Apache 的 remoteip 模块未填充 client_ip

Apache 的 remoteip 模块未填充 client_ip

在内网环境中,我有一个相对复杂的场景,都在同一台服务器上:

IIS server acting as a reverse proxy listening on 443
forwards matching requests to localhost:1080/redmine

Apache reverse proxy is listening on 1080
forwards matching requests to localhost:3001 or localhost:3002 (thin servers in front of Redmine)

Thin1 and Thin2 web servers listening on 3001 and 3002 to handle requests

问题是 Apache 的remoteip模块似乎忽略了X-Forwarded-For标头。配置如下:

# in the httpd.conf file
LoadModule remoteip_module modules/mod_remoteip.so

# elsewhere, in a VirtualHost declaration

    # define the header to use to retrieve the remote ip address
    RemoteIPHeader X-Forwarded-For
    RemoteIPInternalProxy 127.0.0.1 10.101.24.161 ::1
    # for debugging only
    LogFormat "%a %h %{c}a *** %{x-forwarded-for}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" redmine
    #LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" redmine
    CustomLog "logs/access-redmine.log" redmine

通过上述调试LogFormat,我预计,根据文档,该%a令牌包含原始客户端的 IP。但是,我得到了这个:

::1 ::1 ::1 *** 10.106.33.206, 10.106.33.206:63804 - - [07/Sep/2022:16:08:24 +0200] "GET /redmine/projects HTTP/1.1" 200 10718 "https://redacted.org/redmine/my/account" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36"

%a%{c}a(参见这里) 应该包含客户端 IP,但实际上,两者都包含反向代理的 IP ::1。实际的客户端 IP 在日志行中10.106.33.206通过%{x-forwarded-for}i令牌可见,这顺便证明了 HTTP 标头已由 IIS 成功填充。

RemoteIPTrustedProxy我尝试了、等各种排列RemoteIPInternalProxy,但没有一个能够成功地%a用原始客户端的 IP 地址填充令牌。

(一个显然类似的问题没有回答我的问题。)

相关内容