Am 25.01.2013 00:34, schrieb Graham Leggett:
> On 24 Jan 2013, at 20:02, Stefan Fritsch <s...@sfritsch.de> wrote:
>
>> The problem seems to be ap_get_remote_host() which is used by the %h
>> used in the default access log format. But resolving an IP address
>> that came via X-Forwarded-For does not make any sense anyway, because
>> the server's view of DNS may be different than the proxy's view.
>>
>> If you use %a instead of %h, that should do the right thing. There is
>> also a "%{c}a" to get the proxy's IP.
>>
>> That's rather confusing. Any opionions if the behavior should be
>> changed or if this should be fixed by documentation?
>
> As soon as you enable mod_remoteip, you are in the world of proxies and load
> balancers, and by definition you have at least two ip addresses, the address
> of the load balancer, and the address of the host beyond the load balancer.
>
> It is up to the administrator to decide which IP address they want to log,
> the load balancer IP, or the IP of the host beyond.
>
> We currently offer that option based on the principal of least surprise, to
> log the downstream host IP address, as it is the address that the AAA
> subsystem probably cares about the most.
>
> It is also up to third party module authors to properly handle the two IPs,
> and offer the end user sensible behaviour. Load balancers are a first class
> concept properly recognized by httpd in 2.4, and is no longer the "request
> hacks the parent connection" that was going on before.
but that does not change the fact that %h without HostnameLookups should
log the same ip-address and with HostnameLookups resolve this as
$_SERVER['REMOTE_ADDR'] from a php-script sees for the principal of least
surprise to make mod_remoteip really transparent in conext of a proxy in
front
"%{c}a" is new and special in context of mod_remoteip
%h exists all the time
%a exists all the time
so normally you would not except that they behave different in the
context of a clear usage of mod_remoteip
i will give %a a try instead %h as soon as i am near my test-network
again, thankfully "%a Client IP address and port of the request" does
not contain the port if it is 80 as it seems and so would not change
the logformat which could confuse webalizer due switch to httpd 2.4
i will give feedback ASAP here
thank you for your responses!
signature.asc
Description: OpenPGP digital signature
