CentOS 7.x でも mod_extract_forwarded を使ってリバースプロキシ経由のアクセス元IPを書き換えたい

yum install httpd-devel -y git clone https://github.com/matsumoto-r/mod_extract_forwarded_for_2.4.git cd mod_extract_forwarded_for_2.4 apxs -c -i mod_extract_forwarded.c

cat << 'EOS' > /etc/httpd/conf.modules.d/01-extract_forwarded.conf LoadModule extract_forwarded_module modules/mod_extract_forwarded.so # MEForder can have either of two value 'refuse,accept' or 'accept,refuse' and # specifies the order in which the information in two associated directives, # MEFaccept and MEFrefuse, are intepreted. The MEFaccept and MEFrefuse # directives are each used to spcifiy one or more IP numbers. MEForder refuse,accept # MEFrefuse can be 'all' OR a list of IP numbers and/or domain names of trusted # proxy servers whose IP number can be derived by DNS from the domain name. # The presence of 'all' overrides any particular IP numbers and means that no # proxy servers are to be trusted. Individual IP numbers mean that those proxy # servers having them are not to be trusted. This defaults to 'all'. MEFrefuse all # MEFaccept can be 'all' OR a list of IP numbers and/or domain names of trusted # proxy servers whose IP number can be derived by DNS from the domain name. # The presence of 'all' overrides any particular IP numbers and means that all # proxy servers are to be trusted. # Individual IP numbers mean that those the proxy servers having them are to be # trusted. This defaults to an empty list of trusted IP numbers. MEFaccept 192.168.###.### # Normal mode of use is to say: # # MEForder refuse,accept # MEFrefuse all # MEFaccept <space separated list of your trusted proxy servers' IP numbers> # # with the MEForder directive saying apply the MEFrefuse rule first then the # MEFaccept rule. # The MEFrefuse rule says do not trust any proxy servers but this is selectively # overridden for particular IP numbers listed by the MEFaccept directive. # MEFaddenv can be 'off', 'on' (the default) or a string. 'off' means that when # spoofing, do not add an environment variable whose value is the IP number of # the connecting machine. 'on' means that when spoofing, add an environment # variable called 'MEF_RPROXY_ADDR' whose value is the IP number of the # connecting machine. # A string means that when spoofing, add an environment variable named by the # string supplied whose value is the IP number of the connecting machine. MEFaddenv on # MEFdebug can be 'on' or 'off' (the default). When turned 'on' information # about how the mod_extract_forwarded module is processing every request to your # Apache 2 server, and any associated internal redirects or subsrequests, is # written to the server's error_log. # The amount of output written and the way it is generated is such that you # would never normally want to turn this feature on. # This feature is intended for debugging operation of the mod_extract_forwarded # module and it is unlikely you will want to do that. MEFdebug off EOS

systemctl restart httpd systemctl status httpd