:17:31

You can use mod_rpaf for that. http://stderr.net/apache/rpaf/

蓬勃野心 2024-08-28 09:17:31

Note that the X-Forwarded-For header may contain a list of IP addresses if the request has traversed more than one proxy. In this case, you usually want the leftmost IP. You can extract this with a SetEnvIf:

SetEnvIf X-Forwarded-For "^(\d{1,3}+\.\d{1,3}+\.\d{1,3}+\.\d{1,3}+).*" XFFCLIENTIP=$1

Note the use of $1 to set the XFFCLIENTIP environment variable to hold the contents of the first group in the regex (in the parentheses).

Then you can use the value of the environment variable to set headers (or use it in Apache log formats so that the logs contain the actual client IP).

筱果果 2024-08-28 09:17:31

Currently apache module mod_remoteip is the recommended way to do this; rpaf hasn't been reliably maintained, and can cause problems.

瑕疵 2024-08-28 09:17:31

In addition to mod_rpaf as mentioned before, it appears that mod_extract_forwarded will perform this function as well.

One advantage to mod_extract_forwarded is that it is available from EPEL for RHEL/CentOS servers whereas mod_rpaf is not.

It appears that neither of these two modules allows you to whitelist an entire subnet of proxy servers, which is why the CloudFlare folks created their own plugin: mod_cloudflare which, it should be noted, is not a general-purpose tool like the other two; it contains a hardcoded list of CloudFlare subnets.

留蓝 2024-08-28 09:17:31

Yes, we can do this.

Just add an auto_prepend_file in your PHP.ini like auto_prepend_file = "c:/prepend.php"
and in this file add this:

<?php
// Overwrite REMOTE_ADDR with the forwarded address when the header is present
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR'];
}

You need mod_remoteip in Apache with RemoteIPHeader X-Real-IP.

Cheers,

Guiremach

终止放荡 2024-08-28 09:17:31

Since Apache 2.4 there is the built-in module mod_remoteip that does this.

  1. Enable mod_remoteip (e.g. a2enmod remoteip)

  2. Create a list of trusted IP ranges (the IPs from which you accept the remote IP header). You can put them in a file like conf/trusted-ranges.txt

  3. Add this line to the Apache config:

     RemoteIPTrustedProxyList conf/trusted-ranges.txt

  4. Change your log file formats to use %a instead of %h for logging the client IP.

For Cloudflare you need to trust all their IP ranges and use a custom header CF-Connecting-IP:

RemoteIPHeader CF-Connecting-IP

You can get Cloudflare ranges like this:

curl https://www.cloudflare.com/ips-v4 > trusted-ranges.txt
curl https://www.cloudflare.com/ips-v6 >> trusted-ranges.txt

剑心龙吟 2024-08-28 09:17:31

Unfortunately,

at the time of this writing, none of the backports and forks at freshports.org, people.apache.org or gist.github.com worked. They were all based on an early alpha version of apache httpd 2.3 which was neither compatible with current versions of 2.2 nor 2.4.

So after hours of wasting time while trying to adjust the backports to create a real working one for httpd 2.2, I decided to move to httpd 2.4. Within httpd 2.4, mod_remoteip works smoothly, even if a load balancer has permanent keepalive connections which it uses to proxy requests from different actual client IP addresses to the backend. I'm not sure if the other modules can handle this situation (changing client IP addresses on each request within the same connection).

强辩 2024-08-28 09:17:31

Remember that this value can be spoofed. See http://blog.c22.cc/2011/04/22/surveymonkey-ip-spoofing/ for a real-life example with Cross-site Scripting consequences.
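Added example, not code from any answer on this page: a Python sketch contrasting the two ways of reading X-Forwarded-For discussed in this thread, the leftmost-entry SetEnvIf approach and the mod_remoteip-style walk from the right through a trusted-proxy list, which shows why the spoofing warning above matters. The trusted networks and all addresses are constructed; the resolution logic is an approximation of mod_remoteip's, not its source.

```python
import ipaddress
from typing import Optional

# Constructed trusted-proxy list, playing the role of mod_remoteip's
# RemoteIPTrustedProxyList (the networks are made-up examples).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]

def is_trusted(ip: str) -> bool:
    """True if ip parses and falls inside a trusted proxy network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)

def leftmost_client_ip(xff: str) -> Optional[str]:
    """The SetEnvIf approach: take the first X-Forwarded-For entry.
    That entry is whatever the first hop sent, so a client can choose it."""
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    return hops[0] if hops else None

def trusted_client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """mod_remoteip-style resolution: only honour the header when the TCP
    peer is a trusted proxy, then walk the list from the right, discarding
    trusted proxies; the first untrusted hop is the real client."""
    if not is_trusted(remote_addr) or not xff:
        return remote_addr  # header from an untrusted peer is ignored
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    client = remote_addr
    while hops:
        candidate = hops.pop()
        if not is_trusted(candidate):
            # Either a real client address or garbage; an unparsable
            # value stops the walk without being accepted as the client.
            try:
                ipaddress.ip_address(candidate)
            except ValueError:
                break
            return candidate
        client = candidate  # trusted hop: keep peeling leftwards
    return client  # list exhausted with only trusted proxies

if __name__ == "__main__":
    # Constructed request: client at 203.0.113.7 forged "198.51.100.1" and
    # the trusted proxy 10.0.0.5 appended the address it actually saw.
    peer, header = "10.0.0.5", "198.51.100.1, 203.0.113.7"
    print("leftmost:", leftmost_client_ip(header))      # 198.51.100.1 (spoofed)
    print("trusted :", trusted_client_ip(peer, header))  # 203.0.113.7
```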

歌入人心 2024-08-28 09:17:31

You can install the module mod_extract_forwarded and set the MEFaccept parameter to all.
