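We started using CloudFlare to accelerate our website last year. Because that site had little to do with visitors' IP addresses, we did nothing special to tell the CDN proxy IP apart from the visitor's real IP. A site we added this year needs the user's real IP for blocking crawlers. As a stopgap, the real IP can be obtained in the PHP program in a simple way: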

    // Simple approach: take the client IP from whichever forwarding header is present.
    if (isset($_SERVER['HTTP_CF_CONNECTING_IP'])) {
        $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_CF_CONNECTING_IP'];
    } elseif (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR'];
    }

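However, if someone deliberately adds fake CF-Connecting-IP or X-Forwarded-For headers to the HTTP request (which PHP exposes as 'HTTP_CF_CONNECTING_IP' and 'HTTP_X_FORWARDED_FOR'), this code is fooled, so it is a security risk.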
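A hardened application-level version of the snippet above, as an added example that is not from the original post: the forwarded header is honoured only when the TCP peer lies in a trusted proxy range. The names TRUSTED_PROXIES, is_trusted_proxy and client_ip are hypothetical, and the two ranges are a subset of the CloudFlare list in the httpd.conf further down this page.

```php
<?php
// Added example, not from the original post. The two ranges are a subset of the
// CloudFlare entries in this page's httpd.conf; use the full list in practice.
const TRUSTED_PROXIES = ['173.245.48.0/20', '2400:cb00::/32'];

// True when $ip falls inside one of the trusted CIDR ranges (IPv4 or IPv6).
function is_trusted_proxy(string $ip): bool
{
    $ipBin = @inet_pton($ip);
    foreach (TRUSTED_PROXIES as $cidr) {
        [$net, $bits] = explode('/', $cidr);
        $netBin = inet_pton($net);
        $bits = (int) $bits;
        if ($ipBin === false || strlen($ipBin) !== strlen($netBin)) {
            continue; // unparsable address, or a range of the other family
        }
        // Netmask as a byte string: full 0xFF bytes, one partial byte, zero padding.
        $mask = str_repeat("\xFF", intdiv($bits, 8));
        if ($bits % 8 !== 0) {
            $mask .= chr((0xFF << (8 - $bits % 8)) & 0xFF);
        }
        $mask = str_pad($mask, strlen($ipBin), "\x00");
        if (($ipBin & $mask) === ($netBin & $mask)) {
            return true;
        }
    }
    return false;
}

// Start from the TCP peer and walk the forwarded header right to left,
// accepting a hop only while the address reached so far is a trusted proxy.
function client_ip(string $peer, ?string $forwarded): string
{
    $client = $peer;
    $hops = $forwarded === null ? [] : array_reverse(array_map('trim', explode(',', $forwarded)));
    foreach ($hops as $hop) {
        if (!is_trusted_proxy($client) || filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // sender not trusted, or malformed entry: keep current value
        }
        $client = $hop;
    }
    return $client;
}

// Constructed requests: via a trusted proxy, direct with a forged header,
// and via a trusted proxy with a forged leftmost entry.
var_dump(client_ip('173.245.48.10', '203.0.113.7'));
var_dump(client_ip('198.51.100.9', '203.0.113.7'));
var_dump(client_ip('173.245.48.10', '10.9.9.9, 203.0.113.7'));
```

In a real request handler the arguments would be $_SERVER['REMOTE_ADDR'] and the forwarded header value; the direct request with a forged header keeps its own peer address.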
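Later we found mod_cloudflare, an Apache module developed for CloudFlare; installing it solves the problem above.
But after we also connected the site to Baidu Yunjiasu (Baidu Cloud Acceleration), mod_cloudflare could no longer be used to show the real IP. CloudFlare's official help documentation also no longer recommends mod_cloudflare and recommends the mod_remoteip module instead.
On Apache 2.4, mod_remoteip can be enabled directly; for our current Apache 2.2, we download and install mod_remoteip-httpd22.
The following commands can be used on the Linux server: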
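
    # Save the archive under the name that unzip expects
    wget -O mod_remoteip-httpd22-master.zip https://github.com/ttkzw/mod_remoteip-httpd22/archive/refs/heads/master.zip
    unzip mod_remoteip-httpd22-master.zip
    cd mod_remoteip-httpd22-master
    # Compile and install the module with apxs
    apxs -i -c -n mod_remoteip.so mod_remoteip.c
    # Copy the built module into the modules directory of the Apache in use
    cp -pa /usr/lib64/httpd/modules/mod_remoteip.so /usr/local/apache/modules/
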
Then edit httpd.conf:

    #LoadModule cloudflare_module modules/mod_cloudflare.so
    LoadModule remoteip_module modules/mod_remoteip.so
    <IfModule remoteip_module>
        # 2021-5-29
        # Connected to CloudFlare and Baidu Yunjiasu
        # mod_remoteip-httpd22
        # https://github.com/ttkzw/mod_remoteip-httpd22
        # https://support.cloudflare.com/hc/en-us/articles/200170786
        # https://www.cloudflare.com/ips/
        RemoteIPHeader CF-Connecting-IP
        RemoteIPTrustedProxy 103.21.244.0/22
        RemoteIPTrustedProxy 103.22.200.0/22
        RemoteIPTrustedProxy 103.31.4.0/22
        RemoteIPTrustedProxy 104.16.0.0/13
        RemoteIPTrustedProxy 104.24.0.0/14
        RemoteIPTrustedProxy 108.162.192.0/18
        RemoteIPTrustedProxy 131.0.72.0/22
        RemoteIPTrustedProxy 141.101.64.0/18
        RemoteIPTrustedProxy 162.158.0.0/15
        RemoteIPTrustedProxy 172.64.0.0/13
        RemoteIPTrustedProxy 173.245.48.0/20
        RemoteIPTrustedProxy 188.114.96.0/20
        RemoteIPTrustedProxy 190.93.240.0/20
        RemoteIPTrustedProxy 197.234.240.0/22
        RemoteIPTrustedProxy 198.41.128.0/17
        RemoteIPTrustedProxy 2400:cb00::/32
        RemoteIPTrustedProxy 2606:4700::/32
        RemoteIPTrustedProxy 2803:f800::/32
        RemoteIPTrustedProxy 2405:b500::/32
        RemoteIPTrustedProxy 2405:8100::/32
        RemoteIPTrustedProxy 2a06:98c0::/29
        RemoteIPTrustedProxy 2c0f:f248::/32

        # Baidu Yunjiasu node IP ranges (updated 2 March 2021)
        # https://su.baidu.com/help/index.html#/10_changjianwenti/0_HIDE_FAQ/20_baiduyunjiasujiedianIPdizhiduan.md
        # Note: RemoteIPHeader holds a single header name per server scope, so this
        # directive replaces the CF-Connecting-IP setting above.
        RemoteIPHeader X-Forwarded-For
        # Tianjin
        RemoteIPTrustedProxy 111.32.135.0/24
        RemoteIPTrustedProxy 111.32.136.0/24
        RemoteIPTrustedProxy 111.32.134.0/24
        RemoteIPTrustedProxy 125.39.174.0/24
        RemoteIPTrustedProxy 125.39.239.0/24
        RemoteIPTrustedProxy 125.39.238.0/24
        RemoteIPTrustedProxy 42.81.6.0/24
        RemoteIPTrustedProxy 42.81.8.0/24
        # Chongqing
        RemoteIPTrustedProxy 119.84.92.0/24
        RemoteIPTrustedProxy 119.84.93.0/24
        RemoteIPTrustedProxy 113.207.100.0/24
        RemoteIPTrustedProxy 113.207.101.0/24
        RemoteIPTrustedProxy 113.207.102.0/24
        RemoteIPTrustedProxy 221.178.56.0/24
        RemoteIPTrustedProxy 221.178.57.0/24
        RemoteIPTrustedProxy 221.178.58.0/26
        RemoteIPTrustedProxy 119.84.1.0/24
        # Shanghai
        RemoteIPTrustedProxy 180.163.188.0/24
        RemoteIPTrustedProxy 101.227.206.0/24
        RemoteIPTrustedProxy 101.227.207.0/24
        RemoteIPTrustedProxy 180.163.113.0/24
        RemoteIPTrustedProxy 180.163.189.0/24
        RemoteIPTrustedProxy 180.163.154.0/24
        RemoteIPTrustedProxy 180.163.153.0/24
        # Hebei
        RemoteIPTrustedProxy 61.182.137.0/24
        RemoteIPTrustedProxy 61.182.136.0/24
        RemoteIPTrustedProxy 220.195.22.0/24
        RemoteIPTrustedProxy 220.195.21.0/25
        RemoteIPTrustedProxy 111.63.67.0/24
        RemoteIPTrustedProxy 111.63.68.0/24
        # Xi'an
        RemoteIPTrustedProxy 117.34.13.0/24
        RemoteIPTrustedProxy 117.34.14.0/24
        RemoteIPTrustedProxy 117.34.28.0/24
        RemoteIPTrustedProxy 117.34.60.0/24
        RemoteIPTrustedProxy 117.34.61.0/24
        RemoteIPTrustedProxy 117.34.62.0/24
        # Jinan
        RemoteIPTrustedProxy 119.188.97.0/24
        RemoteIPTrustedProxy 119.188.9.0/24
        RemoteIPTrustedProxy 119.188.14.0/24
        RemoteIPTrustedProxy 119.188.132.0/24
        RemoteIPTrustedProxy 60.217.232.0/24
        # Guangzhou
        RemoteIPTrustedProxy 183.232.51.0/24
        RemoteIPTrustedProxy 183.232.53.0/24
        RemoteIPTrustedProxy 157.255.25.0/24
        RemoteIPTrustedProxy 157.255.26.0/24
        RemoteIPTrustedProxy 157.255.24.0/24
        # Jiangsu
        RemoteIPTrustedProxy 112.25.89.0/24
        RemoteIPTrustedProxy 112.25.90.0/24
        RemoteIPTrustedProxy 112.25.91.0/24
        # Hubei
        RemoteIPTrustedProxy 122.190.1.0/24
        RemoteIPTrustedProxy 122.190.2.0/24
        RemoteIPTrustedProxy 122.190.3.0/24
        RemoteIPTrustedProxy 111.174.63.0/24
        RemoteIPTrustedProxy 111.174.61.0/24
        # Qingdao
        RemoteIPTrustedProxy 119.167.246.0/24
        RemoteIPTrustedProxy 150.138.149.0/24
        RemoteIPTrustedProxy 150.138.150.0/24
        RemoteIPTrustedProxy 150.138.151.0/24
        # Hunan
        RemoteIPTrustedProxy 59.51.81.128/25
        RemoteIPTrustedProxy 220.170.184.0/24
        RemoteIPTrustedProxy 220.170.185.0/24
        RemoteIPTrustedProxy 220.170.186.0/24
        # Suzhou
        RemoteIPTrustedProxy 61.155.149.0/24
        RemoteIPTrustedProxy 61.156.149.0/24
        RemoteIPTrustedProxy 61.155.165.0/24
        RemoteIPTrustedProxy 58.211.2.0/24
        RemoteIPTrustedProxy 58.211.137.0/24
        # Foshan
        RemoteIPTrustedProxy 183.60.235.0/24
        RemoteIPTrustedProxy 116.31.126.0/24
        RemoteIPTrustedProxy 116.31.127.0/24
        # Dongguan
        RemoteIPTrustedProxy 183.61.236.0/24
        RemoteIPTrustedProxy 14.17.71.0/24
        RemoteIPTrustedProxy 119.147.134.0/24
        RemoteIPTrustedProxy 183.61.177.0/24
        RemoteIPTrustedProxy 183.61.190.0/24
        # Hefei
        RemoteIPTrustedProxy 112.29.157.0/24
        RemoteIPTrustedProxy 112.29.158.0/24
        RemoteIPTrustedProxy 112.29.159.0/24
        # Zhengzhou
        RemoteIPTrustedProxy 42.236.93.0/24
        RemoteIPTrustedProxy 42.236.94.0/24
        RemoteIPTrustedProxy 42.236.7.128/26
        RemoteIPTrustedProxy 42.236.7.65/27
        # Shenyang
        RemoteIPTrustedProxy 124.95.168.128/25
        RemoteIPTrustedProxy 124.95.188.0/24
        RemoteIPTrustedProxy 124.95.191.0/24
        # Ningbo
        RemoteIPTrustedProxy 115.231.186.0/24
        RemoteIPTrustedProxy 115.231.187.0/24
        RemoteIPTrustedProxy 122.246.5.0/24
        # Huzhou
        RemoteIPTrustedProxy 61.241.118.0/24
        RemoteIPTrustedProxy 101.69.175.0/24
        # Nanning
        RemoteIPTrustedProxy 222.216.190.0/24
        RemoteIPTrustedProxy 219.159.84.0/24
        # Jinhua
        RemoteIPTrustedProxy 117.147.214.0/24
        RemoteIPTrustedProxy 117.147.215.0/24
        # Fuzhou
        RemoteIPTrustedProxy 117.27.149.0/24
        # Beijing
        RemoteIPTrustedProxy 111.132.134.0/24
    </IfModule>

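Then restart Apache and it is done.
After setting things up this way, I always check the visitor IP in the Drupal site's log (I visit a non-existent page myself); if the log shows the real IP, the setup has succeeded.
Note that if the CloudFlare or Baidu Yunjiasu IP lists change in the future, the list in this configuration must be updated as well.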