Hello Christopher,

It just occurred to me that you might be referring to the first field (%h) in your log records.
This is going to be the remote hostname.
So this is showing the IP address of your immediate proxy.
If you want to see the true original client IP address (as calculated by mod_remoteip), you should add the %a field to your LogFormat directive.
- http://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formats



On 10/2/2014 9:04 AM, Mike Rumph wrote:
Hello Christopher,

Since you are running 2.4.10, you have the latest mod_remoteip fixes.
But I think the problem is in the directives that you are using:

     RemoteIPHeader X-Forwarded-For
     #RemoteIPTrustedProxy 10.0.0.0/8


If you only use the RemoteIPHeader directive, then the default is to treat all proxies as external trusted proxies. Having RemoteIPTrustedProxy set for all your proxies would have the same effect.

I assume by your 10.0.0.0/8 mask that this matches your proxy addresses.
But 10.0.0.0/8 is a mask for internal IP addresses.
So your proxies will not be accepted as external proxies.
And your true client IP address will not be used.

Try the following directives instead:

     RemoteIPHeader X-Forwarded-For
     RemoteIPInternalProxy 10.0.0.0/8

Let us know if this works for you.

Thanks,

Mike Rumph

On 10/2/2014 6:46 AM, Christopher Schultz wrote:
Mike,

On 10/1/14 5:40 PM, Mike Rumph wrote:
> What version of Apache httpd are you running?
Thanks for the reply. We are running 2.4 and 2.2 on various servers, but
I'm starting with this one:

Server version: Apache/2.4.10 (Amazon)
Server built:   Jul 30 2014 23:57:28

This is the httpd package that Amazon bundles with its Amazon Linux. If
possible, I'd prefer to continue to use their packages.

> There have been some mod_remoteip fixes in recent 2.4.x releases.
>
> You could also try setting up some LogFormat directives as in bug 55635
> to get more information on this.
> - https://issues.apache.org/bugzilla/show_bug.cgi?id=55635#c1
I'll modify my log format and post what I get under various circumstances.

FWIW, I currently have no "Allow" or "Deny" directives in effect. I was
planning eventually to say "Allow from 10/8" or something equivalent to
only allow connections to this virtual host from the load-balancer. If
that's not going to work, it's easily done at the OS or firewall level.

Thanks,
-chris

On 10/1/2014 11:00 AM, Christopher Schultz wrote:
All,

I'm trying to get httpd working behind an AWS ELB but still using the
remote client's information whenever possible.

ELB provides the X-Forwarded-For, X-Forwarded-Port, and
X-Forwarded-Proto HTTP headers. My configuration looks like this:

      RemoteIPHeader X-Forwarded-For
      #RemoteIPTrustedProxy 10.0.0.0/8

(I commented-out the RemoteIPTrustedProxy line to see if that was the
problem, and it does not appear to have changed the behavior).

My true client IP address is 71.178.xxx.yyy and I'm making a request
through the load balancer. I'm using PHP's "phpinfo()" to dump
everything about the request. I can see that the X-Forwarded-For header
has been /removed/ from the request (which mod_remoteip says will
happen), but I'm still getting the ELB's IP address in my access logs:

10.32.xxx.yyy - - [01/Oct/2014:17:59:27 +0000] "GET /info.php HTTP/1.1"
200 72810 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0)
Gecko/20100101 Firefox/32.0"

I have definitely restarted httpd and mod_remoteip is definitely enabled
(no errors on start, X-Forwarded-For header is being removed from the
headers).

Am I missing something in my configuration?

Thanks,
-chris


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
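
An added example, not part of the thread and not httpd's own code: a simplified Python model of the right-to-left X-Forwarded-For walk that the mod_remoteip documentation describes, showing what %h (the peer) and %a (the resolved client) would report under the directive sets discussed above. The function name, the IPv4-only handling and every address are constructed for illustration.

```python
import ipaddress

# Private/local IPv4 blocks that the mod_remoteip documentation says are
# not accepted from a RemoteIPTrustedProxy (only from an internal proxy).
PRIVATE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8")]

def _in(addr, nets):
    return any(addr in n for n in nets)

def resolve_client(peer, xff, internal=(), trusted=()):
    """Return (client_ip, leftover_header) for one request (hypothetical helper).

    peer     -- address of the TCP connection (what %h logs)
    xff      -- X-Forwarded-For value as received
    internal -- RemoteIPInternalProxy networks
    trusted  -- RemoteIPTrustedProxy networks
    The returned client_ip corresponds to what %a logs.
    """
    internal = [ipaddress.ip_network(n) for n in internal]
    trusted = [ipaddress.ip_network(n) for n in trusted]
    restrict = bool(internal or trusted)   # no list: every hop is trusted
    current = ipaddress.ip_address(peer)
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    while hops:
        is_internal = _in(current, internal)
        if restrict and not is_internal and not _in(current, trusted):
            break                          # current hop is not a known proxy
        try:
            candidate = ipaddress.ip_address(hops[-1])
        except ValueError:
            break                          # unparsable entry: stop here
        if not is_internal and _in(candidate, PRIVATE):
            break                          # private address from external proxy
        current = candidate
        hops.pop()
    return str(current), ", ".join(hops)

if __name__ == "__main__":
    elb = "10.32.0.5"                          # constructed load-balancer address
    header = "198.51.100.9, 203.0.113.7"       # client-supplied value, then the real client
    # Proxy list set: the walk stops at the first hop that is not a known proxy.
    print(resolve_client(elb, header, internal=["10.0.0.0/8"]))
    # RemoteIPHeader alone: every hop is trusted, so the leftmost value wins.
    print(resolve_client(elb, header))
```

With a proxy list configured, only the entry appended by the load balancer is believed and anything the client put in the header is left over; with RemoteIPHeader alone, the leftmost value is taken as the client address.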



