* Hiltjo Posthuma <hil...@codemadness.org> on [09-04-2017 14:06:48 +0200]:
> On Sun, Apr 09, 2017 at 11:30:37AM +0000, Stuart Henderson wrote:
> > On 2017-04-09, Thuban <thu...@yeuxdelibad.net> wrote:
> > > * Hiltjo Posthuma <hil...@codemadness.org> on [09-04-2017 11:42:23 +0200]:
> > >> On Sat, Apr 08, 2017 at 08:48:43PM +0200, Thuban wrote:
> > >> > Hello,
> > >> > I use relayd to deal with HTTP headers as suggested here [1].
> > >> > My problem is that in httpd logs, the origin IP is 127.0.0.1 and that's
> > >> > not very handy to track brute-force attacks (for example).
> > >> > 
> > >> > Do you have any advice to keep the visitor IP in logs?
> > >> > 
> > >> > [1] : 
> > >> > https://github.com/reyk/httpd/wiki/Using-relayd-to-add-Cache-Control-headers-to-httpd-traffic
> > >> > -- 
> > >> > :thuban:
> > >> > 
> > >> 
> > >> It's commonly done by adding an X-Forwarded-For header with the origin IP.
> > >> 
> > >> From the relayd.conf(5) man page:
> > >> 
> > >>            http protocol "https" {
> > >>                    match header append "X-Forwarded-For" \
> > >>                            value "$REMOTE_ADDR"
> > >>                    match header append "X-Forwarded-By" \
> > >>                            value "$SERVER_ADDR:$SERVER_PORT"
> > 
> > "append" isn't good here, you don't want to trust whatever the client
> > sends in headers.
> > 
> 
> Good point! I've sent a relayd.conf(5) patch for this to tech@.
 
That's right indeed. The man page may have an alert on this.

So, transparent relay is what I need. Does anyone have a working
example?
Just adding the "transparent" keyword doesn't work for me, the client
never accesses httpd.

Regards

-- 
:thuban:
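
Added example, not part of the thread and not relayd's code: a small Python model of the point about "append", showing what the backend receives when the client already sent its own X-Forwarded-For, next to a replacing action (relayd.conf(5) calls it "set"). The function names, the host name and the documentation-range addresses are assumptions made up for the illustration.

```python
# Added example (constructed): models a relay's header action, not relayd's code.
import ipaddress

XFF = "X-Forwarded-For"

def relay_forward(headers, remote_addr, action):
    """Return the headers the backend sees after the relay applies `action`.

    "append" keeps the client's own X-Forwarded-For and adds remote_addr
    after it; "set" throws the client's value away and writes remote_addr.
    """
    if action not in ("append", "set"):
        raise ValueError(f"unknown action: {action}")
    out = {k: v for k, v in headers.items() if k.lower() != XFF.lower()}
    sent = [v for k, v in headers.items() if k.lower() == XFF.lower()]
    if action == "append" and sent:
        out[XFF] = ", ".join(sent + [remote_addr])
    else:
        out[XFF] = remote_addr
    return out

def first_entry(xff):
    """What a log consumer gets if it trusts the leftmost entry."""
    return xff.split(",")[0].strip()

def relay_entry(xff, trusted_hops=1):
    """Entry written by our own relay: counted from the right, validated."""
    parts = [p.strip() for p in xff.split(",") if p.strip()]
    if trusted_hops < 1 or len(parts) < trusted_hops:
        return None
    try:
        return str(ipaddress.ip_address(parts[-trusted_hops]))
    except ValueError:
        return None

# Constructed request: the peer is 203.0.113.7 but claims to be 198.51.100.99.
CLIENT_HEADERS = {"Host": "www.example.org", "x-forwarded-for": "198.51.100.99"}
PEER = "203.0.113.7"

if __name__ == "__main__":
    for action in ("append", "set"):
        xff = relay_forward(CLIENT_HEADERS, PEER, action)[XFF]
        print(f"{action:6} -> {xff!r}: leftmost={first_entry(xff)} "
              f"relay-written={relay_entry(xff)}")
```

With "append" the leftmost entry is whatever the client chose to send, so a log consumer has to read the entry its own relay wrote (counted from the right) or the relay has to replace the header outright.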
