Am 24.01.2013 21:02, schrieb Stefan Fritsch: > On Wednesday 23 January 2013, Reindl Harald wrote: >> hi >> >> LoadModule remoteip_module "modules/mod_remoteip.so" >> RemoteIPHeader X-Forwarded-For >> RemoteIPInternalProxy 127.0.0.1 10.0.0.4 10.0.0.103 91.118.73.4 >> ________________________ >> >> PHP - fine, exactly how it should do: >> _SERVER["SERVER_ADDR"] 10.0.0.99 >> _SERVER["SERVER_PORT"] 8080 >> _SERVER["REMOTE_ADDR"] 10.0.0.99 >> ________________________ >> >> BUT access-log contains the ip of the apache trafficserver >> this is a major problem for replace mod_rafp with mod_remoteip >> because webalizer-usages are more or less useless >> >> 10.0.0.103 - - [23/Jan/2013:17:01:53 +0100] "GET >> /images/page/tidy_16.gif HTTP/1.1" 304 - >> "http://www.test.rh:8080/"; "Mozilla/5.0 (X11; Linux x86_64; >> rv:18.0) Gecko/20100101 Firefox/18.0" (-%) > > > The problem seems to be ap_get_remote_host() which is used by the %h > used in the default access log format. But resolving an IP address > that came via X-Forwarded-For does not make any sense anyway, because > the server's view of DNS may be different than the proxy's view.
but there is no resolving, the problem is simply
that the proxy is in the internal LAN, 100% trustable
and from the view of the backendserver it must not
appear in any way
even if there is resolving: as long the proxy and the
backend httpd have the same DNS view -> no problem
> If you use %a instead of %h, that should do the right thing. There is
> also a "%{c}a" to get the proxy's IP.
but how to handle if you have a global defined log-format
and you have some hundret vhosts where some depending on
the typical load are pointing directly to the server and
high-traffic sites pointing to the trafficserver?
having the LAN-IP of the proxy anywhere is wrong and makes from
the view of customers usage of apache trafficserver impossible
and having on several places different client-ip's is bad
the trafficserver is a 100% trusted machine
any X-Forwarded-For is trusted
any connection from this machine contains X-Forwarded-For
the machine with trafficserver has only one service
> That's rather confusing. Any opionions if the behavior should be
> changed or if this should be fixed by documentation?
"mod_rpaf" until 2.4 did handle this perfectly
as i played last summer with trafficserver this was the point to
consider it as useable because no impact on logging / security by
have LAN-IP's inside PHP-scripts which may behave different in such
cases and last but not least not touch any vhost-config
* any logfile contained the X-Forwarded-For
* any variable in PHP contained X-Forwarded-For
* mod_security saw the X-Forwarded-For
* X-Forwarded-For only from hard defined addresses, the trusted proxy
* no different configuration for hosts with proxy in front or directly called
signature.asc
Description: OpenPGP digital signature
