肖建彬的博客

作者: 肖建彬 | 可以转载, 转载时务必以超链接形式标明文章原始出处和作者信息及版权声明
网址：http://www.xiaojb.com/archives/it/mod_extract_forwarded.shtml

mod_extract_forwarded 1.4 for apache1 http://web.warhound.org/mod_extract_forwarded/
mod_extract_forwarded for apache2 http://www.openinfo.co.uk/apache/index.html

openinfo.co.hk的主页不能打开，只好搜索了一个srpm。

编译之前要注意的是，如果没有用mod_proxy,要把mod_extract_forwarded.c的#define USING_proxy_http_module 1注释一下。
apxs -ica mod_extract_forwarded.c
模块自动完成安装，我的mod_extract_forwarded的配置是

LoadModule extract_forwarded_module modules/mod_extract_forwarded.so

# MEForder can have either of two value 'refuse,accept' or 'accept,refuse' and
# specifies the order in which the information in two associated directives,
# MEFaccept and MEFrefuse, are intepreted. The MEFaccept and MEFrefuse
# directives are each used to spcifiy one or more IP numbers.

MEForder refuse,accept

# MEFrefuse can be 'all' OR a list of IP numbers and/or domain names of trusted
# proxy servers whose IP number can be derived by DNS from the domain name.
# The presence of 'all' overrides any particular IP numbers and means that no
# proxy servers are to be trusted. Individual IP numbers mean that those proxy
# servers having them are not to be trusted. This defaults to 'all'.

MEFrefuse all

# MEFaccept can be 'all' OR a list of IP numbers and/or domain names of trusted
# proxy servers whose IP number can be derived by DNS from the domain name.
# The presence of 'all' overrides any particular IP numbers and means that all
# proxy servers are to be trusted.
# Individual IP numbers mean that those the proxy servers having them are to be
# trusted. This defaults to an empty list of trusted IP numbers.
# 信任的proxy或者squid的ip
MEFaccept 127.0.0.1

# Normal mode of use is to say:
#
#   MEForder refuse,accept
#   MEFrefuse all
#   MEFaccept 
#
# with the MEForder directive saying apply the MEFrefuse rule first then the
# MEFaccept rule.
# The MEFrefuse rule says do not trust any proxy servers but this is selectively
# overridden for particular IP numbers listed by the MEFaccept directive.

# MEFaddenv can be 'off', 'on' (the default) or a string. 'off' means that when
# spoofing, do not add an environment variable whose value is the IP number of
# the connecting machine. 'on' means that when spoofing, add an environment
# variable called 'MEF_RPROXY_ADDR' whose value is the IP number of the
# connecting machine.
# A string means that when spoofing, add an environment variable named by the
# string supplied whose value is the IP number of the connecting machine.

MEFaddenv on

# MEFdebug can be 'on' or 'off' (the default). When turned 'on' information
# about how the mod_extract_forwarded module is processing every request to your
# Apache 2 server, and any associated internal redirects or subsrequests, is
# written to the server's error_log.
# The amount of output written and the way it is generated is such that you
# would never normally want to turn this feature on.
# This feature is intended for debugging operation of the mod_extract_forwarded
# module and it is unlikely you will want to do that.

MEFdebug off

重启apache，透过squid看phpinfo()的运行结果，REMOTE_ADDR由squid的IP替换为客户端真实IP。

其他参考：
mod_extract_forwarded for lighttpd
squid 反向加速/代理加速模式下 本机apache2的原IP log module - mod_extract_forwarded