Posted to users@httpd.apache.org by Carlos André <ca...@gmail.com> on 2009/12/02 13:38:44 UTC

[users@httpd] Client IP behind SQUID on Apache Reverse Proxy

Hi people,

I'm getting headaches^3 because of logging in my scenario...

There is:
Client/HTTPS(172.16.0.101) -> SQUID/HTTPS (172.16.0.31) -> Reverse
Proxy (Apache, SSL-out, 172.16.0.50) -> WebServers/HTTP (172.16.0.60)

I need 2 things (for logging purposes):
1) Send the IP of the client to the WebServers. Is there any way to make
Apache get the "X-Forwarded-For" value from SQUID and forward it in Apache's
X-Forwarded-For header to the WebServers, instead of putting the SQUID IP in
X-Forwarded-For and forwarding that to the WebServers? Better, just do it if
"IP = known proxy IP", like I do for logging below?
Something like:
SQUID Header:
X-Forwarded-For: 172.16.0.101
Reverse Proxy Header:
X-Forwarded-For: 172.16.0.101 (NOT 172.16.0.31 IF "172.16.0.31=known
proxy IP" [to avoid spoofing...])

2) Log the Client IP on the Reverse Proxy (in access / error / modsecurity
logs). I made some changes to httpd.conf without the expected results:
----------------------------------------------------------------------------------
SetEnvIf Remote_Addr 172\.25\.136\.31 PROXY=1
LogFormat "%h %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-agent}i\"" combined_forwarded
CustomLog /var/log/httpd/combined-access.log combined env=!PROXY
CustomLog /var/log/httpd/combined_forwarded-access.log combined_forwarded env=PROXY
----------------------------------------------------------------------------------
With this conf, if a client tries to access any webserver behind the RP, the
RP logs the SQUID IP in "combined_forwarded-access.log" instead of the Client
IP, *BUT* if the client accesses the html root directory (for example) of the
Reverse Proxy, it logs the real client IP in "combined_forwarded-access.log" :(


Thanks :)
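
Added example, not part of the original post and not Apache or SQUID code: a sketch of the "trust X-Forwarded-For only when the peer is a known proxy" rule the post asks for, generalized to a multi-entry header. The function names and the trusted list are assumptions; the addresses are the ones in the post's topology.

```python
import ipaddress

# Assumption: the SQUID host from the post is the only proxy allowed to
# assert a client address on behalf of someone else.
TRUSTED_PROXIES = [ipaddress.ip_network("172.16.0.31/32")]


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True if addr (an ip_address object) belongs to a known proxy."""
    return any(addr in net for net in trusted)


def resolve_client_ip(peer, xff_header, trusted=TRUSTED_PROXIES):
    """Return the address to log and forward for one request.

    peer       -- TCP source address seen by the reverse proxy
    xff_header -- raw X-Forwarded-For value, or None if absent
    """
    client = ipaddress.ip_address(peer)
    if not xff_header:
        return str(client)
    hops = [h.strip() for h in xff_header.split(",")]
    # Each entry was appended by the hop to its right, so walk right to left
    # and believe an entry only while the address vouching for it is trusted.
    for hop in reversed(hops):
        if not is_trusted(client, trusted):
            break  # not a known proxy: anything further left may be spoofed
        try:
            client = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last verified address
    return str(client)


if __name__ == "__main__":
    # Constructed sample requests: (peer address, X-Forwarded-For header)
    samples = [
        ("172.16.0.31", "172.16.0.101"),           # via SQUID
        ("172.16.0.101", "10.9.9.9"),              # direct client, forged header
        ("172.16.0.31", "10.9.9.9, 172.16.0.101"),  # forged entry sent through SQUID
        ("172.16.0.31", None),                     # SQUID itself, no header
    ]
    for peer, xff in samples:
        print(peer, repr(xff), "->", resolve_client_ip(peer, xff))
```
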
