httpd-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: [users@httpd] mod_remoteip not setting client's ip with AWS ELB
Date Thu, 02 Oct 2014 16:37:19 GMT

Mike,

On 10/2/14 12:04 PM, Mike Rumph wrote:
> Since you are running 2.4.10, you have the latest mod_remoteip
> fixes. But I think the problem is in the directives that you are
> using:
> 
> RemoteIPHeader X-Forwarded-For
> #RemoteIPTrustedProxy 10.0.0.0/8
> 
> 
> If you only use the RemoteIPHeader directive, then the default is
> to treat all proxies as external trusted proxies.

Correct. I'm okay with that for the moment. Uncommenting the second
directive didn't change anything.

> Having RemoteIPTrustedProxy set for all your proxies would have the
> same effect.

That's what I'll eventually end up with.

> I assume by your 10.0.0.0/8 mask that this matches your proxy
> addresses. But 10.0.0.0/8 is a mask for internal IP addresses. So
> your proxies will not be accepted as external proxies. And your
> true client ip address will not be used.

Hmm. Maybe I have things mixed up in my head, then.

The AWS ELB will have an address 10.something and so will my actual
server running httpd.

> Try the following directives instead:
> 
> RemoteIPHeader X-Forwarded-For
> RemoteIPInternalProxy 10.0.0.0/8
> 
> Let us know if this works for you.

I'll try that. With my above configuration, I got a line in my (your)
access log that looks like this:

10.32.219.77 71.178.180.80 10.32.219.77 xf="-" - -
[02/Oct/2014:16:33:39 +0000] "GET" "GET /tools/info.php HTTP/1.1&" "&"
200 74249 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0)
Gecko/20100101 Firefox/32.0" pid=25180 tid=2846788416 time_ms=10079

The log format for that is:
"%h %a %{c}a xf=\"%{X-Forwarded-For}i\" %l %u %t \"%m\" \"%r&\"
\"%q&\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" pid=%{pid}P
tid=%{tid}P time_ms=%D"

I'll change the RemoteIPTrustedProxy to RemoteIPInternalProxy and
enable it and see what happens.

I think I may have been confused by the fact that the X-Forwarded-For
header was being removed... I assumed that meant that mod_remoteip was
trusting the IP address and actually using it.

Thanks,
-chris
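
An added example, not part of the original message: it parses the access-log line quoted above using the LogFormat from the message. mod_log_config documents `%a` as the client IP address of the request and `%{c}a` as the underlying peer IP address of the connection, so comparing the two shows whether the client address was replaced. The function names are this example's own.

```python
import re

# LogFormat and access-log line copied from the message (wrapped lines rejoined).
LOG_FORMAT = (r'%h %a %{c}a xf=\"%{X-Forwarded-For}i\" %l %u %t \"%m\" \"%r&\" '
              r'\"%q&\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" pid=%{pid}P '
              r'tid=%{tid}P time_ms=%D')
SAMPLE = ('10.32.219.77 71.178.180.80 10.32.219.77 xf="-" - - '
          '[02/Oct/2014:16:33:39 +0000] "GET" "GET /tools/info.php HTTP/1.1&" "&" '
          '200 74249 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) '
          'Gecko/20100101 Firefox/32.0" pid=25180 tid=2846788416 time_ms=10079')

QUOTED = r'(?:[^"\\]|\\.)*'   # quoted value; httpd logs embedded quotes as \"
PATTERNS = {"t": r"\[[^\]]+\]", "r": QUOTED, "q": QUOTED, "i": QUOTED}
DIRECTIVE = re.compile(r"%(\{[^}]*\})?[<>]?([A-Za-z])")

def compile_format(fmt):
    """Translate a LogFormat string into (compiled regex, field names)."""
    fmt = fmt.replace('\\"', '"')          # \" in LogFormat is a literal quote
    regex, names, pos = "", [], 0
    for m in DIRECTIVE.finditer(fmt):
        regex += re.escape(fmt[pos:m.start()])
        regex += "(" + PATTERNS.get(m.group(2), r"\S+") + ")"
        names.append("%" + (m.group(1) or "") + m.group(2))
        pos = m.end()
    return re.compile(regex + re.escape(fmt[pos:])), names

def parse(line, fmt=LOG_FORMAT):
    """Return {directive: value} for one log line, or None if it does not match."""
    rx, names = compile_format(fmt)
    m = rx.fullmatch(line.strip())
    return dict(zip(names, m.groups())) if m else None

def remoteip_status(rec):
    """Compare the request's client address (%a) with the connection peer (%{c}a)."""
    peer, client = rec["%{c}a"], rec["%a"]
    return {
        "peer": peer,
        "client": client,
        "client_overridden": client != peer,
        "header_consumed": rec["%{X-Forwarded-For}i"] == "-",
    }

if __name__ == "__main__":
    rec = parse(SAMPLE)
    print(rec["%h"], remoteip_status(rec))
```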
