在内网环境中,我有一个相对复杂的场景,都在同一台服务器上:
IIS server acting as a reverse proxy listening on 443
forwards matching requests to localhost:1080/redmine
Apache reverse proxy is listening on 1080
forwards matching requests to localhost:3001 or localhost:3002 (thin servers in front of Redmine)
Thin1 and Thin2 web servers listening on 3001 and 3002 to handle requests
问题是 Apache 的remoteip
模块似乎忽略了X-Forwarded-For
标头。配置如下:
# in the httpd.conf file
LoadModule remoteip_module modules/mod_remoteip.so
# elsewhere, in a VirtualHost declaration
# define the header to use to retrieve the remote ip address
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 127.0.0.1 10.101.24.161 ::1
# for debugging only
LogFormat "%a %h %{c}a *** %{x-forwarded-for}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" redmine
#LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" redmine
CustomLog "logs/access-redmine.log" redmine
通过上述调试LogFormat
,我预计,根据文档,该%a
令牌包含原始客户端的 IP。但是,我得到了这个:
::1 ::1 ::1 *** 10.106.33.206, 10.106.33.206:63804 - - [07/Sep/2022:16:08:24 +0200] "GET /redmine/projects HTTP/1.1" 200 10718 "https://redacted.org/redmine/my/account" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36"
%a
或%{c}a
(参见这里) 应该包含客户端 IP,但实际上,两者都包含反向代理的 IP ::1
。实际的客户端 IP 在日志行中10.106.33.206
通过%{x-forwarded-for}i
令牌可见,这顺便证明了 HTTP 标头已由 IIS 成功填充。
RemoteIPTrustedProxy
我尝试了、等各种排列RemoteIPInternalProxy
,但没有一个能够成功地%a
用原始客户端的 IP 地址填充令牌。
(一个显然类似的问题没有回答我的问题。)