On Sun, Apr 09, 2017 at 11:30:37AM +0000, Stuart Henderson wrote:
> On 2017-04-09, Thuban <[email protected]> wrote:
> > * Hiltjo Posthuma <[email protected]> le [09-04-2017 11:42:23 +0200]:
> >> On Sat, Apr 08, 2017 at 08:48:43PM +0200, Thuban wrote:
> >> > Hello,
> >> > I use relayd to deal with HTTP headers as suggested here [1].
> >> > My problem is that in httpd logs, the origin IP is 127.0.0.1 and that's
> >> > not very handy to track bruteforce attacks (in example).
> >> >
> >> > Do you have any advice to keep the visitor IP in logs ?
> >> >
> >> > [1] :
> >> > https://github.com/reyk/httpd/wiki/Using-relayd-to-add-Cache-Control-headers-to-httpd-traffic
> >> > --
> >> > :thuban:
> >> >
> >>
> >> It's commonly done by adding an X-Forwarded-For header with the origin IP.
> >>
> >> From the relayd.conf(5) man page:
> >>
> >> http protocol "https" {
> >>     match header append "X-Forwarded-For" \
> >>         value "$REMOTE_ADDR"
> >>     match header append "X-Forwarded-By" \
> >>         value "$SERVER_ADDR:$SERVER_PORT"
>
> "append" isn't good here, you don't want to trust whatever the client
> sends in headers.
>
Good point! I've sent a relayd.conf(5) patch for this to tech@.

--
Kind regards,
Hiltjo
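
Added example (not part of the thread and not relayd code): a small Python model of why "append" is the wrong action for X-Forwarded-For when the backend logs that header, compared with overwriting the header with the address the relay itself saw. The function names, the sample addresses and the comma-joined form of an appended value are assumptions made for the illustration.

```python
"""Model of a relay adding X-Forwarded-For with 'append' versus 'set' semantics."""

def relay_forward(client_headers, remote_addr, action):
    """Return the headers the backend receives.

    action="append": keep the client's value and add remote_addr after it
                     (modelled as the usual comma-joined list; an assumption).
    action="set":    discard the client's value and write remote_addr only.
    """
    headers = dict(client_headers)
    existing = headers.get("X-Forwarded-For")
    if action == "append" and existing:
        headers["X-Forwarded-For"] = f"{existing}, {remote_addr}"
    elif action in ("append", "set"):
        headers["X-Forwarded-For"] = remote_addr
    else:
        raise ValueError(f"unknown action: {action}")
    return headers


def logged_ip_first(headers):
    """Naive backend: logs the first (leftmost) entry of the list."""
    return headers["X-Forwarded-For"].split(",")[0].strip()


def logged_ip_last(headers):
    """Backend behind exactly one trusted relay: logs the entry that relay added."""
    return headers["X-Forwarded-For"].split(",")[-1].strip()


# Constructed sample: the real peer is 203.0.113.7, but the request already
# carries its own X-Forwarded-For header claiming a different address.
REAL_PEER = "203.0.113.7"
REQUEST = {"Host": "www.example.org", "X-Forwarded-For": "198.51.100.99"}

def demo():
    appended = relay_forward(REQUEST, REAL_PEER, "append")
    replaced = relay_forward(REQUEST, REAL_PEER, "set")
    return {
        "append/first": logged_ip_first(appended),  # client-chosen value
        "append/last": logged_ip_last(appended),    # relay-observed peer
        "set/first": logged_ip_first(replaced),     # relay-observed peer
    }

if __name__ == "__main__":
    for case, ip in demo().items():
        print(f"{case:13} -> {ip}")
```

With "append", only the last entry is the one the relay wrote; a log that records the whole header or its first entry records whatever the client sent.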

