My server sits behind an nginx reverse proxy, but the client IPs recorded in the Apache log look like the following, which seems normal; there is no X-Forwarded-For content in the log.
103.221.234.206 - - [28/Feb/2024:14:37:29 +0800] "GET /styles/pke/?mejiku=zeus138 HTTP/1.1" 404 3888 "https://x.y.z.a/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Vivaldi/5.3.2679.68"
65.109.34.52 - - [28/Feb/2024:14:37:29 +0800] "GET /index.php/index/user/register HTTP/1.1" 200 9568 "https://x.y.z.a/" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 YaBrowser/22.7.0 Yowser/2.5 Safari/537.36"
103.221.234.206 - - [28/Feb/2024:14:37:31 +0800] "GET / HTTP/1.1" 200 8561 "https://x.y.z.a" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Vivaldi/5.3.2679.68"
194.32.229.95 - - [28/Feb/2024:14:37:32 +0800] "GET /index.php/index/user/register HTTP/1.1" 200 9487 "https://x.y.z.a/" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 YaBrowser/22.7.0 Yowser/2.5 Safari/537.36"
Next... fail2ban is configured fine, but iptables cannot block the public IPs. My iptables shows the following. It only works when banning a local IP.
Chain INPUT (policy DROP 22909 packets, 8800K bytes)
pkts bytes target prot opt in out source destination
691K 72M f2b-apache-noscript tcp -- any any anywhere anywhere multiport dports http,https
690K 85M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
76 4560 ACCEPT all -- lo any anywhere anywhere
1 60 ACCEPT icmp -- any any anywhere anywhere
1 64 ACCEPT tcp -- any any 10.0.0.0/8 anywhere tcp dpt:ssh
807 42768 ACCEPT tcp -- any any 10.0.0.0/8 anywhere tcp dpt:webmin
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
34019 2040K ACCEPT tcp -- any any anywhere anywhere tcp dpt:https
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 720K packets, 2306M bytes)
pkts bytes target prot opt in out source destination
Chain f2b-apache-noscript (1 references)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- any any 77.111.244.49 anywhere reject-with icmp-port-unreachable
0 0 REJECT all -- any any 103.151.140.101 anywhere reject-with icmp-port-unreachable
0 0 REJECT all -- any any 20.125.101.243 anywhere reject-with icmp-port-unreachable
My iptables cannot catch the traffic from the specific banned IPs.
What should I do to make my fail2ban work properly without changing the network topology where the server sits behind a reverse proxy?
Answer 1
Similar case, solved perfectly here: link
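The zero packet counters on the f2b-apache-noscript REJECT rules above are the whole story: an iptables `-s <ip>` rule compares only the layer-3 source address, and behind a reverse proxy that address is always the proxy, while the banned client IP exists only in a request header (and in the Apache log, when mod_remoteip writes it there). The script below is an added illustration, not code from the question or from fail2ban. It parses the question's own access-log lines (the user-agent fields are abbreviated, and the proxy address 10.0.0.5 and the trusted range are assumptions not given in the question), replays them as backend connections, and counts how many a netfilter ban would catch versus a ban applied at the layer where the client address is actually known. It also shows why the header must only be trusted when the TCP peer is one of your proxies.

```python
"""Why a netfilter ban keyed on the logged client IP matches nothing behind a reverse proxy."""
from __future__ import annotations

import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional

# Constructed sample: the four access-log lines quoted in the question, user-agents shortened.
APACHE_LOG = """\
103.221.234.206 - - [28/Feb/2024:14:37:29 +0800] "GET /styles/pke/?mejiku=zeus138 HTTP/1.1" 404 3888 "https://x.y.z.a/" "Mozilla/5.0"
65.109.34.52 - - [28/Feb/2024:14:37:29 +0800] "GET /index.php/index/user/register HTTP/1.1" 200 9568 "https://x.y.z.a/" "Mozilla/5.0"
103.221.234.206 - - [28/Feb/2024:14:37:31 +0800] "GET / HTTP/1.1" 200 8561 "https://x.y.z.a" "Mozilla/5.0"
194.32.229.95 - - [28/Feb/2024:14:37:32 +0800] "GET /index.php/index/user/register HTTP/1.1" 200 9487 "https://x.y.z.a/" "Mozilla/5.0"
"""

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')

# Assumed address of the nginx reverse proxy; the question does not state it.
PROXY_IP = "10.0.0.5"


def parse_apache_log(text: str) -> list[dict]:
    """Return one dict per well-formed combined-format line (client_ip, request, status)."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entries.append({"client_ip": m.group(1), "request": m.group(3), "status": int(m.group(4))})
    return entries


@dataclass(frozen=True)
class Connection:
    peer_ip: str                 # TCP source address the backend's netfilter actually sees
    forwarded_for: Optional[str] # client address relayed by the proxy in X-Forwarded-For


def proxied_connections(entries: list[dict], proxy_ip: str = PROXY_IP) -> list[Connection]:
    """Behind a reverse proxy every backend connection's TCP peer is the proxy itself;
    the real client survives only as a header value."""
    return [Connection(peer_ip=proxy_ip, forwarded_for=e["client_ip"]) for e in entries]


def netfilter_matches(conns: Iterable[Connection], banned: set[str]) -> int:
    """Connections an iptables '-s <banned>' rule would hit: it inspects the L3 source only."""
    return sum(1 for c in conns if c.peer_ip in banned)


def http_layer_matches(conns: Iterable[Connection], banned: set[str],
                       trusted_proxies: Iterable[str]) -> int:
    """Connections a ban applied at the proxy / HTTP layer would hit.
    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy;
    for any other peer the header is ignored and the peer address itself is used."""
    trusted = [ip_network(p) for p in trusted_proxies]
    hits = 0
    for c in conns:
        peer_trusted = any(ip_address(c.peer_ip) in net for net in trusted)
        effective = c.forwarded_for if (peer_trusted and c.forwarded_for) else c.peer_ip
        if effective in banned:
            hits += 1
    return hits


if __name__ == "__main__":
    conns = proxied_connections(parse_apache_log(APACHE_LOG))
    banned = {"103.221.234.206"}
    print("netfilter ban on backend matches:", netfilter_matches(conns, banned))      # 0
    print("ban at proxy/HTTP layer matches:", http_layer_matches(conns, banned, ["10.0.0.0/8"]))  # 2
```

In practice this means the jail has to ban on the host that terminates the client's TCP connection: run the fail2ban jail on the proxy host against nginx's own log, or give the backend jail an action that updates the proxy's deny list instead of the backend's iptables. Whichever layer enforces it, only trust the forwarded address when the peer is one of your own proxies, as `http_layer_matches` does, otherwise any client can name an arbitrary address in the header.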