httpd-users mailing list archives

From Mike Rumph <mike.ru...@oracle.com>
Subject Re: [users@httpd] mod_remoteip not setting client's ip with AWS ELB
Date Thu, 02 Oct 2014 16:04:44 GMT
Hello Christopher,

Since you are running 2.4.10, you have the latest mod_remoteip fixes.
But I think the problem is in the directives that you are using:

      RemoteIPHeader X-Forwarded-For
      #RemoteIPTrustedProxy 10.0.0.0/8


If you only use the RemoteIPHeader directive, then the default is to 
treat all proxies as external trusted proxies.
Having RemoteIPTrustedProxy set for all your proxies would have the same 
effect.

I assume by your 10.0.0.0/8 mask that this matches your proxy addresses.
But 10.0.0.0/8 is a mask for internal IP addresses.
So your proxies will not be accepted as external proxies.
And your true client IP address will not be used.

Try the following directives instead:

RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 10.0.0.0/8

Let us know if this works for you.

Thanks,

Mike Rumph

On 10/2/2014 6:46 AM, Christopher Schultz wrote:
> Mike,
>
> On 10/1/14 5:40 PM, Mike Rumph wrote:
>> What version of Apache httpd are you running?
> Thanks for the reply. We are running 2.4 and 2.2 on various servers, but
> I'm starting with this one:
>
> Server version: Apache/2.4.10 (Amazon)
> Server built:   Jul 30 2014 23:57:28
>
> This is the httpd package that Amazon bundles with its Amazon Linux. If
> possible, I'd prefer to continue to use their packages.
>
>> There have been some mod_remoteip fixes in recent 2.4.x releases.
>>
>> You could also try setting up some LogFormat directives as in bug 55635
>> to get more information on this.
>> - https://issues.apache.org/bugzilla/show_bug.cgi?id=55635#c1
> I'll modify my log format and post what I get under various circumstances.
>
> FWIW, I currently have no "Allow" or "Deny" directives in effect. I was
> planning eventually to say "Allow from 10/8" or something equivalent to
> only allow connections to this virtual host from the load-balancer. If
> that's not going to work, it's easily done at the OS or firewall level.
>
> Thanks,
> -chris
>
>> On 10/1/2014 11:00 AM, Christopher Schultz wrote:
>>> All,
>>>
>>> I'm trying to get httpd working behind an AWS ELB but still using the
>>> remote client's information whenever possible.
>>>
>>> ELB provides the X-Forwarded-For, X-Forwarded-Port, and
>>> X-Forwarded-Proto HTTP headers. My configuration looks like this:
>>>
>>>       RemoteIPHeader X-Forwarded-For
>>>       #RemoteIPTrustedProxy 10.0.0.0/8
>>>
>>> (I commented-out the RemoteIPTrustedProxy line to see if that was the
>>> problem, and it does not appear to have changed the behavior).
>>>
>>> My true client IP address is 71.178.xxx.yyy and I'm making a request
>>> through the load balancer. I'm using PHP's "phpinfo()" to dump
>>> everything about the request. I can see that the X-Forwarded-For header
>>> has been /removed/ from the request (which mod_remoteip says will
>>> happen), but I'm still getting the ELB's IP address in my access logs:
>>>
>>> 10.32.xxx.yyy - - [01/Oct/2014:17:59:27 +0000] "GET /info.php HTTP/1.1"
>>> 200 72810 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0)
>>> Gecko/20100101 Firefox/32.0"
>>>
>>> I have definitely restarted httpd and mod_remoteip is definitely enabled
>>> (no errors on start, X-Forwarded-For header is being removed from the
>>> headers).
>>>
>>> Am I missing something in my configuration?
>>>
>>> Thanks,
>>> -chris
>>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
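
The directives discussed in this thread differ in which connecting peers may supply the header and which header values are accepted. The sketch below is an added example, not code from the thread or from httpd: a simplified, IPv4-only Python model of the header processing described in the mod_remoteip documentation, where the function name `resolve_client_ip` and every address are constructed for illustration.

```python
import ipaddress

# Blocks the mod_remoteip documentation lists as private/intranet (IPv4 only here).
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
            "169.254.0.0/16", "127.0.0.0/8")]

def resolve_client_ip(peer, header, proxies=None):
    """Return (client_ip, leftover_header) for one request.

    peer    -- address of the TCP connection (for example an ELB node)
    header  -- X-Forwarded-For value, or None
    proxies -- list of (cidr, internal) pairs: internal=True models
               RemoteIPInternalProxy, False models RemoteIPTrustedProxy;
               None models a configuration with RemoteIPHeader only
    """
    nets = None if proxies is None else [
        (ipaddress.ip_network(c), internal) for c, internal in proxies]
    current = ipaddress.ip_address(peer)
    hops = [h.strip() for h in header.split(",")] if header else []
    while hops:
        internal = False
        if nets is not None:
            match = [i for n, i in nets if current in n]
            if not match:
                break      # sender is not a listed proxy: keep its address
            internal = match[0]
        try:
            candidate = ipaddress.ip_address(hops[-1])  # rightmost entry first
        except ValueError:
            break          # unparseable entry stays in the header
        if not internal and any(candidate in n for n in PRIVATE):
            break          # private value offered by a non-internal proxy
        current = candidate
        hops.pop()
    return str(current), ", ".join(hops)

if __name__ == "__main__":
    elb = [("10.0.0.0/8", True)]   # RemoteIPInternalProxy 10.0.0.0/8
    print(resolve_client_ip("10.32.0.5", "203.0.113.7", elb))
    print(resolve_client_ip("198.51.100.9", "203.0.113.7", elb))
```

In this model a peer outside the listed range keeps its own connection address and its header is left untouched, while a configuration with no proxy list accepts the header from any peer.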

