[BlueOnyx:22027] Re: nginx issue (another one)

Michael Stauber mstauber at blueonyx.it
Wed May 9 14:36:35 -05 2018


Hi Maurice,

> But Apache is not picking this up. It is my understanding that Apache
> should be told this by the RemoteIPHeader directive. But I can not find
> this directive in any Apache configuration file.

I'm a bit puzzled here as well. From what I recall: What I had there
used to work. I've seen my client's IP in the Apache log after using the
roundtrip via the Nginx proxy. But lo and behold: It now shows the
server IP instead.

I checked the Nginx config and compared that with the Nginx documentation.

Like with anything Nginx related there is more than one way to do it -
no matter what you want to do.

For example see this:

https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/

http://www.networkinghowtos.com/howto/set-the-x-forwarded-for-header-on-a-nginx-reverse-proxy-setup/

So ... we can use the Forwarded-For headers and/or the realip module
(which our Nginx has built in). I tried both and the net result is the same:

Apache logs the Server IP, not the Client IP if HTTPS via Nginx is used.

A phpinfo() page will tell us that the Forwarded-For and Client IP
headers are set and even reach PHP (regardless if mod_php, suPHP or FPM
is used). It's just that Apache doesn't log it.

But we can tell it how it should log stuff and we already do so in
/etc/httpd/conf.d/security.conf where we currently have this:

# Logging:
#CustomLog /var/log/httpd/access_log "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""

If changed to this ..

LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%v %{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
CustomLog "/var/log/httpd/access_log" combined env=!forwarded
CustomLog "/var/log/httpd/access_log" proxy env=forwarded

... it does exactly what we want and it logs the Client IP.

This basically looks for the environment variable "X-Forwarded-For". If
found, it will use the second CustomLog directive. If there is no
"X-Forwarded-For" it will use the first CustomLog directive. It's a bit
stupid to have to do it this way, but it works.

I'll publish an updated base-apache which changes the logging format as
mentioned here.

-- 
With best regards

Michael Stauber
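
Added example, not part of the original message or of BlueOnyx: a Python emulation of which of the two CustomLog lines the SetEnvIf pattern above selects for a given X-Forwarded-For value, and what ends up in the client column of the access log. The sample values, the function names and the right-most-entry rule in client_from_field() are assumptions made for illustration (it presumes the proxy appends the peer address it saw to the header).

```python
import ipaddress
import re

# Pattern copied from the SetEnvIf line in the message above.
FORWARDED_RE = re.compile(r"^.*\..*\..*\..*")

def select_format(xff):
    """Return the LogFormat nickname the two CustomLog lines would pick."""
    if xff is not None and FORWARDED_RE.search(xff):
        return "proxy"
    return "combined"

def logged_client_field(xff, peer_ip):
    """Value written in the client column: %{X-Forwarded-For}i or %h."""
    return xff if select_format(xff) == "proxy" else peer_ip

def client_from_field(field):
    """Assumption: the proxy appends the peer address it saw, so the
    right-most list entry is the only one the proxy vouches for.
    Returns a normalized IP string, or None if it is not an address."""
    last = field.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(last))
    except ValueError:
        return None

# Constructed sample (header value, peer address) pairs using
# documentation address ranges; None means the header is absent.
SAMPLES = [
    ("203.0.113.7", "127.0.0.1"),                # single IPv4 from the proxy
    ("198.51.100.9, 203.0.113.7", "127.0.0.1"),  # multi-hop list
    ("2001:db8::1", "127.0.0.1"),                # IPv6 has no dots
    ("not.an.ip.addr", "127.0.0.1"),             # three dots, not an address
    (None, "192.0.2.44"),                        # request not via the proxy
]

if __name__ == "__main__":
    for xff, peer in SAMPLES:
        field = logged_client_field(xff, peer)
        print(f"{xff!r:32} {select_format(xff):9} "
              f"{field!r:30} {client_from_field(field)}")
```

The pattern only counts dots, so an IPv6 client behind the proxy is still logged with the peer address, and any header value with three dots is written to the log as received; a log consumer can use a check like client_from_field() before treating the column as an address.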


