httpd-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: [users@httpd] mod_remoteip not setting client's ip with AWS ELB
Date Thu, 02 Oct 2014 18:00:22 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Mike,

On 10/2/14 1:18 PM, Mike Rumph wrote:
> It just occurred to me that you might be referring to the first
> field (%h) in your log records.

Precisely.

> This is going to be the remote hostname. So this is showing the IP
> address of your immediate proxy.

That's what I'm observing.

> If you want to see the true original client IP address (as
> calculated by mod_remoteip), you should add the %a field to your
> LogFormat directive. -
> http://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formats

Okay, it looked like that's what I should add. I just wanted some
confirmation that %a was correct even with mod_remoteip. For httpd
2.2, would I just use "%{X-Forwarded-For}i" since mod_remoteip is not
available?

Lol, just found this write-up. I'll be reading the whole thing about
now:
http://knowledgevoid.com/blog/2012/01/13/logging-the-correct-ip-address-using-apache-2-2-x-and-amazons-elastic-load-balancer/

Thanks,
- -chris

> On 10/2/2014 9:04 AM, Mike Rumph wrote:
>> Hello Christopher,
>> 
>> Since you are running 2.4.10, you have the latest mod_remoteip
>> fixes. But I think the problem is in the directives that you are
>> using:
>> 
>> RemoteIPHeader X-Forwarded-For
>> #RemoteIPTrustedProxy 10.0.0.0/8
>> 
>> 
>> If you only use the RemoteIPHeader directive, then the default is
>> to treat all proxies as external trusted proxies. Having
>> RemoteIPTrustedProxy set for all your proxies would have the same
>> effect.
>> 
>> I assume by your 10.0.0.0/8 mask that this matches your proxy
>> addresses. But 10.0.0.0/8 is a mask for internal IP addresses. So
>> your proxies will not be accepted as external proxies. And your
>> true client ip address will not be used.
>> 
>> Try the following directives instead:
>> 
>> RemoteIPHeader X-Forwarded-For
>> RemoteIPInternalProxy 10.0.0.0/8
>> 
>> Let us know if this works for you.
>> 
>> Thanks,
>> 
>> Mike Rumph
>> 
>> On 10/2/2014 6:46 AM, Christopher Schultz wrote:
>>> Mike,
>>> 
>>> On 10/1/14 5:40 PM, Mike Rumph wrote:
>>>> What version of Apache httpd are you running?
>>> Thanks for the reply. We are running 2.4 and 2.2 on various
>>> servers, but I'm starting with this one:
>>> 
>>> Server version: Apache/2.4.10 (Amazon)
>>> Server built:   Jul 30 2014 23:57:28
>>> 
>>> This is the httpd package that Amazon bundles with its Amazon
>>> Linux. If possible, I'd prefer to continue to use their
>>> packages.
>>> 
>>>> There have been some mod_remoteip fixes in recent 2.4.x
>>>> releases.
>>>> 
>>>> You could also try setting up some LogFormat directives as in
>>>> bug 55635 to get more information on this. -
>>>> https://issues.apache.org/bugzilla/show_bug.cgi?id=55635#c1
>>> I'll modify my log format and post what I get under various 
>>> circumstances.
>>> 
>>> FWIW, I currently have no "Allow" or "Deny" directives in
>>> effect. I was planning eventually to say "Allow from 10/8" or
>>> something equivalent to only allow connections to this virtual
>>> host from the load-balancer. If that's not going to work, it's
>>> easily done at the OS or firewall level.
>>> 
>>> Thanks, -chris
>>> 
>>>> On 10/1/2014 11:00 AM, Christopher Schultz wrote:
>>>>> All,
>>>>> 
>>>>> I'm trying to get httpd working behind an AWS ELB but still
>>>>> using the remote client's information whenever possible.
>>>>> 
>>>>> ELB provides the X-Forwarded-For, X-Forwarded-Port, and 
>>>>> X-Forwarded-Proto HTTP headers. My configuration looks like
>>>>> this:
>>>>> 
>>>>> RemoteIPHeader X-Forwarded-For
>>>>> #RemoteIPTrustedProxy 10.0.0.0/8
>>>>> 
>>>>> (I commented-out the RemoteIPTrustedProxy line to see if
>>>>> that was the problem, and it does not appear to have
>>>>> changed the behavior).
>>>>> 
>>>>> My true client IP address is 71.178.xxx.yyy and I'm making
>>>>> a request through the load balancer. I'm using PHP's
>>>>> "phpinfo()" to dump everything about the request. I can see
>>>>> that the X-Forwarded-For header has been /removed/ from the
>>>>> request (which mod_remoteip says will happen), but I'm
>>>>> still getting the ELB's IP address in my access logs:
>>>>> 
>>>>> 10.32.xxx.yyy - - [01/Oct/2014:17:59:27 +0000] "GET /info.php HTTP/1.1" 200 72810 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0"
>>>>> 
>>>>> I have definitely restarted httpd and mod_remoteip is
>>>>> definitely enabled (no errors on start, X-Forwarded-For
>>>>> header is being removed from the headers).
>>>>> 
>>>>> Am I missing something in my configuration?
>>>>> 
>>>>> Thanks, -chris
>>>>> 
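The thread above settles two separate questions: which directive lets hops from the ELB's 10/8 address be believed (RemoteIPInternalProxy rather than RemoteIPTrustedProxy, since 10/8 is a private block) and which LogFormat field shows the result (%a; %h stays the TCP peer). The model below of mod_remoteip's right-to-left walk over X-Forwarded-For is an added example written for this page; it is not code from the thread or from httpd. The peer addresses, header values and the three example configurations are constructed; the list of blocks that an external proxy is not allowed to report as the client is taken from the RemoteIPTrustedProxy documentation (the IPv6 entries are an approximation). It also shows what the httpd 2.2 fallback `%{X-Forwarded-For}i` records, since that header is whatever the last hop sent.

```python
"""Added model of how mod_remoteip (httpd 2.4) derives the address that %a
logs from X-Forwarded-For, and of the httpd 2.2 fallback discussed above.

Directives being modelled (the ones recommended in the thread):
    RemoteIPHeader        X-Forwarded-For
    RemoteIPInternalProxy 10.0.0.0/8
%h keeps logging the TCP peer (the ELB); %a becomes the resolved client.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Blocks that an *external* (RemoteIPTrustedProxy) hop may not report as the
# client; only a RemoteIPInternalProxy hop is believed for these. IPv4 list
# from the RemoteIPTrustedProxy docs; the IPv6 entries are an approximation.
NOT_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "::1/128", "fe80::/10", "fc00::/7")]


@dataclass
class RemoteIPConfig:
    internal: Tuple[str, ...] = ()   # RemoteIPInternalProxy CIDRs
    trusted: Tuple[str, ...] = ()    # RemoteIPTrustedProxy CIDRs

    def match(self, hop: Address) -> Tuple[bool, bool]:
        """(matched, is_internal) for the hop that handed us the header."""
        for cidr in self.internal:
            if hop in ipaddress.ip_network(cidr):
                return True, True
        for cidr in self.trusted:
            if hop in ipaddress.ip_network(cidr):
                return True, False
        return False, False


@dataclass
class Result:
    client_ip: str                   # what %a logs
    peer_ip: str                     # what %h logs (unchanged TCP peer)
    remaining_header: Optional[str]  # X-Forwarded-For left in the request
    proxies: List[str]               # hops consumed (RemoteIPProxiesHeader)


def resolve(peer: str, xff: Optional[str], cfg: RemoteIPConfig) -> Result:
    """Walk X-Forwarded-For right to left the way mod_remoteip does."""
    hop = client = ipaddress.ip_address(peer)
    proxies: List[str] = []
    remaining = [] if xff is None else [p.strip() for p in xff.split(",")]
    while remaining:
        # 1. The hop that appended the header must be a configured proxy.
        #    With no RemoteIP*Proxy directive at all, every hop is trusted,
        #    which is exactly what makes a bare RemoteIPHeader spoofable.
        internal = False
        if cfg.internal or cfg.trusted:
            matched, internal = cfg.match(hop)
            if not matched:
                break
        # 2. Take the rightmost address, the one this hop appended.
        try:
            candidate = ipaddress.ip_address(remaining[-1])
        except ValueError:
            break                    # unparseable: leave the header alone
        # 3. Private/loopback/link-local values are only accepted from an
        #    internal proxy; an external one reporting them ends the walk.
        if not internal and any(candidate in n for n in NOT_PUBLIC):
            break
        proxies.append(str(hop))
        client = hop = candidate
        remaining.pop()
    return Result(str(client), peer,
                  ", ".join(remaining) if remaining else None, proxies)


def log_xff_verbatim(xff: Optional[str]) -> str:
    """What %{X-Forwarded-For}i records on httpd 2.2: the raw header."""
    return xff if xff is not None else "-"


ELB = RemoteIPConfig(internal=("10.0.0.0/8",))          # Mike's suggestion
TRUSTED_ONLY = RemoteIPConfig(trusted=("10.0.0.0/8",))  # the commented-out line
HEADER_ONLY = RemoteIPConfig()                           # RemoteIPHeader alone

# Constructed scenarios: a 10.32/16 ELB, a 71.178/16 client, and an attacker
# at 198.51.100.9 who connects straight to the instance, bypassing the ELB.
SCENARIOS = {
    "via ELB":                  ("10.32.0.5", "71.178.0.1", ELB),
    "via ELB, forged prefix":   ("10.32.0.5", "1.2.3.4, 203.0.113.7", ELB),
    "direct, forged":           ("198.51.100.9", "71.178.0.1", ELB),
    "direct, header only":      ("198.51.100.9", "71.178.0.1", HEADER_ONLY),
    "private client, trusted":  ("10.32.0.5", "192.168.1.20", TRUSTED_ONLY),
    "private client, internal": ("10.32.0.5", "192.168.1.20", ELB),
}

if __name__ == "__main__":
    for name, (peer, xff, cfg) in SCENARIOS.items():
        r = resolve(peer, xff, cfg)
        print(f"{name:26} %h={r.peer_ip:14} %a={r.client_ip:14} "
              f"2.2 %{{X-Forwarded-For}}i={log_xff_verbatim(xff)}")
```

Run directly, it prints one line per scenario. The "direct, header only" row is the case the thread warns about: with RemoteIPHeader alone, any host that can reach the instance without passing through the ELB chooses its own %a, and `%{X-Forwarded-For}i` on 2.2 has that property under every configuration. Restricting who may connect to the vhost is therefore what makes the logged address trustworthy on either version; note that once mod_remoteip is active, `Require ip` / `Allow from` evaluate the substituted client address rather than the ELB's, so that restriction belongs in the security group or host firewall rather than in an "Allow from 10/8" line.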

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

