Nginx

nginx 代理到 apache - 未記錄遠端 IP

  • February 23, 2019

我有 nginx 終止網站並使用 PHP-FPM 將它們代理到 Apache。我正在嘗試在 apache 日誌中記錄客戶端 IP,但似乎無法使其正常工作。

nginx配置

server {
 listen         80;
 server_name    www.website.com;

 location ^~ /.well-known/acme-challenge/ {
     alias /var/www/dehydrated/;
 }

 location / {
     return         301 https://$server_name$request_uri;
 }
}

server {
 listen 443 ssl http2;
 server_name www.website.com;

 location / {
     proxy_pass http://1.2.3.4:80;
     proxy_set_header Host $host;
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header X-Forwarded-Proto $scheme;
     proxy_read_timeout 600;
     proxy_buffer_size   128k;
     proxy_buffers   4 256k;
     proxy_busy_buffers_size   256k;
     client_max_body_size 100M;
 }

 location ~ /\.ht {
     deny all;
 }

 ssl_certificate_key /etc/nginx/ssl/www.website.com/privkey.pem;
 ssl_certificate /etc/nginx/ssl/www.website.com/fullchain.pem;
 ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
 ssl_prefer_server_ciphers on;
 ssl_dhparam /etc/nginx/ssl/dhparams.pem;
}

阿帕奇配置

 <VirtualHost *:80>

   ServerName www.website.com
   ServerAlias origin.www.website.com

   ServerAdmin jd@automatem.co.nz

   DocumentRoot /var/www/www.website.com/trunk

   <IfModule mpm_itk_module>
         AssignUserId www_arenz www_arenz
   </IfModule>
   CustomLog /var/www/www.website.com/apachelogs/www.website.com-access.log combined
   ErrorLog /var/www/www.website.com/apachelogs/www.website.com-error.log

     <FilesMatch "\.php$">
         CGIPassAuth on
         SetHandler "proxy:fcgi://127.0.0.1:9115/
     </FilesMatch>

     RemoteIPHeader X-Real-IP
     RemoteIPTrustedProxy 2.3.4.5/32


 </VirtualHost>

Apache日誌總是顯示2.3.4.5作為客戶端的IP地址,也就是nginx的公網IP地址

你可以試試這個解決方案:

當 RemoteIPHeader X-Forwarded-For 存在時,Apache 不記錄 remoteIP

# Log format config
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" common
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
CustomLog "logs/access_log" common env=forwarded

# Header config
RemoteIPHeader X-Real-IP
RemoteIPHeader X-Client-IP
RemoteIPInternalProxy 192.168.10.10 192.168.10.11

此外,日誌並用%h。設置%a,它告訴 Apache 記錄由 mod_remoteip( %a) 而不是 hostname( %h)記錄的客戶端 IP

供你參考:

https://httpd.apache.org/docs/2.4/logs.html#accesslog

https://www.techstacks.com/howto/log-client-ip-and-xforwardedfor-ip-in-apache.html

希望這可以幫到你

引用自:https://serverfault.com/questions/951379