
Installing mod_remoteip on Apache to Get the Real Visitor IP Behind a CDN

Submitted by James Qi on June 17, 2021 - 16:04

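We started using CloudFlare to accelerate a website last year. Because that site had little to do with visitor IP addresses, we did nothing special about the CDN proxy IP versus the visitor's real IP. A site added this year needs the user's real IP for crawler blocking; as a stopgap, it can be obtained in a simple way in the PHP code: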

if (isset($_SERVER['HTTP_CF_CONNECTING_IP'])) {
 $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_CF_CONNECTING_IP']; 
} elseif (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
 $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR']; 
}

However, if someone deliberately adds fake 'HTTP_CF_CONNECTING_IP' and 'HTTP_X_FORWARDED_FOR' values to the HTTP headers, we will be fooled, so this approach is a security risk.

Later we found mod_cloudflare, an Apache module developed for CloudFlare; installing it solves the problem above.

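But after we later connected to Baidu Cloud Acceleration (百度云加速), mod_cloudflare could no longer show the real IP. CloudFlare's official help documentation also says mod_cloudflare is no longer recommended and recommends the mod_remoteip module instead.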

On Apache 2.4, mod_remoteip can be enabled directly; on our current Apache 2.2, we download and install mod_remoteip-httpd22.

On the Linux server, use the following commands:

wget -O mod_remoteip-httpd22-master.zip https://github.com/ttkzw/mod_remoteip-httpd22/archive/refs/heads/master.zip

unzip mod_remoteip-httpd22-master.zip

cd mod_remoteip-httpd22-master

apxs -i -c -n mod_remoteip.so mod_remoteip.c

cp -pa /usr/lib64/httpd/modules/mod_remoteip.so /usr/local/apache/modules/

Then edit httpd.conf:

#LoadModule cloudflare_module  modules/mod_cloudflare.so
LoadModule remoteip_module modules/mod_remoteip.so

<IfModule remoteip_module>

# 2021-5-29
# Connected to CloudFlare and Baidu Cloud Acceleration

# mod_remoteip-httpd22
# https://github.com/ttkzw/mod_remoteip-httpd22

# https://support.cloudflare.com/hc/en-us/articles/200170786
# https://www.cloudflare.com/ips/

RemoteIPHeader CF-Connecting-IP

RemoteIPTrustedProxy 103.21.244.0/22
RemoteIPTrustedProxy 103.22.200.0/22
RemoteIPTrustedProxy 103.31.4.0/22
RemoteIPTrustedProxy 104.16.0.0/13
RemoteIPTrustedProxy 104.24.0.0/14
RemoteIPTrustedProxy 108.162.192.0/18
RemoteIPTrustedProxy 131.0.72.0/22
RemoteIPTrustedProxy 141.101.64.0/18
RemoteIPTrustedProxy 162.158.0.0/15
RemoteIPTrustedProxy 172.64.0.0/13
RemoteIPTrustedProxy 173.245.48.0/20
RemoteIPTrustedProxy 188.114.96.0/20
RemoteIPTrustedProxy 190.93.240.0/20
RemoteIPTrustedProxy 197.234.240.0/22
RemoteIPTrustedProxy 198.41.128.0/17

RemoteIPTrustedProxy 2400:cb00::/32
RemoteIPTrustedProxy 2606:4700::/32
RemoteIPTrustedProxy 2803:f800::/32
RemoteIPTrustedProxy 2405:b500::/32
RemoteIPTrustedProxy 2405:8100::/32
RemoteIPTrustedProxy 2a06:98c0::/29
RemoteIPTrustedProxy 2c0f:f248::/32

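# Baidu Cloud Acceleration node IP ranges (updated March 2, 2021)
# https://su.baidu.com/help/index.html#/10_changjianwenti/0_HIDE_FAQ/20_baiduyunjiasujiedianIPdizhiduan.md

# Note: RemoteIPHeader takes a single header name, so this later directive
# overrides the CF-Connecting-IP setting above. X-Forwarded-For, which
# CloudFlare also sends, is the header actually used for both CDNs.
RemoteIPHeader X-Forwarded-For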

#  Tianjin

RemoteIPTrustedProxy 111.32.135.0/24
RemoteIPTrustedProxy 111.32.136.0/24
RemoteIPTrustedProxy 111.32.134.0/24
RemoteIPTrustedProxy 125.39.174.0/24
RemoteIPTrustedProxy 125.39.239.0/24
RemoteIPTrustedProxy 125.39.238.0/24
RemoteIPTrustedProxy 42.81.6.0/24
RemoteIPTrustedProxy 42.81.8.0/24

#  Chongqing

RemoteIPTrustedProxy 119.84.92.0/24
RemoteIPTrustedProxy 119.84.93.0/24
RemoteIPTrustedProxy 113.207.100.0/24
RemoteIPTrustedProxy 113.207.101.0/24
RemoteIPTrustedProxy 113.207.102.0/24
RemoteIPTrustedProxy 221.178.56.0/24
RemoteIPTrustedProxy 221.178.57.0/24
RemoteIPTrustedProxy 221.178.58.0/26
RemoteIPTrustedProxy 119.84.1.0/24

#  Shanghai

RemoteIPTrustedProxy 180.163.188.0/24
RemoteIPTrustedProxy 101.227.206.0/24
RemoteIPTrustedProxy 101.227.207.0/24
RemoteIPTrustedProxy 180.163.113.0/24
RemoteIPTrustedProxy 180.163.189.0/24
RemoteIPTrustedProxy 180.163.154.0/24
RemoteIPTrustedProxy 180.163.153.0/24

#  Hebei

RemoteIPTrustedProxy 61.182.137.0/24
RemoteIPTrustedProxy 61.182.136.0/24
RemoteIPTrustedProxy 220.195.22.0/24
RemoteIPTrustedProxy 220.195.21.0/25
RemoteIPTrustedProxy 111.63.67.0/24
RemoteIPTrustedProxy 111.63.68.0/24

#  Xi'an

RemoteIPTrustedProxy 117.34.13.0/24
RemoteIPTrustedProxy 117.34.14.0/24
RemoteIPTrustedProxy 117.34.28.0/24
RemoteIPTrustedProxy 117.34.60.0/24
RemoteIPTrustedProxy 117.34.61.0/24
RemoteIPTrustedProxy 117.34.62.0/24

#  Jinan

RemoteIPTrustedProxy 119.188.97.0/24
RemoteIPTrustedProxy 119.188.9.0/24
RemoteIPTrustedProxy 119.188.14.0/24
RemoteIPTrustedProxy 119.188.132.0/24
RemoteIPTrustedProxy 60.217.232.0/24

#  Guangzhou

RemoteIPTrustedProxy 183.232.51.0/24
RemoteIPTrustedProxy 183.232.53.0/24
RemoteIPTrustedProxy 157.255.25.0/24
RemoteIPTrustedProxy 157.255.26.0/24
RemoteIPTrustedProxy 157.255.24.0/24

#  Jiangsu

RemoteIPTrustedProxy 112.25.89.0/24
RemoteIPTrustedProxy 112.25.90.0/24
RemoteIPTrustedProxy 112.25.91.0/24

#  Hubei

RemoteIPTrustedProxy 122.190.1.0/24
RemoteIPTrustedProxy 122.190.2.0/24
RemoteIPTrustedProxy 122.190.3.0/24
RemoteIPTrustedProxy 111.174.63.0/24
RemoteIPTrustedProxy 111.174.61.0/24

#  Qingdao

RemoteIPTrustedProxy 119.167.246.0/24
RemoteIPTrustedProxy 150.138.149.0/24
RemoteIPTrustedProxy 150.138.150.0/24
RemoteIPTrustedProxy 150.138.151.0/24

#  Hunan

RemoteIPTrustedProxy 59.51.81.128/25
RemoteIPTrustedProxy 220.170.184.0/24
RemoteIPTrustedProxy 220.170.185.0/24
RemoteIPTrustedProxy 220.170.186.0/24

#  Suzhou

RemoteIPTrustedProxy 61.155.149.0/24
RemoteIPTrustedProxy 61.156.149.0/24
RemoteIPTrustedProxy 61.155.165.0/24
RemoteIPTrustedProxy 58.211.2.0/24
RemoteIPTrustedProxy 58.211.137.0/24

#  Foshan

RemoteIPTrustedProxy 183.60.235.0/24
RemoteIPTrustedProxy 116.31.126.0/24
RemoteIPTrustedProxy 116.31.127.0/24

#  Dongguan

RemoteIPTrustedProxy 183.61.236.0/24
RemoteIPTrustedProxy 14.17.71.0/24
RemoteIPTrustedProxy 119.147.134.0/24
RemoteIPTrustedProxy 183.61.177.0/24
RemoteIPTrustedProxy 183.61.190.0/24

#  Hefei

RemoteIPTrustedProxy 112.29.157.0/24
RemoteIPTrustedProxy 112.29.158.0/24
RemoteIPTrustedProxy 112.29.159.0/24

#  Zhengzhou

RemoteIPTrustedProxy 42.236.93.0/24
RemoteIPTrustedProxy 42.236.94.0/24
RemoteIPTrustedProxy 42.236.7.128/26
RemoteIPTrustedProxy 42.236.7.65/27

#  Shenyang

RemoteIPTrustedProxy 124.95.168.128/25
RemoteIPTrustedProxy 124.95.188.0/24
RemoteIPTrustedProxy 124.95.191.0/24

#  Ningbo

RemoteIPTrustedProxy 115.231.186.0/24
RemoteIPTrustedProxy 115.231.187.0/24
RemoteIPTrustedProxy 122.246.5.0/24

#  Huzhou

RemoteIPTrustedProxy 61.241.118.0/24
RemoteIPTrustedProxy 101.69.175.0/24

#  Nanning

RemoteIPTrustedProxy 222.216.190.0/24
RemoteIPTrustedProxy 219.159.84.0/24

#  Jinhua

RemoteIPTrustedProxy 117.147.214.0/24
RemoteIPTrustedProxy 117.147.215.0/24

#  Fuzhou

RemoteIPTrustedProxy 117.27.149.0/24

#  Beijing

RemoteIPTrustedProxy 111.132.134.0/24

</IfModule>

Then restart Apache.
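What the trusted-proxy list buys over the PHP shortcut, as an added Python example that is not part of the original post and is not mod_remoteip's own code: a simplified model in which the header is honoured only when the TCP peer is a listed proxy and is then read right to left. The function names, the three-range TRUSTED subset and the sample requests are constructed for illustration.

```python
import ipaddress

# Constructed subset of the RemoteIPTrustedProxy ranges in the configuration above.
TRUSTED = [ipaddress.ip_network(n) for n in
           ("173.245.48.0/20", "2606:4700::/32", "111.32.135.0/24")]

def is_trusted(addr):
    return any(addr.version == net.version and addr in net for net in TRUSTED)

def naive_client_ip(peer, headers):
    """Same behaviour as the PHP shortcut: the header wins, whoever sent it."""
    return headers.get("CF-Connecting-IP") or headers.get("X-Forwarded-For") or peer

def resolve_client_ip(peer, headers, header_name="X-Forwarded-For"):
    """Honour the header only when the TCP peer is a listed proxy, then walk
    its entries right to left and stop at the first address that is not one."""
    client = ipaddress.ip_address(peer)
    if not is_trusted(client):
        return str(client)              # direct connection: header ignored
    hops = [h.strip() for h in headers.get(header_name, "").split(",")]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break                       # empty or malformed entry: stop here
        client = addr
        if not is_trusted(addr):
            break                       # first non-proxy address is the visitor
    return str(client)

# Constructed requests (documentation address ranges stand in for visitors).
SPOOFED_DIRECT = ("203.0.113.50", {"CF-Connecting-IP": "127.0.0.1",
                                   "X-Forwarded-For": "127.0.0.1"})
VIA_CDN = ("173.245.48.10", {"X-Forwarded-For": "127.0.0.1, 198.51.100.7"})

if __name__ == "__main__":
    for peer, hdrs in (SPOOFED_DIRECT, VIA_CDN):
        print(peer, "naive:", naive_client_ip(peer, hdrs),
              "checked:", resolve_client_ip(peer, hdrs))
```

The second request shows why the header is read from the right: the leftmost entry was supplied by the client, while the rightmost was appended by the proxy.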

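After configuring as above, I check the visitor IP in the Drupal site's log (by visiting a non-existent page myself); if the log shows the real IP, the configuration is working.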

Note that if the IP lists of CloudFlare or Baidu Cloud Acceleration change in the future, the lists in this configuration must be updated as well.
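One way to keep the list honest over time, as an added Python example that is not part of the original post: an audit that reads the RemoteIP* directives from a config, reports every RemoteIPHeader it finds, and compares the trusted ranges with a freshly obtained provider list. The function name, SAMPLE_CONF (a few lines in the shape of the httpd.conf above) and SAMPLE_PUBLISHED are constructed; the published list here is demo data, not a real provider publication.

```python
import ipaddress
import re

DIRECTIVE = re.compile(r"^\s*(RemoteIPHeader|RemoteIPTrustedProxy)\s+(\S+)\s*$", re.I)

def audit_remoteip(conf_text, published):
    """Compare the RemoteIP* directives in conf_text with a published range list."""
    headers, configured, suspect = [], set(), []
    for raw in conf_text.splitlines():
        m = DIRECTIVE.match(raw.split("#", 1)[0])
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2)
        if name == "remoteipheader":
            headers.append(value)       # more than one entry: the last one wins
            continue
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            suspect.append(value)       # hostname or typo: needs a manual look
            continue
        if ipaddress.ip_interface(value).ip != net.network_address:
            suspect.append(value)       # host bits set below the prefix length
        configured.add(net)
    wanted = {ipaddress.ip_network(p) for p in published}
    return {"headers": headers,
            "missing": sorted(str(n) for n in wanted - configured),
            "stale": sorted(str(n) for n in configured - wanted),
            "suspect": suspect}

# Constructed sample: a few lines in the shape of the httpd.conf above.
SAMPLE_CONF = """\
RemoteIPHeader CF-Connecting-IP
RemoteIPTrustedProxy 103.21.244.0/22
RemoteIPTrustedProxy 198.41.128.0/17
RemoteIPHeader X-Forwarded-For
#  Zhengzhou
RemoteIPTrustedProxy 42.236.7.65/27
"""
# Constructed "current" list for the demo only, not a real provider publication.
SAMPLE_PUBLISHED = ["103.21.244.0/22", "104.16.0.0/13", "42.236.7.64/27"]

if __name__ == "__main__":
    for key, value in audit_remoteip(SAMPLE_CONF, SAMPLE_PUBLISHED).items():
        print(f"{key}: {value}")
```

A "stale" range is the one that matters most for security: it is address space the server still trusts to assert a visitor IP after the CDN has stopped using it.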
