httpd-dev mailing list archives

From Reindl Harald <h.rei...@thelounge.net>
Subject Re: mod_remoteip does NOT change access-log IP
Date Thu, 24 Jan 2013 20:43:47 GMT


On 24.01.2013 21:02, Stefan Fritsch wrote:
> On Wednesday 23 January 2013, Reindl Harald wrote:
>> hi
>>
>> LoadModule            remoteip_module "modules/mod_remoteip.so"
>> RemoteIPHeader        X-Forwarded-For
>> RemoteIPInternalProxy 127.0.0.1 10.0.0.4 10.0.0.103 91.118.73.4
>> ________________________
>>
>> PHP - fine, exactly how it should be:
>> _SERVER["SERVER_ADDR"]	10.0.0.99
>> _SERVER["SERVER_PORT"]	8080
>> _SERVER["REMOTE_ADDR"]	10.0.0.99
>> ________________________
>>
>> BUT the access-log contains the IP of the apache trafficserver.
>> This is a major problem for replacing mod_rpaf with mod_remoteip,
>> because webalizer usages are more or less useless
>>
>> 10.0.0.103 - - [23/Jan/2013:17:01:53 +0100] "GET
>> /images/page/tidy_16.gif HTTP/1.1" 304 -
>> "http://www.test.rh:8080/" "Mozilla/5.0 (X11; Linux x86_64;
>> rv:18.0) Gecko/20100101 Firefox/18.0" (-%)
> 
> 
> The problem seems to be ap_get_remote_host() which is used by the %h 
> used in the default access log format. But resolving an IP address 
> that came via X-Forwarded-For does not make any sense anyway, because 
> the server's view of DNS may be different than the proxy's view.

but there is no resolving, the problem is simply
that the proxy is in the internal LAN, 100% trustable,
and from the view of the backend server it must not
appear in any way

even if there is resolving: as long as the proxy and the
backend httpd have the same DNS view -> no problem

> If you use %a instead of %h, that should do the right thing. There is 
> also a "%{c}a" to get the proxy's IP.

but how to handle it if you have a globally defined log-format
and you have some hundred vhosts, where some, depending on
the typical load, are pointing directly to the server and
high-traffic sites are pointing to the trafficserver?

having the LAN IP of the proxy anywhere is wrong and makes, from
the view of customers, usage of apache trafficserver impossible,
and having different client IPs in several places is bad

the trafficserver is a 100% trusted machine
any X-Forwarded-For is trusted
any connection from this machine contains X-Forwarded-For
the machine with trafficserver has only one service

> That's rather confusing. Any opinions if the behavior should be 
> changed or if this should be fixed by documentation?

"mod_rpaf" until 2.4 did handle this perfectly

as I played last summer with trafficserver, this was the point for
considering it usable: no impact on logging / security from
having LAN IPs inside PHP scripts, which may behave differently in such
cases, and last but not least no need to touch any vhost config

* any logfile contained the X-Forwarded-For
* any variable in PHP contained X-Forwarded-For
* mod_security saw the X-Forwarded-For
* X-Forwarded-For only from hard defined addresses, the trusted proxy
* no different configuration for hosts with proxy in front or directly called
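As an added illustration (not code from the thread, from mod_remoteip, or from the httpd project), the following Python model shows the behaviour the thread is arguing about: which address the RemoteIPInternalProxy list lets httpd believe when a request arrives with X-Forwarded-For, and why the choice of %h, %a or %{c}a in the LogFormat decides what the access-log shows. It assumes the trusted-proxy list quoted above, treats %h as the bare connection peer (the behaviour Reindl reports; HostnameLookups are assumed off), and uses constructed client addresses from the documentation ranges.

```python
import ipaddress

# Trusted proxy list, constructed to match the RemoteIPInternalProxy line
# quoted in the thread. Anything else talking to this httpd is an untrusted peer.
INTERNAL_PROXIES = [
    ipaddress.ip_network(p)
    for p in ("127.0.0.1", "10.0.0.4", "10.0.0.103", "91.118.73.4")
]


def is_internal_proxy(addr):
    """True if addr is one of the configured internal proxies."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_PROXIES)


def resolve_client_ip(peer_ip, xff_header):
    """Model of how RemoteIPHeader + RemoteIPInternalProxy pick the client.

    The X-Forwarded-For chain is walked from the right (the hop nearest to
    us) to the left, and each hop is believed only while the address that
    *sent* it is a configured internal proxy. An untrusted peer's
    X-Forwarded-For is therefore ignored completely, which is what stops a
    direct client from spoofing its logged address.
    Returns (client_ip, hops_that_were_not_trusted).
    """
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    client = peer_ip
    while hops and is_internal_proxy(client):
        candidate = hops[-1]              # rightmost remaining hop
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break                         # malformed hop: stop walking
        hops.pop()
        client = candidate
    return client, hops


def render_log(fmt, peer_ip, xff_header):
    """Expand the three address directives discussed in the thread.

    %h is modelled as the connection peer (the behaviour the thread
    complains about), %a as the remoteip-resolved client, and %{c}a as
    the peer. Only these three directives are expanded.
    """
    client, _ = resolve_client_ip(peer_ip, xff_header)
    return (fmt.replace("%{c}a", peer_ip)
               .replace("%a", client)
               .replace("%h", peer_ip))


if __name__ == "__main__":
    # Constructed sample: the request from the thread arriving via the
    # trafficserver at 10.0.0.103, carrying a constructed client address.
    fmt = '%h | %a | %{c}a "GET /images/page/tidy_16.gif HTTP/1.1" 304'
    print(render_log(fmt, "10.0.0.103", "203.0.113.7"))
    # A direct (non-proxy) client sending its own X-Forwarded-For gains nothing:
    print(resolve_client_ip("203.0.113.50", "10.0.0.4"))
```

The second print is the point defenders care about: with %a and a strict RemoteIPInternalProxy list, a client that connects directly and forges X-Forwarded-For is still logged under its real peer address, while requests that really came through the trafficserver are logged under the forwarded client address, so one global LogFormat serves both kinds of vhost.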
