Re: log X-Forwarded-For in haproxy log

2013-05-10 Thread Baptiste
Hi Pedro,

You can use the log-format statement available in HAProxy 1.5.
Everything is explained in the doc.
If you need more help, please let us know.

Baptiste

On Thu, May 9, 2013 at 3:21 PM, Pedro Mata-Mouros
pedro.matamou...@sapo.pt wrote:
 Hi,

 Picking up this old thread, is there a way of actually replacing the
 client_ip in the logs with this captured header X-Forwarded-For? I'm using
 AWS and the current setup uses AWS LBs to deliver traffic to my HAProxy box,
 and this way every single client_ip I'm seeing in the logs is from the LB
 internal IP address - which is kind of wasted space...

 Thanks,

 Pedro.

 On 5 Jul 2011, at 21:25, Julien Vehent jul...@linuxwall.info wrote:

 On Tue, 05 Jul 2011 16:17:24 +0100, Hugo Silva wrote:

 I just finished setting up apache+mod_security in front of haproxy:

 user-- apache+modsec -- haproxy -- webservers -- fastcgi

 The reasoning being that if apache was behind haproxy, then the backend
 (nginx+php) servers wouldn't show on the haproxy admin interface (the
 apaches would).

 I'm not 100% sure if this is the best way to go about it, but for the
 time being that's the approach. Feel free to suggest/discuss alternatives.


 Because the site is live, I'm doing this in phases. For now the firewall
 on the load balancers redirects incoming connections from certain IPs to
 the new apache+modsec setup, while everything else is business as usual.

 The few connections that go through the test setup get logged by haproxy
 as coming from 127.0.0.1. This is because the firewall redirects to
 127.0.0.1: (apache) which then ProxyPass'es to haproxy
 (127.0.0.1:); therefore haproxy sees an incoming connection from
 127.0.0.1.

 Apache properly sets the X-Forwarded-For header.

 Question: Can I somehow tell haproxy to log that instead?
 If it is possible, are there security implications?



 X-Forwarded-For is an HTTP header. Like any other HTTP header, you can ask
 haproxy to log it by using

 frontend XYZ
   [...]
   option httplog
   capture request header X-Forwarded-For len 50


 It will appear in the logs in field #14, enclosed between {} characters.
 http://code.google.com/p/haproxy-docs/wiki/HTTPLogFormat



 Julien






Re: log X-Forwarded-For in haproxy log

2013-05-10 Thread Pedro Mata-Mouros
Hi Baptiste,

Thanks for referring that. I was hoping there was some way of picking a 
specific captured header (X-Forwarded-For in this case) and using it, but it 
seems %hr just gives you everything and puts it inside {}. In my case I'd just 
like to use the X-Forwarded-For as the client IP, if it exists, or use the 
default %ci in case it doesn't.

But no harm done, it's not that big of an issue. :-)

Thanks,

Pedro.

On 10 May 2013, at 07:18, Baptiste bed...@gmail.com wrote:

 Hi Pedro,
 
 You can use the log-format statement available in HAProxy 1.5.
 Everything is explained in the doc.
 If you need more help, please let us know.
 
 Baptiste
 
 On Thu, May 9, 2013 at 3:21 PM, Pedro Mata-Mouros
 pedro.matamou...@sapo.pt wrote:
 Hi,
 
 Picking up this old thread, is there a way of actually replacing the
 client_ip in the logs with this captured header X-Forwarded-For? I'm using
 AWS and the current setup uses AWS LBs to deliver traffic to my HAProxy box,
 and this way every single client_ip I'm seeing in the logs is from the LB
 internal IP address - which is kind of wasted space...
 
 Thanks,
 
 Pedro.
 
 On 5 Jul 2011, at 21:25, Julien Vehent jul...@linuxwall.info wrote:
 
 On Tue, 05 Jul 2011 16:17:24 +0100, Hugo Silva wrote:
 
 I just finished setting up apache+mod_security in front of haproxy:
 
 user-- apache+modsec -- haproxy -- webservers -- fastcgi
 
 The reasoning being that if apache was behind haproxy, then the backend
 (nginx+php) servers wouldn't show on the haproxy admin interface (the
 apaches would).
 
 I'm not 100% sure if this is the best way to go about it, but for the
 time being that's the approach. Feel free to suggest/discuss alternatives.
 
 
 Because the site is live, I'm doing this in phases. For now the firewall
 on the load balancers redirects incoming connections from certain IPs to
 the new apache+modsec setup, while everything else is business as usual.
 
 The few connections that go through the test setup get logged by haproxy
 as coming from 127.0.0.1. This is because the firewall redirects to
 127.0.0.1: (apache) which then ProxyPass'es to haproxy
 (127.0.0.1:); therefore haproxy sees an incoming connection from
 127.0.0.1.
 
 Apache properly sets the X-Forwarded-For header.
 
 Question: Can I somehow tell haproxy to log that instead?
 If it is possible, are there security implications?
 
 
 
 X-Forwarded-For is an HTTP header. Like any other HTTP header, you can ask
 haproxy to log it by using
 
 frontend XYZ
   [...]
   option httplog
   capture request header X-Forwarded-For len 50
 
 
 It will appear in the logs in field #14, enclosed between {} characters.
 http://code.google.com/p/haproxy-docs/wiki/HTTPLogFormat
 
 
 
 Julien
 
 
 
 



Re: log X-Forwarded-For in haproxy log

2013-05-09 Thread Pedro Mata-Mouros
Hi,

Picking up this old thread, is there a way of actually replacing the client_ip 
in the logs with this captured header X-Forwarded-For? I'm using AWS and the 
current setup uses AWS LBs to deliver traffic to my HAProxy box, and this way 
every single client_ip I'm seeing in the logs is from the LB internal IP 
address - which is kind of wasted space...

Thanks,

Pedro.

On 5 Jul 2011, at 21:25, Julien Vehent jul...@linuxwall.info wrote:

 On Tue, 05 Jul 2011 16:17:24 +0100, Hugo Silva wrote:
 I just finished setting up apache+mod_security in front of haproxy:
 
 user-- apache+modsec -- haproxy -- webservers -- fastcgi
 
 The reasoning being that if apache was behind haproxy, then the backend
 (nginx+php) servers wouldn't show on the haproxy admin interface (the
 apaches would).
 
 I'm not 100% sure if this is the best way to go about it, but for the
 time being that's the approach. Feel free to suggest/discuss alternatives.
 
 
 Because the site is live, I'm doing this in phases. For now the firewall
 on the load balancers redirects incoming connections from certain IPs to
 the new apache+modsec setup, while everything else is business as usual.
 
 The few connections that go through the test setup get logged by haproxy
 as coming from 127.0.0.1. This is because the firewall redirects to
 127.0.0.1: (apache) which then ProxyPass'es to haproxy
 (127.0.0.1:); therefore haproxy sees an incoming connection from
 127.0.0.1.
 
 Apache properly sets the X-Forwarded-For header.
 
 Question: Can I somehow tell haproxy to log that instead?
 If it is possible, are there security implications?
 
 
 X-Forwarded-For is an HTTP header. Like any other HTTP header, you can ask 
 haproxy to log it by using
 
 frontend XYZ
   [...]
   option httplog
   capture request header X-Forwarded-For len 50
 
 
 It will appear in the logs in field #14, enclosed between {} characters.
 http://code.google.com/p/haproxy-docs/wiki/HTTPLogFormat
 
 
 
 Julien
 
 



Re: log X-Forwarded-For in haproxy log

2011-07-08 Thread Willy Tarreau
On Thu, Jul 07, 2011 at 11:42:01AM +0100, Hugo Silva wrote:
 On 07/05/11 21:25, Julien Vehent wrote:
  X-Forwarded-For is an HTTP header. Like any other HTTP header, you can
  ask haproxy to log it by using
  
  frontend XYZ
    [...]
    option httplog
    capture request header X-Forwarded-For len 50
  
  
  It will appear in the logs in field #14, enclosed between {} characters.
  http://code.google.com/p/haproxy-docs/wiki/HTTPLogFormat
  
  
  
  Julien
  
  
 
 That will do, thanks!
 
 Any comments on the wisdom of apache before haproxy for mod_security?

At some customers, we're doing this:

   client
      |
      |
      v
   +---------+   +--------------+
   |         |---|  apache +    |
   | haproxy |   | mod_proxy +  |
   |         |---| mod_security |
   +---------+   +--------------+
      |
      |
      v
   servers

It's interesting because:
  - you can use as many mod_security servers as needed
  - you can bypass them for requests that are not at risk (e.g. static)
  - mod_proxy caches before mod_security, which is handy for all
    static contents that were still sent there
  - load balancing and persistence are still performed on the servers
  - the number of servers is independent of the number of proxies
  - it's cheap :-)

Cheers,
Willy




log X-Forwarded-For in haproxy log

2011-07-05 Thread Hugo Silva
I just finished setting up apache+mod_security in front of haproxy:

user-- apache+modsec -- haproxy -- webservers -- fastcgi

The reasoning being that if apache was behind haproxy, then the backend
(nginx+php) servers wouldn't show on the haproxy admin interface (the
apaches would).

I'm not 100% sure if this is the best way to go about it, but for the
time being that's the approach. Feel free to suggest/discuss alternatives.


Because the site is live, I'm doing this in phases. For now the firewall
on the load balancers redirects incoming connections from certain IPs to
the new apache+modsec setup, while everything else is business as usual.

The few connections that go through the test setup get logged by haproxy
as coming from 127.0.0.1. This is because the firewall redirects to
127.0.0.1: (apache) which then ProxyPass'es to haproxy
(127.0.0.1:); therefore haproxy sees an incoming connection from
127.0.0.1.

Apache properly sets the X-Forwarded-For header.

Question: Can I somehow tell haproxy to log that instead?
If it is possible, are there security implications?



Re: log X-Forwarded-For in haproxy log

2011-07-05 Thread Julien Vehent

On Tue, 05 Jul 2011 16:17:24 +0100, Hugo Silva wrote:

I just finished setting up apache+mod_security in front of haproxy:

user-- apache+modsec -- haproxy -- webservers -- fastcgi

The reasoning being that if apache was behind haproxy, then the backend
(nginx+php) servers wouldn't show on the haproxy admin interface (the
apaches would).

I'm not 100% sure if this is the best way to go about it, but for the
time being that's the approach. Feel free to suggest/discuss alternatives.


Because the site is live, I'm doing this in phases. For now the firewall
on the load balancers redirects incoming connections from certain IPs to
the new apache+modsec setup, while everything else is business as usual.

The few connections that go through the test setup get logged by haproxy
as coming from 127.0.0.1. This is because the firewall redirects to
127.0.0.1: (apache) which then ProxyPass'es to haproxy
(127.0.0.1:); therefore haproxy sees an incoming connection from
127.0.0.1.

Apache properly sets the X-Forwarded-For header.

Question: Can I somehow tell haproxy to log that instead?
If it is possible, are there security implications?



X-Forwarded-For is an HTTP header. Like any other HTTP header, you can 
ask haproxy to log it by using


frontend XYZ
   [...]
   option httplog
   capture request header X-Forwarded-For len 50


It will appear in the logs in field #14, enclosed between {} characters.

http://code.google.com/p/haproxy-docs/wiki/HTTPLogFormat



Julien
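An added example, not part of the thread and not HAProxy's own code, that ties Julien's capture to Pedro's wish (use X-Forwarded-For as the client address when present, else %ci) and to Hugo's question about security implications: it parses field 14 from constructed httplog lines and believes X-Forwarded-For only when the peer HAProxy accepted the connection from is a trusted hop. The trusted ranges (127.0.0.1 for Apache, 10.0.0.0/8 for the LB) and the log lines are assumptions made for the example.

```python
import ipaddress
import re
# Constructed sample lines (not from the thread) in "option httplog" layout with
# "capture request header X-Forwarded-For len 50": the value sits in field 14 in {}.
# Assumption: only 127.0.0.1 (Apache) and 10.0.0.0/8 (the LB) may set X-Forwarded-For.
SAMPLE_LOG = """\
Jul  5 16:20:01 lb haproxy[1234]: 127.0.0.1:51212 [05/Jul/2011:16:20:01.123] XYZ web/srv1 0/0/1/12/13 200 1450 - - ---- 3/3/0/1/0 0/0 {203.0.113.7} {} "GET /index.html HTTP/1.1"
Jul  5 16:20:02 lb haproxy[1234]: 198.51.100.9:40233 [05/Jul/2011:16:20:02.456] XYZ web/srv2 0/0/1/10/11 200 512 - - ---- 3/3/0/1/0 0/0 {203.0.113.8} {} "GET /login HTTP/1.1"
Jul  5 16:20:03 lb haproxy[1234]: 127.0.0.1:51213 [05/Jul/2011:16:20:03.789] XYZ web/srv1 0/0/1/9/10 200 300 - - ---- 3/3/0/1/0 0/0 {10.0.0.5, 203.0.113.9} {} "GET /a HTTP/1.1"
Jul  5 16:20:04 lb haproxy[1234]: 127.0.0.1:51214 [05/Jul/2011:16:20:04.000] XYZ web/srv1 0/0/1/9/10 200 300 - - ---- 3/3/0/1/0 0/0 {} {} "GET /b HTTP/1.1"
"""
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32"), ipaddress.ip_network("10.0.0.0/8")]

# client_ip:port (field 2), the {captured request headers} (field 14) and the request line.
HTTPLOG_RE = re.compile(r'haproxy\[\d+\]: (?P<client_ip>\S+):\d+ .*? \{(?P<req_hdrs>[^}]*)\} '
                        r'\{[^}]*\} "(?P<request>[^"]*)"')

def is_trusted(addr):
    try:
        return any(ipaddress.ip_address(addr) in net for net in TRUSTED_PROXIES)
    except ValueError:  # not an IP literal at all
        return False

def effective_client(client_ip, xff):
    """Return (address to log as the client, which field it came from)."""
    # Honour X-Forwarded-For only if HAProxy's peer is a trusted hop; otherwise
    # the header is text the client itself supplied and %ci is the truth.
    if not is_trusted(client_ip) or not xff:
        return client_ip, "client_ip"
    # XFF grows left to right, so walk from the right past our own proxies to
    # the first address a trusted hop really saw; stop on anything malformed.
    for hop in reversed([h.strip() for h in xff.split(",")]):
        if is_trusted(hop):
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break
        return hop, "x-forwarded-for"
    return client_ip, "client_ip"

def resolve_clients(log_text):
    """Return (request, client, source) for every parsable httplog line."""
    out = []
    for line in log_text.splitlines():
        m = HTTPLOG_RE.search(line)
        if m:  # several captured headers would be "|"-separated; we captured one
            xff = m.group("req_hdrs").split("|")[0].strip()
            out.append((m.group("request"),) + effective_client(m.group("client_ip"), xff))
    return out
```

Line two of the sample shows the caveat: a request that reached HAProxy directly carries an X-Forwarded-For that is ignored, so the logged client stays %ci.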