On 24.01.2013 21:02, Stefan Fritsch wrote:
> On Wednesday 23 January 2013, Reindl Harald wrote:
>> hi
>>
>> LoadModule remoteip_module "modules/mod_remoteip.so"
>> RemoteIPHeader X-Forwarded-For
>> RemoteIPInternalProxy 127.0.0.1 10.0.0.4 10.0.0.103 91.118.73.4
>> ________________________
>>
>> PHP - fine, exactly how it should do:
>> _SERVER["SERVER_ADDR"] 10.0.0.99
>> _SERVER["SERVER_PORT"] 8080
>> _SERVER["REMOTE_ADDR"] 10.0.0.99
>> ________________________
>>
>> BUT access-log contains the ip of the apache trafficserver
>> this is a major problem for replace mod_rpaf with mod_remoteip
>> because webalizer-usages are more or less useless
>>
>> 10.0.0.103 - - [23/Jan/2013:17:01:53 +0100] "GET
>> /images/page/tidy_16.gif HTTP/1.1" 304 -
>> "http://www.test.rh:8080/" "Mozilla/5.0 (X11; Linux x86_64;
>> rv:18.0) Gecko/20100101 Firefox/18.0" (-%)
>
> The problem seems to be ap_get_remote_host() which is used by the %h
> used in the default access log format. But resolving an IP address
> that came via X-Forwarded-For does not make any sense anyway, because
> the server's view of DNS may be different than the proxy's view.

but there is no resolving, the problem is simply that the proxy is in
the internal LAN, 100% trustable and from the view of the backendserver
it must not appear in any way

even if there is resolving:
as long as the proxy and the backend httpd have the same DNS view -> no problem

> If you use %a instead of %h, that should do the right thing. There is
> also a "%{c}a" to get the proxy's IP.

but how to handle if you have a global defined log-format and you have
some hundred vhosts where some depending on the typical load are pointing
directly to the server and high-traffic sites pointing to the trafficserver?

having the LAN-IP of the proxy anywhere is wrong and makes from the view
of customers usage of apache trafficserver impossible and having on
several places different client-ip's is bad

the trafficserver is a 100% trusted machine
any X-Forwarded-For is trusted
any connection from this machine contains X-Forwarded-For
the machine with trafficserver has only one service

> That's rather confusing. Any opinions if the behavior should be
> changed or if this should be fixed by documentation?

"mod_rpaf" until 2.4 did handle this perfectly

as i played last summer with trafficserver this was the point to consider
it as useable because no impact on logging / security by have LAN-IP's
inside PHP-scripts which may behave different in such cases and last but
not least not touch any vhost-config

* any logfile contained the X-Forwarded-For
* any variable in PHP contained X-Forwarded-For
* mod_security saw the X-Forwarded-For
* X-Forwarded-For only from hard defined addresses, the trusted proxy
* no different configuration for hosts with proxy in front or directly called
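Added example, not part of the original message and not mod_remoteip's own code: a simplified Python model of right-to-left trusted-proxy evaluation, illustrating the requirement in the thread that X-Forwarded-For be honoured only when the connection comes from a hard-defined proxy address. The function name and sample requests are constructed for illustration; the trust list is the RemoteIPInternalProxy line quoted in the message.

```python
import ipaddress

# Trust list copied from the RemoteIPInternalProxy line quoted in the thread.
TRUSTED_PROXIES = {ipaddress.ip_address(a) for a in
                   ("127.0.0.1", "10.0.0.4", "10.0.0.103", "91.118.73.4")}


def effective_client(peer, xff_header, trusted=TRUSTED_PROXIES):
    """Return (client_ip, unconsumed_header) for one request.

    peer        -- address of the TCP connection as seen by the backend
    xff_header  -- raw X-Forwarded-For value, or None if the header is absent
    Hypothetical helper: a simplified model, not the module's implementation.
    """
    client = ipaddress.ip_address(peer)
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    # Consume entries from the right only while the current address is trusted.
    # The first untrusted address is the client; anything left of it was
    # supplied by that client and is never believed.
    while hops and client in trusted:
        try:
            candidate = ipaddress.ip_address(hops[-1])
        except ValueError:
            break  # malformed entry: stop and keep the last verified address
        hops.pop()
        client = candidate
    return str(client), ", ".join(hops)


if __name__ == "__main__":
    # Constructed sample requests: (peer address, X-Forwarded-For header)
    samples = [
        ("10.0.0.103", "10.0.0.99"),               # via the trusted proxy
        ("10.0.0.99", None),                       # vhost called directly
        ("10.0.0.99", "192.0.2.7"),                # untrusted peer sends header
        ("10.0.0.103", "192.0.2.7, 203.0.113.5"),  # client-supplied left entry
        ("10.0.0.103", "not-an-ip"),               # malformed header value
    ]
    for peer, xff in samples:
        print(f"{peer:12} {xff!r:28} -> {effective_client(peer, xff)}")
```

The same function gives the right address for vhosts reached through the proxy and for vhosts called directly, which is the "no different configuration" property listed in the message.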