Добрый день. Подскажите, как настроить получение реального IP-адреса клиента на сервере Apache, который стоит за обратным прокси?
На сервере с Apache reverse proxy в логах адреса клиентов правильные.
Из локальной сети:
10.0.25.25 - - [10/Nov/2020:12:21:50 +0300] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 304 267 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36"
10.0.25.25 - - [10/Nov/2020:12:21:52 +0300] "POST /index.php/apps/text/session/sync HTTP/1.1" 200 1504 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36"
10.0.25.25 - - [10/Nov/2020:12:21:58 +0300] "POST /index.php/apps/text/session/sync HTTP/1.1" 200 2032 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36"
Из интернета (за NAT):
188.170.XX.XXX - - [10/Nov/2020:12:22:04 +0300] "GET /index.php/login HTTP/1.1" 200 6436 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 14_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Mobile/15E148 Safari/604.1"
10.0.25.25 - - [10/Nov/2020:12:22:04 +0300] "POST /index.php/apps/text/session/sync HTTP/1.1" 200 2032 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36"
188.170.XX.XXX - - [10/Nov/2020:12:22:04 +0300] "GET /index.php/core/js/oc.js?v=cea31a8e HTTP/1.1" 200 10342 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 14_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Mobile/15E148 Safari/604.1"
188.170.XX.XXX - - [10/Nov/2020:12:22:04 +0300] "GET /apps/theming/image/background HTTP/1.1" 404 10973 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 14_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Mobile/15E148 Safari/604.1"
Вот что в логе на конечном сервере; первое поле — %a, второе — %h (LogFormat "%a %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined):
Из локальной сети:
10.0.7.84 10.0.25.25 - - [10/Nov/2020:12:17:52 +0300] "GET /index.php/core/preview?fileId=1171&x=32&y=32 HTTP/1.1" 404 826 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36"
10.0.7.84 10.0.25.25 - - [10/Nov/2020:12:17:52 +0300] "GET /index.php/core/preview?fileId=1329&x=32&y=32 HTTP/1.1" 404 826 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36"
Из интернета:
188.170.XX.XXX 10.0.7.84 - - [10/Nov/2020:12:18:01 +0300] "GET /index.php/core/js/oc.js?v=cea31a8e HTTP/1.1" 200 10301 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 14_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Mobile/15E148 Safari/604.1"
188.170.XX.XXX 10.0.7.84 - - [10/Nov/2020:12:18:01 +0300] "GET /apps/theming/image/background HTTP/1.1" 404 9397 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 14_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Mobile/15E148 Safari/604.1"
Настройка Proxy:
# Reverse-proxy front end for nc-test.domain.ru.
# Port 80 only issues a permanent redirect to the HTTPS site.
<VirtualHost *:80>
ServerName nc-test.domain.ru
Redirect permanent / https://nc-test.domain.ru/
</VirtualHost>
# Port 443 terminates TLS and forwards every request to the backend at 10.0.7.136.
<VirtualHost *:443>
ServerAdmin sysmsg@domain.ru
DocumentRoot /var/www/html
ServerName nc-test.domain.ru
ErrorLog ${APACHE_LOG_DIR}/nc-test.domain.ru.error.log
CustomLog ${APACHE_LOG_DIR}/nc-test.domain.ru.access.log combined
TransferLog ${APACHE_LOG_DIR}/nc-test.domain.ru.ssl.log
SSLEngine On
# TLS is also used on the proxy-to-backend leg.
# NOTE(review): no SSLProxyVerify / SSLProxyCACertificateFile is visible in this
# vhost; confirm how the backend certificate is validated (the included
# options-ssl-apache.conf is not shown here).
SSLProxyEngine On
# Forward proxying stays off, so only the ProxyPass mapping below is served.
ProxyRequests Off
# The backend receives the Host header exactly as the client sent it.
ProxyPreserveHost On
# "full" adds a Via header that also carries the Apache httpd version.
ProxyVia full
ProxyHTMLInterp On
ProxyHTMLExtended On
# 2.2-style access control (mod_access_compat on httpd 2.4): every client may
# use the proxied mapping.
<proxy *>
Order deny,allow
Allow from all
</proxy>
# mod_proxy adds X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server to the
# forwarded request; this is where the backend learns the original client address.
# NOTE(review): other request headers arrive at the backend as the client sent
# them. The backend's rpaf configuration reads X-Real-IP, which nothing in this
# vhost sets or removes; consider `RequestHeader unset X-Real-IP` (mod_headers)
# here so that a client-supplied value is never forwarded. Confirm no included
# file already does this.
ProxyPass / https://10.0.7.136/
ProxyPassReverse / https://10.0.7.136/
SSLCertificateFile /etc/letsencrypt/live/nc-test.domain.ru/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/nc-test.domain.ru/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
Настройка конечного сервера (backend):
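# Backend (Nextcloud) server that sits behind the reverse proxy 10.0.7.84.
# Port 80 only redirects to the HTTPS site.
<VirtualHost *:80>
    ServerName nc-test.domain.ru
    ServerAlias nc-test2.domain.ru
    Redirect / https://nc-test.domain.ru/
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin sysmsg@domain.ru
    ServerName nc-test.domain.ru
    ServerAlias nc-test2.domain.ru
    DocumentRoot /var/www/nextcloud

    ErrorLog ${APACHE_LOG_DIR}/nc-test.domain.ru.error.log
    # "combined" is the redefined format that starts with "%a %h"; %a is the
    # field that reflects the address chosen by mod_remoteip.
    CustomLog ${APACHE_LOG_DIR}/nc-test.domain.ru.access.log combined
    TransferLog ${APACHE_LOG_DIR}/nc-test.domain.ru.ssl.log

    SSLEngine On
    SSLCertificateFile /etc/ssl/test/public.crt
    SSLCertificateKeyFile /etc/ssl/test/private.rsa
    Protocols h2 http/1.1

    # 2.2-style access control; on httpd 2.4 it is provided by mod_access_compat.
    <Directory /var/www/nextcloud>
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>

    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>

    <IfModule remoteip_module>
        # Take the client address from the X-Forwarded-For header that the
        # front-end proxy adds.
        RemoteIPHeader X-Forwarded-For
        # Only these peers may assert a client address; the header is ignored on
        # connections from anyone else, so keep this list to the real proxy
        # addresses.
        # RemoteIPInternalProxy is used on its own (without a RemoteIPTrustedProxy
        # entry for the same addresses) because RemoteIPTrustedProxy does not
        # accept private-range addresses from the header. LAN clients such as
        # 10.0.25.25 are in a private range, and with both directives listed the
        # access log showed the proxy address in %a for them.
        RemoteIPInternalProxy 127.0.0.1 10.0.7.84
    </IfModule>
</VirtualHost>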
Модуль remoteip включен.
Модуль rpaf тоже включен, его rpaf.conf:
# mod_rpaf settings: replace the connection's address with the one a listed
# front-end proxy reports in a request header.
# NOTE(review): mod_remoteip is enabled on the same server and rewrites the same
# address from X-Forwarded-For. With both modules active it is hard to tell which
# one produced a given log field; keep only one of them.
<IfModule rpaf_module>
RPAFenable On
# When enabled, take the incoming X-Host header and
# update the virtualhost settings accordingly:
RPAFsethostname On
# Define which IP's are your frontend proxies that sends
# the correct X-Forwarded-For headers:
#RPAFproxy_ips 10.0.7.84 127.0.0.1 ::1
# The header is honoured only on requests that arrive from these addresses.
RPAFproxy_ips 127.0.0.1 ::1 10.0.7.84
# Change the header name to parse from the default
# X-Forwarded-For to something of your choice:
# NOTE(review): the proxy configuration shown on this page does not set
# X-Real-IP; mod_proxy adds X-Forwarded-For. An X-Real-IP value sent by a client
# would reach this server through 10.0.7.84 and be treated as coming from a
# trusted proxy, unless the proxy overwrites or strips it. Confirm.
RPAFheader X-Real-IP
#RPAF_Header X-Forwarded-For
#RPAF_SetHTTPS On
</IfModule>