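Obtaining the User's Real IP Behind Multi-Level Proxies (Squid)
Question:
In one sentence: when X-Forwarded-For contains multiple IPs, which one should be used?
(This article does not cover how Apache obtains the user's real IP. If you need that, see:
squid reverse-acceleration / proxy-acceleration mode: original-IP log module for the local apache2 - mod_extract_forwarded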
http://windtear.net/archives/2004/12/09/000440.html
squid reverse-acceleration mode: original-IP log module for the local apache - mod_extract_forwarded
http://windtear.net/archives/2004/10/31/000293.html
)
Answer:
Take the first valid IP string in X-Forwarded-For that is not unknown
Discussion:
The squid.conf default is
forwarded_for on
If forwarded_for is set to off, the header becomes
X-Forwarded-For: unknown
If an unknown entry is present, just strip it out yourself
Example:
X-Forwarded-For: 192.168.1.11, 192.168.1.12, 192.168.1.13, 192.168.1.10
The user's real IP is 192.168.1.11
Simulation:
# telnet 192.168.1.10 80
Trying 192.168.1.10...
Connected to windteartest (192.168.1.10).
Escape character is '^]'.
GET / HTTP/1.1
HOST: test.com
X-Forwarded-For: 192.168.1.11, 192.168.1.12, 192.168.1.13
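On the server side, cache.log shows the following (environment setup omitted here; a forwarding loop was configured on purpose to make this easy to see):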
2006/04/27 19:36:21| WARNING: Forwarding loop detected for:
Client: 192.168.1.10 http_port: 192.168.1.10:80
GET http://test.com/ HTTP/1.0
Host: test.com
Via: 1.1 squid10.test.com:80 (squid/2.5.STABLE13)
X-Forwarded-For: 192.168.1.11, 192.168.1.12, 192.168.1.13, 192.168.1.10
Cache-Control: max-age=600
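
The rule above in Python, as an added example that is not part of the original article. It also goes one step beyond the article: as the telnet simulation shows, every entry except the one Squid appended was typed by the requester, so client_ip_behind_trusted walks the chain from the right and skips only addresses you list as your own proxies. The function names, the peer address 192.168.1.20 and the trusted list are assumptions made for the example.

```python
import ipaddress

def parse_xff(header):
    """Split an X-Forwarded-For value into valid IP strings."""
    hops = []
    for token in header.split(","):
        token = token.strip()
        if not token or token.lower() == "unknown":
            continue  # "unknown" is what Squid sends with forwarded_for off
        try:
            hops.append(str(ipaddress.ip_address(token)))
        except ValueError:
            continue  # not an IP literal: never treat it as an address
    return hops

def first_valid_ip(header):
    """The article's rule: first entry that is a valid IP and not 'unknown'."""
    hops = parse_xff(header)
    return hops[0] if hops else None

def client_ip_behind_trusted(header, peer_ip, trusted_proxies):
    """Assumption beyond the article: start at the TCP peer and walk right to
    left, returning the first address that is not one of our own proxies."""
    trusted = [ipaddress.ip_network(net) for net in trusted_proxies]
    chain = parse_xff(header) + [peer_ip]
    for hop in reversed(chain):
        addr = ipaddress.ip_address(hop)
        if not any(addr in net for net in trusted):
            return hop
    return chain[0]  # every hop is one of ours: request came from inside

if __name__ == "__main__":
    # Header value taken from the cache.log excerpt in the article.
    xff = "192.168.1.11, 192.168.1.12, 192.168.1.13, 192.168.1.10"
    print(first_valid_ip(xff))
    # Constructed scenario: the backend's TCP peer is a Squid at 192.168.1.20.
    print(client_ip_behind_trusted(xff, "192.168.1.20", ["192.168.1.20/32"]))
```

In the constructed scenario the second call returns 192.168.1.10, the address cache.log records as Client, while the first three entries are the values typed into the telnet session.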