[BlueOnyx:22028] Re: nginx issue (another one)
Maurice de Laat
mdlaat at muisnetwerken.nl
Wed May 9 15:08:58 -05 2018
Hi Michael,
On 09-05-18 21:36, Michael Stauber wrote:
> If changed to this ..
> LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\"
> \"%{User-Agent}i\"" combined
> LogFormat "%v %{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\"
> \"%{User-Agent}i\"" proxy
> SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
> CustomLog "/var/log/httpd/access_log" combined env=!forwarded
> CustomLog "/var/log/httpd/access_log" proxy env=forwarded
>
> ... it does exactly what we want and it logs the Client IP.
But is that also a solution for the situation where a visitor is allowed
or denied access by statements in a .htaccess like these:
<FilesMatch wp-login.php>
Order Deny,Allow
Deny from All
Allow from a.b.c.d
</FilesMatch>
Or does it only fix the logging?
On my system, I had to use the Apache directive
RemoteIPHeader X-Forwarded-For
to fix those allow/deny statements.
> This basically looks for the environment variable "X-Forwarded-For". If
> found, it will use the second CustomLog directive. If there is no
> "X-Forwarded-For" it will use the first CustomLog directive. It's a bit
> stupid to have to do it this way, but it works.
>
Isn't just plain looking for an X-Forwarded-For header a security breach?
An attacker might be able to bypass nginx and access a vsite directly on
Apache, but still add this header to his request, resulting in false
logging in the Apache logfiles and thereby hiding his real address?
That is where the Apache directives
RemoteIPInternalProxy
and
RemoteIPTrustedProxy
come into play. They tell Apache to only trust the X-Forwarded-For
header when it comes from a specific address (in our case that
should be the address of nginx).
Kind regards
Maurice
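To make the trust boundary Maurice describes concrete, here is a small model of how mod_remoteip picks the client address once RemoteIPHeader X-Forwarded-For is paired with RemoteIPInternalProxy / RemoteIPTrustedProxy. It is an added example written for this page, not code from the thread or from Apache; it follows the documented behaviour of those directives, and the peer addresses and header values are constructed samples.

```python
"""Model of how Apache's mod_remoteip picks the client address when
RemoteIPHeader X-Forwarded-For is combined with RemoteIPInternalProxy /
RemoteIPTrustedProxy. Added example (not from the thread or the Apache
sources); it follows the documented behaviour of those directives."""
import ipaddress

# Ranges mod_remoteip refuses to accept from a proxy that is only "trusted"
_PRIVATE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "fc00::/7", "fe80::/10", "::1/128")]


def _is_private(ip):
    a = ipaddress.ip_address(ip)
    return any(a in n for n in _PRIVATE)


def resolve_client_ip(peer_ip, xff_header, internal_proxies=(), trusted_proxies=()):
    """Return (address Apache uses for logging and Allow/Deny, leftover header).

    The header is walked from the right. An entry only replaces the current
    remote address while that address belongs to a configured proxy, so a
    header sent straight to Apache by an attacker is never believed. Internal
    proxies may hand over private addresses, trusted proxies may not. With no
    proxy list at all every peer is believed, which is the weak setup.
    """
    internal = [ipaddress.ip_network(n) for n in internal_proxies]
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    remote = peer_ip
    while hops:
        addr = ipaddress.ip_address(remote)
        is_internal = any(addr in n for n in internal)
        if (internal or trusted) and not (is_internal or any(addr in n for n in trusted)):
            break  # peer is not one of our proxies: stop trusting the header
        candidate = hops[-1]
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break  # garbage in the header, leave it untouched
        if not is_internal and _is_private(candidate):
            break  # only an internal proxy may forward a private address
        hops.pop()
        remote = candidate
    return remote, ", ".join(hops)


if __name__ == "__main__":
    nginx = ["127.0.0.1/32"]  # constructed: nginx proxies to Apache over loopback
    # constructed sample: attacker bypasses nginx and spoofs the header
    print(resolve_client_ip("198.51.100.7", "203.0.113.9", internal_proxies=nginx))
    # constructed sample: the same request arriving through nginx
    print(resolve_client_ip("127.0.0.1", "203.0.113.9", internal_proxies=nginx))
```

The first call keeps the real peer address because it is not a listed proxy; the second hands the header value through because it came from nginx.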