Am 25.01.2013 00:34, schrieb Graham Leggett: > On 24 Jan 2013, at 20:02, Stefan Fritsch <s...@sfritsch.de> wrote: > >> The problem seems to be ap_get_remote_host() which is used by the %h >> used in the default access log format. But resolving an IP address >> that came via X-Forwarded-For does not make any sense anyway, because >> the server's view of DNS may be different than the proxy's view. >> >> If you use %a instead of %h, that should do the right thing. There is >> also a "%{c}a" to get the proxy's IP. >> >> That's rather confusing. Any opionions if the behavior should be >> changed or if this should be fixed by documentation? > > As soon as you enable mod_remoteip, you are in the world of proxies and load > balancers, and by definition you have at least two ip addresses, the address > of the load balancer, and the address of the host beyond the load balancer. > > It is up to the administrator to decide which IP address they want to log, > the load balancer IP, or the IP of the host beyond. > > We currently offer that option based on the principal of least surprise, to > log the downstream host IP address, as it is the address that the AAA > subsystem probably cares about the most. > > It is also up to third party module authors to properly handle the two IPs, > and offer the end user sensible behaviour. Load balancers are a first class > concept properly recognized by httpd in 2.4, and is no longer the "request > hacks the parent connection" that was going on before.
but that does not change the fact that %h without HostnameLookups should log the same ip-address and with HostnameLookups resolve this as $_SERVER['REMOTE_ADDR'] from a php-script sees for the principal of least surprise to make mod_remoteip really transparent in conext of a proxy in front "%{c}a" is new and special in context of mod_remoteip %h exists all the time %a exists all the time so normally you would not except that they behave different in the context of a clear usage of mod_remoteip i will give %a a try instead %h as soon as i am near my test-network again, thankfully "%a Client IP address and port of the request" does not contain the port if it is 80 as it seems and so would not change the logformat which could confuse webalizer due switch to httpd 2.4 i will give feedback ASAP here thank you for your responses!
signature.asc
Description: OpenPGP digital signature