当我将流量转发到我编写的基于 Go 的服务器时,我无法让 OSX Server 的 Apache 服务代理保留客户端的 IP 地址。
因为我有 OSX Server 的“网站”功能关掉并想保持原样,我跟着这些说明使用服务代理代理流量。配置文件/Library/Server/Web/Config/Proxy/apache_serviceproxy_customsites_ext.conf包含:
<VirtualHost *:443>
ServerName my.host.com:443
ProxyPreserveHost On
SetEnv proxy-chain-auth on
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
RequestHeader unset Proxy early
<IfModule mod_ssl.c>
SSLEngine On
SSLCertificateFile "/etc/letsencrypt/live/my.host.com/cert.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/my.host.com/privkey.pem"
SSLCertificateChainFile "/etc/letsencrypt/live/my.host.com/chain.pem"
SSLCipherSuite "HIGH:MEDIUM:!MD5:!RC4:!3DES"
SSLProtocol -all +TLSv1.2
SSLProxyEngine On
SSLProxyProtocol -all +TLSv1.2
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
</IfModule>
<IfModule mod_secure_transport.c>
MSTEngine On
MSTIdentity ${MST_IDENTITY}
MSTCipherSuite HIGH, MEDIUM
MSTProtocolRange TLSv1.2 TLSv1.2
MSTProxyEngine On
MSTProxyProtocolRange SSLv3 TLSv1.2
</IfModule>
ProxyPass /sub/ http://localhost:8080/
ProxyPassReverse /sub/ http://localhost:8080/
RewriteEngine on
RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
RewriteRule .* ws://localhost:8080%{REQUEST_URI} [P]
</VirtualHost>
com.apple.serviceproxy.plist使用 重启 LaunchDaemon后launchctl,效果很好!流量到https://my.host.com/sub/被路由到另一个正在监听的服务:8080
但是,所有请求都显示客户端的 IP 地址为::1。甚至X-Forwarded-For标头也包含::1,当我这样做时,tail -f /var/log/apache2/service_proxy_access.log所有请求都记录如下:
my.host.com "my.host.com" ::1 - - [26/Mar/2018:10:13:34 -0700] "GET /sub/ HTTP/1.1" 200 8164 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36"
我对 Apache 或 OSX Server 不是很熟悉。我需要启用或修复某些配置才能获取真实客户端的 IP 地址吗?是否有一些我没有想到的 OSX Server 组件?