httpd-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: [users@httpd] mod_remoteip not setting client's ip with AWS ELB
Date Thu, 02 Oct 2014 16:55:51 GMT

Mike,

On 10/2/14 12:37 PM, Christopher Schultz wrote:
> With my above configuration, I got a line in my (your) access log
> that looks like this:
> 
> 10.32.219.77 71.178.180.80 10.32.219.77 xf="-" - - 
> [02/Oct/2014:16:33:39 +0000] "GET" "GET /tools/info.php HTTP/1.1&"
> "&" 200 74249 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9;
> rv:32.0) Gecko/20100101 Firefox/32.0" pid=25180 tid=2846788416
> time_ms=10079
> 
> The log format for that is: "%h %a %{c}a xf=\"%{X-Forwarded-For}i\"
> %l %u %t \"%m\" \"%r&\" \"%q&\" %>s %b \"%{Referer}i\"
> \"%{User-Agent}i\" pid=%{pid}P tid=%{tid}P time_ms=%D"
> 
> I'll change the RemoteIPTrustedProxy to RemoteIPInternalProxy and 
> enable it and see what happens.

With this configuration:

  RemoteIPHeader X-Forwarded-Form
  RemoteIPInternalProxy 10.0.0.0/8

I get this access log:

10.64.51.235 71.178.180.80 10.64.51.235 xf="-" - -
[02/Oct/2014:16:38:51 +0000] "GET" "GET /tools/info.php HTTP/1.1&" "&"
200 74692 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0)
Gecko/20100101 Firefox/32.0" pid=25339 tid=3014642496 time_ms=14507

In both cases, logging a standard %h for remote IP gives me the
address of the load-balancer. Is that to be expected?

I'm hooking this up to Apache Tomcat on the back-end, and it seems
that Tomcat thinks the "REMOTE_ADDR" for the client is my actual IP
address and not that of the lb/proxy.

Am I just not using the right access log format when under a proxied
configuration?

For Apache 2.2, it looks like mod_remoteip is not an option. I was
considering using a configuration similar to this to get the same effect:

    SetEnvIf X-Forwarded-Proto "https" HTTPS=On
    SetEnvIf X-Forwarded-For "(.*)" REMOTE_ADDR=$1
    SetEnvIf X-Forwarded-Port "(.*)" SERVER_PORT=$1

Is that an appropriate comparable configuration? I'd probably have to
replace "%h" with "%{X-Forwarded-For}i" in the combined log format.
Should I be doing that even when mod_remoteip is in use as well?

Thanks,
-chris
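
Added example, not part of the original message and not Apache's code: a simplified Python model of the right-to-left X-Forwarded-For walk that RemoteIPHeader and RemoteIPInternalProxy configure, next to what copying the raw header into REMOTE_ADDR (the SetEnvIf variant above) would record. The function names are hypothetical; 10.0.0.0/8 and the two addresses from the access log come from the message, while 198.51.100.7 and 203.0.113.9 are constructed sample values.

```python
import ipaddress

# Assumption: same trust range as the RemoteIPInternalProxy line in the message.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted(addr):
    """True if addr belongs to one of the configured proxy networks."""
    return any(addr in net for net in TRUSTED_PROXIES)


def effective_client_ip(peer_ip, xff_header):
    """Return (client_ip, leftover_header) for one request.

    Start from the TCP peer. While the current address is a trusted proxy,
    accept the rightmost remaining X-Forwarded-For entry as the next hop.
    Entries left of the first untrusted address are client-supplied and
    are returned unconsumed instead of being believed.
    """
    current = ipaddress.ip_address(peer_ip)
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    while hops and is_trusted(current):
        try:
            candidate = ipaddress.ip_address(hops[-1])
        except ValueError:
            break  # malformed entry: keep the last address we could verify
        hops.pop()
        current = candidate
    return str(current), ", ".join(hops)


def naive_client_ip(peer_ip, xff_header):
    """Model of copying the whole header into REMOTE_ADDR: the peer is never checked."""
    return xff_header if xff_header else peer_ip


if __name__ == "__main__":
    lb = "10.64.51.235"  # load-balancer address from the access log above
    samples = [          # constructed (peer, header) pairs
        (lb, "71.178.180.80"),
        (lb, "198.51.100.7, 71.178.180.80"),  # client sent its own header first
        ("203.0.113.9", "10.1.1.1"),          # direct hit, bypassing the proxy
    ]
    for peer, xff in samples:
        print(peer, repr(xff), "->", effective_client_ip(peer, xff),
              "| naive:", naive_client_ip(peer, xff))
```

In the second and third samples the naive value is whatever the client chose to send, while the walk stops at the last address a trusted hop vouched for.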
