Mike,
On 10/2/14 2:27 PM, Mike Rumph wrote:
> On 10/2/2014 11:07 AM, Christopher Schultz wrote:
>>
>> Mike,
>>
>> Okay, using %a works when using mod_remoteip. AWS Linux uses %h
>> by default for its httpd.conf definition of "combined" log
>> format, so I've changed that and I'm getting the logging I
>> desire.
>>
>> I'll try to replicate the behavior in httpd 2.2 without
>> mod_remoteip as well.
>>
>> Thanks, - -chris
>>
> Hello Christopher,
>
> It looks like my replies got a little out of sync with yours.
>
> In Apache httpd 2.4 with mod_remoteip enabled and correctly
> configured, the %a field will contain the true original client IP
> address. Otherwise, the %a field will contain the IP address of
> the most immediate remote host.
That's what I'm seeing. Thanks! (The last piece was changing %h -> %a
in my log formats. I can't seem to find any ErrorLogFormat defined in
my configuration, and there is no documentation for the "default"
format so I can't really verify that I have an acceptable
ErrorLogFormat. I'm having trouble getting an error bad enough to log
:) In httpd 2.2, a 404 counted as an error and so it's easy to test to
see what IP address gets logged.
> For 2.2, the contents of the X-* headers is probably the only way
> to get the true client IP address. From what I can tell, in your
> configuration there is only one proxy between the client and the
> destination server, so your X-Forwarded-For headers would probably
> only contain a single value. But one thing to keep in mind is that
> the X-Forwarded-For header could contain a list of IP addresses.
Yup. I have done the best I think I can for httpd 2.2, like this:
# Handle ELB requests; maintain client information
SetEnvIf X-Forwarded-Proto "https" HTTPS=On
SetEnvIf X-Forwarded-For "(.*)" REMOTE_ADDR=$1 JK_REMOTE_ADDR=$1
SetEnvIf X-Forwarded-Port "(.*)" JK_LOCAL_PORT=$1
# Only allow requests directly from the load-balancer
<Location "/">
Order deny,allow
Deny from all
Allow from 10.0.0.0/8
</Location>
# The following line has been split over multiple lines.
# httpd doesn't support this; it's for email readability only
# The pattern is anchored at the end of the header value so that $1
# captures the right-most address (the one appended by the ELB); a
# lazy "^.*?" prefix would stop at the first, client-supplied, address.
SetEnvIf X-Forwarded-For \
"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s*$" \
XFFCLIENTIP=$1
LogFormat "... %{XFFCLIENTIP}e ..." format-name
CustomLog access_log format-name
This will give me the right-most IP address from X-Forwarded-For
which, in my case, ought to be the client's actual IP address or some
outside proxy. I haven't yet played around with setting that header
from my client to see what happens at the ELB stage. I suspect they
will adhere to the spec and /add/ the client's IP to whatever was
there. If they don't, it's okay with me: I'll end up observing the
same IP address I would have in the past because I've been ignoring
any X-Forwarded-For headers thus far.
Thanks for the help,
- -chris
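Added example, not part of the thread and not httpd code: a small Python model of the two ways of pulling an address out of X-Forwarded-For that the config above hinges on. A lazy "^.*?" prefix selects the first (client-supplied) address, while a pattern anchored at the end of the value selects the one the load balancer appended. The proxy_append helper is an assumption about how a spec-following proxy such as the ELB behaves; the addresses are constructed sample values.

```python
import re

# Pattern matching the intent of the SetEnvIf rule in the thread, anchored at
# the END of the header value: the capture is then the right-most address,
# which is the one the ELB itself appended and the only part of
# X-Forwarded-For that a client cannot control.
RIGHTMOST_IPV4 = re.compile(r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s*$")

# The lazy "^.*?" form stops at the FIRST address, i.e. whatever the client
# chose to send; kept here only to show the difference.
LEFTMOST_IPV4 = re.compile(r"^.*?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")


def rightmost_xff_ip(xff):
    """Return the last IPv4 address in an X-Forwarded-For value, or None."""
    m = RIGHTMOST_IPV4.search(xff)
    return m.group(1) if m else None


def leftmost_xff_ip(xff):
    """Return the first IPv4 address in an X-Forwarded-For value, or None."""
    m = LEFTMOST_IPV4.search(xff)
    return m.group(1) if m else None


def proxy_append(incoming_xff, peer_ip):
    """Model a spec-following proxy (assumed ELB behaviour, not verified
    against AWS): append the TCP peer's address to whatever X-Forwarded-For
    the request already carried, creating a new header if there was none."""
    return f"{incoming_xff}, {peer_ip}" if incoming_xff else peer_ip


def compare_extractions(client_xff, peer_ip):
    """Build the header as it would reach httpd and extract it both ways."""
    xff = proxy_append(client_xff, peer_ip)
    return {"header": xff,
            "leftmost": leftmost_xff_ip(xff),
            "rightmost": rightmost_xff_ip(xff)}


if __name__ == "__main__":
    PEER = "203.0.113.7"  # constructed: the address the ELB really talked to
    # Case 1: ordinary client with no X-Forwarded-For of its own.
    print(compare_extractions("", PEER))
    # Case 2: client sends its own X-Forwarded-For before reaching the ELB.
    # Only the right-most extraction still yields the real peer address.
    print(compare_extractions("198.51.100.1", PEER))
```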