httpd-dev mailing list archives

From Graham Leggett <minf...@sharp.fm>
Subject Re: mod_remoteip does NOT change access-log IP
Date Thu, 24 Jan 2013 23:34:50 GMT
On 24 Jan 2013, at 20:02, Stefan Fritsch <sf@sfritsch.de> wrote:

> The problem seems to be ap_get_remote_host() which is used by the %h 
> used in the default access log format. But resolving an IP address 
> that came via X-Forwarded-For does not make any sense anyway, because 
> the server's view of DNS may be different than the proxy's view.
> 
> If you use %a instead of %h, that should do the right thing. There is 
> also a "%{c}a" to get the proxy's IP.
> 
> That's rather confusing. Any opinions if the behavior should be 
> changed or if this should be fixed by documentation?

As soon as you enable mod_remoteip, you are in the world of proxies and load balancers, and
by definition you have at least two IP addresses, the address of the load balancer, and the
address of the host beyond the load balancer.

It is up to the administrator to decide which IP address they want to log, the load balancer
IP, or the IP of the host beyond.

We currently offer that option based on the principle of least surprise, to log the downstream
host IP address, as it is the address that the AAA subsystem probably cares about the most.

It is also up to third party module authors to properly handle the two IPs, and offer the
end user sensible behaviour. Load balancers are a first class concept properly recognized
by httpd in 2.4, and is no longer the "request hacks the parent connection" that was going
on before.

Regards,
Graham
--
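
The log-format choice discussed in this thread, shown as an added configuration example that is not part of the original messages or of httpd's shipped configuration. The proxy address 192.0.2.10, the log path and the format nickname "proxied" are assumptions chosen for illustration.

```apache
# Added example, not from the thread. 192.0.2.10 and the nickname "proxied"
# are illustrative assumptions; substitute your own load balancer address.
LoadModule remoteip_module modules/mod_remoteip.so

# Honour X-Forwarded-For only when the connection comes from the load
# balancer we operate, so that other peers cannot set the logged client IP.
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 192.0.2.10

# Stock "common" format: %h is the field the thread identifies as going
# through ap_get_remote_host().
LogFormat "%h %l %u %t \"%r\" %>s %b" common

# %a    = client address as seen by the request (set by mod_remoteip)
# %{c}a = address of the underlying connection peer (the load balancer)
# Logging both keeps the proxy hop visible for later investigation.
LogFormat "%a %{c}a %l %u %t \"%r\" %>s %b" proxied
CustomLog "logs/access_log" proxied
```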

