apache logging, XFF and proxypass...



apache 2.2.22
centos 5.8

We are running several virtual Hosts in an apache config. The
majority of them use mod_jk for a backend ajp connection, whilst a few
use ProxyPass to http backends

using LogFormat directives

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i
\"" combined
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\"
\"%{User-Agent}i\"" proxy
LogFormat "%{X-Forwarded-For}i " proxy
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded


and VH configs including
ErrorLog "logs/errors"
CustomLog "logs/access" combined env=!forwarded
CustomLog "logs/access" proxy env=forwarded

For the mod_jk connections the logs are great...


192.168.52.139 - - [28/May/2012:15:27:30 +0100] "GET /for..

with the IP of ONLY the originating client being logged.

However... for proxypass type VHs.. the logs end up with

192.168.52.213, 192.168.61.63 - - [28/May/2012:15:38:44 +0100] "GET /
ltr/i

Delving into it all, it appears that for proxypass the XFF header
shifts along the entire path if IPs - client,proxy1 etc to the
backend. Now that's all well and good for passing to the backend...
but its useless for logging an original single client IP on the proxy
itself. It seems that what it prepares for the backend it uses itself
- which is not what is required.


ie client --> traffic manager --> apache proxy --> backend
I want to log the client IP in the apache proxy logs - NOT
client IP + traffic manager IP

How can I get over this?

cheers

ian
.



Relevant Pages

  • Re: Apache, Possible DoS/Overflow attack ?
    ... >>I was presented with a set of apache logs which were showing some out of ... Clip from Apache Manual: ... Note that when you specify an ErrorDocument that points to a remote URL (ie. ... most important being that the client will not receive the original error status ...
    (comp.os.linux.security)
  • Re: Kerberized authorization service
    ... that the authorization decision is no longer truly centralized. ... small client which securely connects to one of a set of authorization servers, ... The backend can use any ... could try multiple authorization servers to ensure availability. ...
    (comp.protocols.kerberos)
  • Re: Can I do this?
    ... I quickly perused through the links you kindly provided - and I came accross the dreaded word of "marshalling" - why are we marshalling data if it we are running in the same process -. ... I was wondering if you have any suggestions on how to communicate between the backend and the frontend. ... I was thinking of using a servlet layer on the server side and then use HTTPS requests from the client to send base 64 encoded data from the server - This will allow me to receive files stored at the backend server in Linux. ...
    (microsoft.public.dotnet.languages.vc)
  • Re: Outlook Web Access premium funktioniert nicht
    ... Das Front-End steht in der DMZ, der Backend ... Selbst auf dem Fron-End läuft der premium Client ... Die Server sind alle Windows Server 2003, und Exchange ...
    (microsoft.public.de.exchange)
  • Opinions: client, embedded offline database and synchrony with backend
    ... I want to design a platform-independent client front-end that has its own ... with a client-owned table in a backend. ... client to jump through hoops. ...
    (comp.lang.java.databases)