On Sun, Apr 09, 2017 at 11:51:25AM +0200, Thuban wrote:
> * Hiltjo Posthuma <[email protected]> le [09-04-2017 11:42:23 +0200]:
> > On Sat, Apr 08, 2017 at 08:48:43PM +0200, Thuban wrote:
> > > Hello,
> > > I use relayd to deal with HTTP headers as suggested here [1].
> > > My problem is that in httpd logs, the origin IP is 127.0.0.1 and thats
> > > not very handy to track bruteforce attacks (in example).
> > >
> > > Do you have any advice to keep the visitor IP in logs ?
> > >
> > > [1] :
> > > https://github.com/reyk/httpd/wiki/Using-relayd-to-add-Cache-Control-headers-to-httpd-traffic
> > > --
> > > :thuban:
> > >
> >
> > Hey,
> >
> > It's commonly done by adding a X-Forwarded-For header with the origin IP.
> >
> > From the relayd.conf(5) man page:
> >
> > http protocol "https" {
> > match header append "X-Forwarded-For" \
> > value "$REMOTE_ADDR"
> > match header append "X-Forwarded-By" \
> > value "$SERVER_ADDR:$SERVER_PORT"
> >
> > ... snip snip ...
> > }
> >
>
> That's exactly what I use, but it doesn't seems to work :
>
> # snip from httpd logs
> test.yeuxdelibad.net 127.0.0.1 - - [09/Apr/2017:11:47:54 +0200] "GET /
> HTTP/1.0" 200 0
>
Hey,
In my example you should also log the "X-Forwarded-For" header in relayd or
your httpd. The source IP and headers were modified (non-transparant).
relayd can log headers (and other data) using for example:
match header log "User-Agent"
Additionally it can be useful to edit /etc/syslog.conf to log this to a
separate file like /var/log/relayd.
--
Kind regards,
Hiltjo
