测试环境
IP相关信息
VPC环境
ECS内网IP:10.0.xx.177
ECS公网IP:121.196.xx.22
SLB的IP:118.178.xx.145 http监听 80端口
WAF测试域名:test.pierxx.cn
WAF测试域名对应Cname:rxqetx2tcwmn7oqjmykc0xxxx.aliyunwaf.com (101.37.xx.177)
高防测试域名对应Cname: 89xxxxxbag6.gfnormal07ai.com (116.211.xxx.155)
版本信息
[root@iZbp106q0xxxxx1hrrgbedZ ~]# httpd -v
Server version: Apache/2.4.6 (CentOS)
Server built: Oct 19 2017 20:39:16
[root@iZbp106q0xxx1hrrgbedZ ~]# uname -a
Linux iZbp106q0xxxhrrgbedZ 3.10.0-693.2.2.el7.x86_64 #1 SMP Tue Sep 12 22:26:13 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[root@iZbp106qxxxxgbedZ ~]# lsb_release -a
LSB Version: :core-4.1-amd64:core-4.1-noarch
Distributor ID: CentOS
Description: CentOS Linux release 7.4.1708 (Core)
Release: 7.4.1708
Codename: Core
[root@iZbp106xxxxrrgbedZ ~]#安装的配置目录结构
[root@iZbp106q07wxxxxdZ httpd]# pwd
/etc/httpd
[root@iZbp106q07xxxxgbedZ httpd]# tree
.
├── conf
│ ├── httpd.conf
│ └── magic
├── conf.d
│ ├── autoindex.conf
│ ├── README
│ ├── userdir.conf
│ └── welcome.conf
├── conf.modules.d
│ ├── 00-base.conf
│ ├── 00-dav.conf
│ ├── 00-lua.conf
│ ├── 00-mpm.conf
│ ├── 00-proxy.conf
│ ├── 00-systemd.conf
│ └── 01-cgi.conf
├── logs -> ../../var/log/httpd
├── modules -> ../../usr/lib64/httpd/modules
└── run -> /run/httpd
6 directories, 13 files配置vhost
[root@iZbp106q0xxxxxbedZ conf.d]# cat httpd-vhosts.conf
<VirtualHost *:80>
ServerAdmin webmaster@dummy-host.localhost
DocumentRoot "/webroot"
ServerName test.pixxx.cn
#ServerAlias localhost
ErrorLog "logs/fexxan.localhost-error.log"
CustomLog "logs/fxxan-access.log" common
<Directory /webroot>
Options -Indexes +FollowSymlinks
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
[root@iZbp106q07wqxxxxxedZ conf.d]# service httpd restart
Redirecting to /bin/systemctl restart httpd.service
[root@iZbp106q07xxxxrrgbedZ conf.d]#mod_remoteip方法
1、验证模块
[root@iZbp106q07wxxxxZ httpd]# cat conf.modules.d/* | grep mod_remoteip
LoadModule remoteip_module modules/mod_remoteip.so
[root@iZbp106q07wxxxxdZ httpd]# cat conf/* | grep conf.modules
Include conf.modules.d/*.conf
[root@iZbp106q07xxxxrgbedZ httpd]#apachectl -M | grep remoteip_module
remoteip_module (shared)如上内容,模块mod_remoteip已经安装 已经加载了,关于该模块的介绍请点这里。
2、修改配置
在主配置文件中加入:%{X-Forwarded-For}i
路径:/etc/httpd/conf/httpd.conf
配置修改前
<IfModule log_config_module>
#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
# You need to enable mod_logio.c to use %I and %O
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>配置修改后
<IfModule log_config_module>
#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
LogFormat "%h %{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
# You need to enable mod_logio.c to use %I and %O
LogFormat "%h %a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>3、生效确认
配置前
100.116.xx.179 - - [07/Jan/2018:13:10:31 +0800] "GET / HTTP/1.0" 304 -
100.116.xx.177 - - [07/Jan/2018:13:10:33 +0800] "GET / HTTP/1.0" 304 -
100.116.xx.189 - - [07/Jan/2018:13:10:33 +0800] "GET / HTTP/1.0" 304 -
3.1、 一层转发
链路: Client->SLB->ECS
120.24.xx.201 100.116.x.150 - - [07/Jan/2018:13:36:10 +0800] "GET / HTTP/1.0" 200 3
120.24.x.201 100.116.x.202 - - [07/Jan/2018:13:36:11 +0800] "GET / HTTP/1.0" 200 3
120.24.x.201 100.116.x.136 - - [07/Jan/2018:13:36:12 +0800] "GET / HTTP/1.1" 200 33.2、二层转发
链路: Client->WAF->SLB->ECS
120.24.x.201, 120.27.x.39 100.116.x.204 - - [07/Jan/2018:13:44:56 +0800] "GET / HTTP/1.0" 200 3
120.24.x.201, 118.178.x.115 100.116.x.128 - - [07/Jan/2018:13:44:56 +0800] "GET / HTTP/1.1" 200 3
120.24.xx.201, 120.27.xx.52 100.116.xx.201 - - [07/Jan/2018:13:44:56 +0800] "GET / HTTP/1.1" 200 33.3、 三层转发
链路: Client->高防->WAF->SLB->ECS
120.24.x.201, 116.211.x.12, 120.27.x.33 100.116.x.233 - - [07/Jan/2018:14:24:53 +0800] "GET / HTTP/1.0" 200 3
120.24.x.201, 116.211.x.9, 120.27.x.50 100.116.x.217 - - [07/Jan/2018:14:24:53 +0800] "GET / HTTP/1.0" 200 3
120.24.x.201, 116.211.x.9, 120.27.x.39 100.116.x.213 - - [07/Jan/2018:14:24:53 +0800] "GET / HTTP/1.0" 200 3mod_rpaf方法
1、 验证模块
[root@iZbp106qxedZ httpd]# cat conf.modules.d/* | grep mod_rpaf
[root@iZbp106q0xbedZ httpd]# apachectl -M | grep mod_rpaf
[root@iZbp106xu1hrrgbedZ httpd]#mod_rpaf没有安装好,需要单独安装
安装过程不在此处描述
安装完成后的检查
[root@iZbp106q0xZ httpd]# cat conf.modules.d/* | grep mod_rpaf
LoadModule rpaf_module modules/mod_rpaf.so
[root@iZbp1xbedZ httpd]# apachectl -M | grep rpaf
rpaf_module (shared)2、 mod_rpaf 配置
文件路径:/etc/httpd/conf.modules.d/01-rpaf.conf
01-rpaf.conf该文件为新创建的。
[root@iZbp106q0x conf.modules.d]# cat 01-rpaf.conf
LoadModule rpaf_module modules/mod_rpaf.so
RPAF_Enable On
RPAF_ProxyIPs 0.0.0.0
RPAF_SetHostName On
RPAF_SetHTTPS On
RPAF_SetPort On
RPAF_ForbidIfNotProxy Off3、 修改配置
在主配置文件中加入:%{X-Forwarded-For}i
路径:/etc/httpd/conf/httpd.conf
配置修改前
<IfModule log_config_module>
#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
# You need to enable mod_logio.c to use %I and %O
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>配置修改后
<IfModule log_config_module>
#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
# You need to enable mod_logio.c to use %I and %O
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
#
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a <VirtualHost>
# container, they will be logged here. Contrariwise, if you *do*
# define per-<VirtualHost> access logfiles, transactions will be
# logged therein and *not* in this file.
#
#CustomLog "logs/access_log" common
#
# If you prefer a logfile with access, agent, and referer information
# (Combined Logfile Format) you can use the following directive.
#
CustomLog "logs/access_log" combined
</IfModule>4、 生效确认
配置前
100.116.x.171 - - [07/Jan/2018:15:46:25 +0800] "GET / HTTP/1.0" 200 3
100.116.x.135 - - [07/Jan/2018:15:46:25 +0800] "GET / HTTP/1.1" 200 3
100.116.x.225 - - [07/Jan/2018:15:46:25 +0800] "GET / HTTP/1.0" 200 34.1、 一层转发
链路: Client->SLB->ECS
120.24.x.201 100.116.x.165 - - [07/Jan/2018:15:44:52 +0800] "GET / HTTP/1.0" 200 3
120.24.x.201 100.116.x.138 - - [07/Jan/2018:15:44:52 +0800] "GET / HTTP/1.1" 200 3
120.24.x.201 100.116.x.227 - - [07/Jan/2018:15:44:52 +0800] "GET / HTTP/1.0" 200 34.2、 二层转发
链路: Client->WAF->SLB->ECS
120.24.x.201, 118.178.x.117 100.116.x.167 - - [07/Jan/2018:15:47:23 +0800] "GET / HTTP/1.0" 200 3
120.24.x.201, 118.178.x.115 100.116.x.155 - - [07/Jan/2018:15:47:23 +0800] "GET / HTTP/1.0" 200 3
120.24.x.201, 120.27.x.39 100.116.x.142 - - [07/Jan/2018:15:47:23 +0800] "GET / HTTP/1.1" 200 34.3、 三层转发
链路: Client->高防->WAF->SLB->ECS
120.24.x.201, 116.211.x.14, 120.27.x.33 100.116.x.221 - - [07/Jan/2018:15:48:05 +0800] "GET / HTTP/1.0" 200 3
120.24.x.201, 116.211.x.3, 118.178.x.115 100.116.x.170 - - [07/Jan/2018:15:48:05 +0800] "GET / HTTP/1.0" 200 3
120.24.x.201, 116.211.x.18, 120.27.x.52 100.116.x.164 - - [07/Jan/2018:15:48:06 +0800] "GET / HTTP/1.0" 200 3