测试环境

IP相关信息

VPC环境

ECS内网IP：10.0.xx.177ECS公网IP：121.196.xx.22SLB的IP：118.178.xx.145 http监听 80端口 WAF测试域名：test.pierxx.cnWAF测试域名对应Cname：rxqetx2tcwmn7oqjmykc0xxxx.aliyunwaf.com (101.37.xx.177)高防测试域名对应Cname: 89xxxxxbag6.gfnormal07ai.com (116.211.xxx.155)

版本信息

[root@iZbp106q0xxxxx1hrrgbedZ ~]# httpd -vServer version: Apache/2.4.6 (CentOS)Server built:   Oct 19 2017 20:39:16[root@iZbp106q0xxx1hrrgbedZ ~]# uname -aLinux iZbp106q0xxxhrrgbedZ 3.10.0-693.2.2.el7.x86_64 #1 SMP Tue Sep 12 22:26:13 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux[root@iZbp106qxxxxgbedZ ~]# lsb_release -aLSB Version:    :core-4.1-amd64:core-4.1-noarchDistributor ID:    CentOSDescription:    CentOS Linux release 7.4.1708 (Core)Release:    7.4.1708Codename:    Core[root@iZbp106xxxxrrgbedZ ~]#

安装的配置目录结构

[root@iZbp106q07wxxxxdZ httpd]# pwd/etc/httpd[root@iZbp106q07xxxxgbedZ httpd]# tree.├── conf│   ├── httpd.conf│   └── magic├── conf.d│   ├── autoindex.conf│   ├── README│   ├── userdir.conf│   └── welcome.conf├── conf.modules.d│   ├── 00-base.conf│   ├── 00-dav.conf│   ├── 00-lua.conf│   ├── 00-mpm.conf│   ├── 00-proxy.conf│   ├── 00-systemd.conf│   └── 01-cgi.conf├── logs -> ../../var/log/httpd├── modules -> ../../usr/lib64/httpd/modules└── run -> /run/httpd6 directories, 13 files

配置vhost

[root@iZbp106q0xxxxxbedZ conf.d]# cat httpd-vhosts.conf
    
     ServerAdmin webmaster@dummy-host.localhostDocumentRoot "/webroot"ServerName test.pixxx.cn#ServerAlias localhostErrorLog "logs/fexxan.localhost-error.log"CustomLog "logs/fxxan-access.log" common
     
        Options -Indexes +FollowSymlinks  AllowOverride All  Require all granted
     
    [root@iZbp106q07wqxxxxxedZ conf.d]# service httpd  restartRedirecting to /bin/systemctl restart httpd.service[root@iZbp106q07xxxxrrgbedZ conf.d]#

mod_remoteip方法

1、验证模块

[root@iZbp106q07wxxxxZ httpd]# cat conf.modules.d/* | grep mod_remoteipLoadModule remoteip_module modules/mod_remoteip.so[root@iZbp106q07wxxxxdZ httpd]# cat conf/* | grep conf.modulesInclude conf.modules.d/*.conf[root@iZbp106q07xxxxrgbedZ httpd]#apachectl -M  | grep remoteip_module remoteip_module (shared)

如上内容，模块mod_remoteip已经安装 已经加载了，关于该模块的介绍请点。

2、修改配置

在主配置文件中加入：%{X-Forwarded-For}i路径：/etc/httpd/conf/httpd.conf配置修改前

    
         #    # The following directives define some format nicknames for use with    # a CustomLog directive (see below).    #    LogFormat "%h  %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined    LogFormat "%h  %l %u %t \"%r\" %>s %b" common    
     
            # You need to enable mod_logio.c to use %I and %O      LogFormat "%h  %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio    
     
    

配置修改后

    
         #    # The following directives define some format nicknames for use with    # a CustomLog directive (see below).    #    LogFormat "%h %{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined    LogFormat "%h %{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common    
     
            # You need to enable mod_logio.c to use %I and %O      LogFormat "%h %a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio    
     
    

3、生效确认

配置前

100.116.xx.179 - - [07/Jan/2018:13:10:31 +0800] "GET / HTTP/1.0" 304 -100.116.xx.177 - - [07/Jan/2018:13:10:33 +0800] "GET / HTTP/1.0" 304 -100.116.xx.189 - - [07/Jan/2018:13:10:33 +0800] "GET / HTTP/1.0" 304 -

3.1、 一层转发

链路： Client->SLB->ECS

120.24.xx.201 100.116.x.150  - - [07/Jan/2018:13:36:10 +0800] "GET / HTTP/1.0" 200 3120.24.x.201 100.116.x.202  - - [07/Jan/2018:13:36:11 +0800] "GET / HTTP/1.0" 200 3120.24.x.201 100.116.x.136  - - [07/Jan/2018:13:36:12 +0800] "GET / HTTP/1.1" 200 3

3.2、二层转发

链路： Client->WAF->SLB->ECS

120.24.x.201, 120.27.x.39 100.116.x.204  - - [07/Jan/2018:13:44:56 +0800] "GET / HTTP/1.0" 200 3120.24.x.201, 118.178.x.115 100.116.x.128  - - [07/Jan/2018:13:44:56 +0800] "GET / HTTP/1.1" 200 3120.24.xx.201, 120.27.xx.52 100.116.xx.201  - - [07/Jan/2018:13:44:56 +0800] "GET / HTTP/1.1" 200 3

3.3、 三层转发

链路： Client->高防->WAF->SLB->ECS

120.24.x.201, 116.211.x.12, 120.27.x.33 100.116.x.233  - - [07/Jan/2018:14:24:53 +0800] "GET / HTTP/1.0" 200 3120.24.x.201, 116.211.x.9, 120.27.x.50 100.116.x.217  - - [07/Jan/2018:14:24:53 +0800] "GET / HTTP/1.0" 200 3120.24.x.201, 116.211.x.9, 120.27.x.39 100.116.x.213  - - [07/Jan/2018:14:24:53 +0800] "GET / HTTP/1.0" 200 3

mod_rpaf方法

1、 验证模块

[root@iZbp106qxedZ httpd]# cat conf.modules.d/* | grep mod_rpaf[root@iZbp106q0xbedZ httpd]# apachectl -M | grep mod_rpaf[root@iZbp106xu1hrrgbedZ httpd]#

mod_rpaf没有安装好，需要单独安装

安装过程不在此处描述安装完成后的检查

[root@iZbp106q0xZ httpd]# cat conf.modules.d/* | grep mod_rpafLoadModule              rpaf_module modules/mod_rpaf.so[root@iZbp1xbedZ httpd]# apachectl -M | grep rpaf rpaf_module (shared)

2、 mod_rpaf 配置

文件路径：/etc/httpd/conf.modules.d/01-rpaf.conf01-rpaf.conf该文件为新创建的。

[root@iZbp106q0x conf.modules.d]# cat  01-rpaf.confLoadModule              rpaf_module modules/mod_rpaf.soRPAF_Enable             OnRPAF_ProxyIPs           0.0.0.0RPAF_SetHostName        OnRPAF_SetHTTPS           OnRPAF_SetPort            OnRPAF_ForbidIfNotProxy   Off

3、 修改配置

在主配置文件中加入：%{X-Forwarded-For}i路径：/etc/httpd/conf/httpd.conf配置修改前

    
         #    # The following directives define some format nicknames for use with    # a CustomLog directive (see below).    #    LogFormat "%h  %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined    LogFormat "%h  %l %u %t \"%r\" %>s %b" common    
     
            # You need to enable mod_logio.c to use %I and %O      LogFormat "%h  %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio    
     
    

配置修改后

    
         #    # The following directives define some format nicknames for use with    # a CustomLog directive (see below).    #    LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined    LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b" common    
     
            # You need to enable mod_logio.c to use %I and %O      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio    
         #    # The location and format of the access logfile (Common Logfile Format).    # If you do not define any access logfiles within a 
     
          # container, they will be logged here.  Contrariwise, if you *do*    # define per-
      
        access logfiles, transactions will be    # logged therein and *not* in this file.    #    #CustomLog "logs/access_log" common    #    # If you prefer a logfile with access, agent, and referer information    # (Combined Logfile Format) you can use the following directive.    #    CustomLog "logs/access_log" combined
      
     
    

4、 生效确认

配置前

100.116.x.171 - - [07/Jan/2018:15:46:25 +0800] "GET / HTTP/1.0" 200 3100.116.x.135 - - [07/Jan/2018:15:46:25 +0800] "GET / HTTP/1.1" 200 3100.116.x.225 - - [07/Jan/2018:15:46:25 +0800] "GET / HTTP/1.0" 200 3

4.1、 一层转发

链路： Client->SLB->ECS

120.24.x.201 100.116.x.165 - - [07/Jan/2018:15:44:52 +0800] "GET / HTTP/1.0" 200 3120.24.x.201 100.116.x.138 - - [07/Jan/2018:15:44:52 +0800] "GET / HTTP/1.1" 200 3120.24.x.201 100.116.x.227 - - [07/Jan/2018:15:44:52 +0800] "GET / HTTP/1.0" 200 3

4.2、 二层转发

链路： Client->WAF->SLB->ECS

120.24.x.201, 118.178.x.117 100.116.x.167 - - [07/Jan/2018:15:47:23 +0800] "GET / HTTP/1.0" 200 3120.24.x.201, 118.178.x.115 100.116.x.155 - - [07/Jan/2018:15:47:23 +0800] "GET / HTTP/1.0" 200 3120.24.x.201, 120.27.x.39 100.116.x.142 - - [07/Jan/2018:15:47:23 +0800] "GET / HTTP/1.1" 200 3

4.3、 三层转发

链路： Client->高防->WAF->SLB->ECS

120.24.x.201, 116.211.x.14, 120.27.x.33 100.116.x.221 - - [07/Jan/2018:15:48:05 +0800] "GET / HTTP/1.0" 200 3120.24.x.201, 116.211.x.3, 118.178.x.115 100.116.x.170 - - [07/Jan/2018:15:48:05 +0800] "GET / HTTP/1.0" 200 3120.24.x.201, 116.211.x.18, 120.27.x.52 100.116.x.164 - - [07/Jan/2018:15:48:06 +0800] "GET / HTTP/1.0" 200 3

附录