Return-Path: X-Original-To: apmail-httpd-dev-archive@www.apache.org Delivered-To: apmail-httpd-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id B55BB7CF7 for ; Mon, 21 Nov 2011 18:04:40 +0000 (UTC) Received: (qmail 16633 invoked by uid 500); 21 Nov 2011 18:04:39 -0000 Delivered-To: apmail-httpd-dev-archive@httpd.apache.org Received: (qmail 16523 invoked by uid 500); 21 Nov 2011 18:04:39 -0000 Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list dev@httpd.apache.org Received: (qmail 16515 invoked by uid 99); 21 Nov 2011 18:04:39 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 21 Nov 2011 18:04:39 +0000 X-ASF-Spam-Status: No, hits=-2.3 required=5.0 tests=RCVD_IN_DNSWL_MED,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: local policy) Received: from [188.40.99.202] (HELO eru.sfritsch.de) (188.40.99.202) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 21 Nov 2011 18:04:33 +0000 Received: from [10.1.1.6] (helo=k.localnet) by eru.sfritsch.de with esmtp (Exim 4.72) (envelope-from ) id 1RSYDz-00020F-SG for dev@httpd.apache.org; Mon, 21 Nov 2011 19:04:12 +0100 From: Stefan Fritsch To: dev@httpd.apache.org Subject: Re: Effective IP address / real IP address Date: Mon, 21 Nov 2011 19:04:10 +0100 User-Agent: KMail/1.13.7 (Linux/3.1.0-1-amd64; KDE/4.6.5; x86_64; ; ) References: <1082AC01-C7E8-493A-9FD1-FFF8BD10EE13@sharp.fm> <6BCD7365-4E4F-472A-9CDE-2458477CCFAE@sharp.fm> In-Reply-To: <6BCD7365-4E4F-472A-9CDE-2458477CCFAE@sharp.fm> MIME-Version: 1.0 Content-Type: Text/Plain; charset="iso-8859-15" Content-Transfer-Encoding: 7bit Message-Id: <201111211904.11389.sf@sfritsch.de> On Sunday 20 November 2011, Graham Leggett wrote: > On 20 Nov 2011, at 1:37 AM, Jeff Trawick wrote: > > On Sat, Nov 19, 2011 at 2:46 PM, Stefan Fritsch > > > > wrote: > >> On Saturday 19 November 2011, Graham Leggett wrote: > >>>> The correction is simple; promote the remote_ip up to the > >>>> request rec and log/use for authentication that r->remote_ip > >>>> throughout httpd. Introduce a wire client logging tag for > >>>> c->remote_ip. > >>> > >>> This is a lot simpler and cleaner I think, let me come up with > >>> an alternative patch. > >> > >> I also think this is preferable. The hook approach adds unneeded > >> complexity and users of mod_remoteip would also need to change > >> their log formats. > > > > Yeah, only needing to add a special .conf for LB configurations > > would be nice (i.e., not touching/reconfiguring anything else) > > This is the alternative I've come up with, again needing docs and > in- principle. A logging option has been attached to log the raw > IP address. Separately, I've attached a patch for mod_remoteip. > Thoughts? Looks reasonable. Some comments: The error log handler log_remote_address for %a needs to fall back to c->remote_ip if r is not specified. Otherwise one would need different logformats for per-conn and per-request log messages. Also, I would prefer %{r}a and %{c}a to force logging of r->remote_ip and c- >remote_ip. Then we don't need a new format letter and it would be more consistent with the %L and %{c}L errorlog format. We may also want a CONN_REMOTE_ADDR or PHYS_REMOTE_ADDR variable in ap_expr to still allow access to c->remote_addr. Do we need special handling of the REMOTE_HOST script variable? Probably it does not make sense because we can't reliably do DNS lookups for addresses received via X-Forwarded-For. I think there may be some confusion of addresses if mod_remoteip is used for CONNECT requests. But I am OK with ignoring that complication. It should always be possible to use the connection log ids to correlate the different messages. IMHO, commit to trunk and we can fix the remaining issues there.