[users@httpd] X-Forward-For in ssl_access_log / apache behind WAF

Thu, 05 Oct 2017 02:12:13 -0700 

Hello together
I'm a little bit confused about manipulation ssl_access_log to get the 
X-Forward-For IP but not the "WAF/Proxy" IP.
(sorry for that long text...)

# Settings:
rhel 7.3
apache 2.4.6 
Redirect: apache redirect (nearly) everthing to https

- Apache is behind a Web Application Firewall (WAF). The WAF acts like a 
reverse proxy I think.
- the WAF do only https but let pass through X-Forward-For information
- The WAF (or some server via the WAF) do health checks and I don't whant to 
log them.
- The Health checks "source" IP's are WAF IPs (maybe a Cluster):
  WAF-IP1:  1.2.3.1
  WAF-IP2:  1.2.3.2 

# apache ssl.conf:

<VirtualHost _default_:443>
...
LogLevel info ssl:warn

        #part 1:
        LogFormat "%l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" 
combined
        LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b 
\"%{Referer}i\" \"%{User-Agent}i\"" proxy
        SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
        CustomLog "logs/ssl_access_log" combined env=!forwarded
        CustomLog "logs/ssl_access_log" proxy env=forwarded

        #part 2:
        SetEnvIf Remote_addr  ("1\.2\.3\.1"|"1\.2\.2\.2") waf
        CustomLog "logs/ssl_access_log" proxy env=!waf
...
</VirtualHost>


# ssl_acces_log:
-> part 1. is ok (your see the X-Forward-IP and WAF IP)
78.51.212.20 1.2.3.1 - - [05/Oct/2017:10:58:05 +0200] "GET 
/asdf/authorize?response_type=code&dddcasdf1&scope=oertz&redirect_uri=https://www.somethere.de/customers/83483227272
 HTTP/1.1" 200 1576 "https://www.somethere.de/"; "Mozilla/5.0 (Windows NT 10.0; 
Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"

-> part 2. is not ok. I can't stop the logging of health checks coming from 
1.2.3.1/1.2.3.2. Allthough they are logged twice.
1.2.3.1 - - [05/Oct/2017:10:58:07 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
- 1.2.3.1 - - [05/Oct/2017:10:58:07 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
1.2.3.2 - - [05/Oct/2017:10:58:08 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
- 1.2.3.2 - - [05/Oct/2017:10:58:08 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
1.2.3.1 - - [05/Oct/2017:10:58:12 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
- 1.2.3.1 - - [05/Oct/2017:10:58:12 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
1.2.3.2 - - [05/Oct/2017:10:58:13 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
- 1.2.3.2 - - [05/Oct/2017:10:58:13 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"

Hopfully sombody can see the problem / find a solution

many thanks
marc




---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to