From: Christopher Schultz
Date: Thu, 02 Oct 2014 12:37:19 -0400
To: users@httpd.apache.org
Subject: Re: [users@httpd] mod_remoteip not setting client's ip with AWS ELB

Mike,

On 10/2/14 12:04 PM, Mike Rumph wrote:
> Since you are running 2.4.10, you have the latest mod_remoteip
> fixes. But I think the problem is in the directives that you are
> using:
>
> RemoteIPHeader X-Forwarded-For
> #RemoteIPTrustedProxy 10.0.0.0/8
>
> If you only use the RemoteIPHeader directive, then the default is
> to treat all proxies as external trusted proxies.

Correct. I'm okay with that for the moment. Uncommenting the second
directive didn't change anything.

> Having RemoteIPTrustedProxy set for all your proxies would have the
> same effect.

That's what I'll eventually end up with.

> I assume by your 10.0.0.0/8 mask that this matches your proxy
> addresses. But 10.0.0.0/8 is a mask for internal IP addresses. So
> your proxies will not be accepted as external proxies. And your
> true client ip address will not be used.

Hmm. Maybe I have things mixed up in my head, then. The AWS ELB will
have an address 10.something and so will my actual server running httpd.

> Try the following directives instead:
>
> RemoteIPHeader X-Forwarded-For
> RemoteIPInternalProxy 10.0.0.0/8
>
> Let us know if this works for you.

I'll try that.
With my above configuration, I got a line in my (your) access log that
looks like this:

10.32.219.77 71.178.180.80 10.32.219.77 xf="-" - - [02/Oct/2014:16:33:39 +0000] "GET" "GET /tools/info.php HTTP/1.1&" "&" 200 74249 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0" pid=25180 tid=2846788416 time_ms=10079

The log format for that is:

"%h %a %{c}a xf=\"%{X-Forwarded-For}i\" %l %u %t \"%m\" \"%r&\" \"%q&\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" pid=%{pid}P tid=%{tid}P time_ms=%D"

I'll change the RemoteIPTrustedProxy to RemoteIPInternalProxy and enable
it and see what happens.

I think I may have been confused by the fact that the X-Forwarded-For
header was being removed... I assumed that meant that mod_remoteip was
trusting the IP address and actually using it.

Thanks,
-chris
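Added example (not part of the original message and not Apache project code): a small parser for the LogFormat quoted above that splits the quoted access-log line into its leading fields and compares %a (client IP address of the request) with %{c}a (peer IP address of the connection), which is a quick way to check what a RemoteIP* change did to the logged addresses. The function and field names are this example's own; the sample line is the one from the message.

```python
import ipaddress
import re

# Access-log line copied from the message above; its LogFormat starts with
# %h %a %{c}a xf="%{X-Forwarded-For}i" %l %u %t "%m" "%r&" "%q&" %>s ...
SAMPLE = ('10.32.219.77 71.178.180.80 10.32.219.77 xf="-" - - '
          '[02/Oct/2014:16:33:39 +0000] "GET" "GET /tools/info.php HTTP/1.1&" '
          '"&" 200 74249 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; '
          'rv:32.0) Gecko/20100101 Firefox/32.0" pid=25180 tid=2846788416 '
          'time_ms=10079')

# Only the fields up to the status code are captured; group names are ours.
LINE_RE = re.compile(
    r'^(?P<h>\S+) (?P<a>\S+) (?P<c_a>\S+) xf="(?P<xff>[^"]*)" '
    r'\S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[^"]*)" "(?P<request>[^"]*)&" '
    r'"(?P<query>[^"]*)&" (?P<status>\d{3}) ')


def parse_line(line):
    """Return the named fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def remoteip_report(line):
    """Summarise how the request's client address relates to the connection peer."""
    f = parse_line(line)
    if f is None:
        return None
    client = ipaddress.ip_address(f["a"])    # %a: client IP of the request
    peer = ipaddress.ip_address(f["c_a"])    # %{c}a: peer IP of the connection
    return {
        "client": str(client),
        "peer": str(peer),
        "host_field": f["h"],                # %h: remote hostname (may be a name)
        # Differs only if something overrode the request's client address.
        "client_replaced": client != peer,
        "client_is_private": client.is_private,
        "h_matches_peer": f["h"] == f["c_a"],
        "xff_logged": f["xff"] != "-",       # "-" means no header value was logged
    }


if __name__ == "__main__":
    for key, value in remoteip_report(SAMPLE).items():
        print(f"{key}: {value}")
```
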