My server sits behind an nginx reverse proxy, but the client IPs in the Apache log look like this, which seems normal; there is nothing like x-forward in the log.
103.221.234.206 - - [28/Feb/2024:14:37:29 +0800] "GET /styles/pke/?mejiku=zeus138 HTTP/1.1" 404 3888 "https://x.y.z.a/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Vivaldi/5.3.2679.68"
65.109.34.52 - - [28/Feb/2024:14:37:29 +0800] "GET /index.php/index/user/register HTTP/1.1" 200 9568 "https://x.y.z.a/" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 YaBrowser/22.7.0 Yowser/2.5 Safari/537.36"
103.221.234.206 - - [28/Feb/2024:14:37:31 +0800] "GET / HTTP/1.1" 200 8561 "https://x.y.z.a" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Vivaldi/5.3.2679.68"
194.32.229.95 - - [28/Feb/2024:14:37:32 +0800] "GET /index.php/index/user/register HTTP/1.1" 200 9487 "https://x.y.z.a/" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 YaBrowser/22.7.0 Yowser/2.5 Safari/537.36"
Next... configuring fail2ban works fine, but iptables cannot block IPs that come from public IPs. My iptables are shown below. It only works when banning local IPs.
Chain INPUT (policy DROP 22909 packets, 8800K bytes)
pkts bytes target prot opt in out source destination
691K 72M f2b-apache-noscript tcp -- any any anywhere anywhere multiport dports http,https
690K 85M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
76 4560 ACCEPT all -- lo any anywhere anywhere
1 60 ACCEPT icmp -- any any anywhere anywhere
1 64 ACCEPT tcp -- any any 10.0.0.0/8 anywhere tcp dpt:ssh
807 42768 ACCEPT tcp -- any any 10.0.0.0/8 anywhere tcp dpt:webmin
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
34019 2040K ACCEPT tcp -- any any anywhere anywhere tcp dpt:https
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 720K packets, 2306M bytes)
pkts bytes target prot opt in out source destination
Chain f2b-apache-noscript (1 references)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- any any 77.111.244.49 anywhere reject-with icmp-port-unreachable
0 0 REJECT all -- any any 103.151.140.101 anywhere reject-with icmp-port-unreachable
0 0 REJECT all -- any any 20.125.101.243 anywhere reject-with icmp-port-unreachable
My iptables cannot catch traffic from that specific IP.
What should I do to make my fail2ban work without changing the network topology where my server sits behind a reverse proxy?
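A diagnostic for the situation described in this question, added here as an example (not code from the post): it parses the Apache log and the f2b chain listing and flags banned addresses that Apache keeps logging while their REJECT rule counter stays at zero, which is the signature of a ban applied on the backend while the TCP connections actually arrive from the proxy. The log line for 77.111.244.49 is constructed; everything else is taken from the post.

```python
import re
# Constructed sample (hypothetical): two of the post's Apache log lines with
# user agents shortened, plus a line for an address fail2ban already banned.
APACHE_LOG = """\
103.221.234.206 - - [28/Feb/2024:14:37:29 +0800] "GET /styles/pke/?mejiku=zeus138 HTTP/1.1" 404 3888 "https://x.y.z.a/" "Mozilla/5.0"
103.221.234.206 - - [28/Feb/2024:14:37:31 +0800] "GET / HTTP/1.1" 200 8561 "https://x.y.z.a" "Mozilla/5.0"
77.111.244.49 - - [28/Feb/2024:14:40:02 +0800] "GET /cgi-bin/test HTTP/1.1" 404 3888 "-" "Mozilla/5.0"
"""
# The post's `iptables -L -v` listing of the fail2ban chain (every counter is 0).
F2B_CHAIN = """\
Chain f2b-apache-noscript (1 references)
 pkts bytes target prot opt in out source destination
 0 0 REJECT all -- any any 77.111.244.49 anywhere reject-with icmp-port-unreachable
 0 0 REJECT all -- any any 103.151.140.101 anywhere reject-with icmp-port-unreachable
 0 0 REJECT all -- any any 20.125.101.243 anywhere reject-with icmp-port-unreachable
"""
# Apache combined log: %h %l %u %t "%r" %>s ... ; %h is the field fail2ban reads.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3}')

def parse_log(text):
    """Map each client address (%h) in the log to its request count."""
    counts = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            counts[m.group("ip")] = counts.get(m.group("ip"), 0) + 1
    return counts

def parse_f2b_chain(text):
    """Map each REJECT rule's source address to its pkts counter."""
    # Columns (with or without -n): pkts bytes target prot opt in out source destination ...
    bans = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 9 and cols[2] == "REJECT":
            bans[cols[7]] = int(cols[0])
    return bans

def ineffective_bans(log_text, chain_text):
    """Banned addresses Apache still logs while their rule has matched 0 packets.

    That means netfilter never sees the client address: the TCP connection
    arrives from the reverse proxy and the client IP exists only at the HTTP
    layer, so a source-IP REJECT on the backend cannot match it.
    """
    hits = parse_log(log_text)
    return sorted(ip for ip, pkts in parse_f2b_chain(chain_text).items()
                  if pkts == 0 and hits.get(ip, 0) > 0)
```

Run it against a live log and `iptables -L f2b-apache-noscript -v -n` output; any address it returns is being banned at the wrong layer for this topology.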