Posted to users@httpd.apache.org by Morel Mosolff <ma...@gmx.de> on 2017/10/05 09:11:35 UTC
[users@httpd] X-Forward-For in ssl_access_log / apache behind WAF
Hello together
I'm a little bit confused about manipulating ssl_access_log to get the X-Forward-For IP but not the "WAF/Proxy" IP.
(sorry for that long text...)
# Settings:
rhel 7.3
apache 2.4.6
Redirect: apache redirects (nearly) everything to https
- Apache is behind a Web Application Firewall (WAF). The WAF acts like a reverse proxy I think.
- the WAF does only https but lets X-Forward-For information pass through
- The WAF (or some server via the WAF) does health checks and I don't want to log them.
- The health checks' "source" IPs are WAF IPs (maybe a cluster):
WAF-IP1: 1.2.3.1
WAF-IP2: 1.2.3.2
# apache ssl.conf:
<VirtualHost _default_:443>
...
LogLevel info ssl:warn
#part 1:
LogFormat "%l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
CustomLog "logs/ssl_access_log" combined env=!forwarded
CustomLog "logs/ssl_access_log" proxy env=forwarded
#part 2:
SetEnvIf Remote_addr ("1\.2\.3\.1"|"1\.2\.2\.2") waf
CustomLog "logs/ssl_access_log" proxy env=!waf
...
</VirtualHost>
# ssl_access_log:
-> part 1. is ok (you see the X-Forward-IP and WAF IP)
78.51.212.20 1.2.3.1 - - [05/Oct/2017:10:58:05 +0200] "GET /asdf/authorize?response_type=code&dddcasdf1&scope=oertz&redirect_uri=https://www.somethere.de/customers/83483227272 HTTP/1.1" 200 1576 "https://www.somethere.de/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
-> part 2. is not ok. I can't stop the logging of health checks coming from 1.2.3.1/1.2.3.2. Although they are logged twice.
1.2.3.1 - - [05/Oct/2017:10:58:07 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
- 1.2.3.1 - - [05/Oct/2017:10:58:07 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
1.2.3.2 - - [05/Oct/2017:10:58:08 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
- 1.2.3.2 - - [05/Oct/2017:10:58:08 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
1.2.3.1 - - [05/Oct/2017:10:58:12 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
- 1.2.3.1 - - [05/Oct/2017:10:58:12 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
1.2.3.2 - - [05/Oct/2017:10:58:13 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
- 1.2.3.2 - - [05/Oct/2017:10:58:13 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
Hopefully somebody can see the problem / find a solution
many thanks
marc
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: Re: [users@httpd] X-Forward-For in ssl_access_log / apache behind WAF
Posted by Yann Ylavic <yl...@gmail.com>.
Hi,
On Fri, Oct 6, 2017 at 8:49 AM, Morel Mosolff <ma...@gmx.de> wrote:
> Hi Yann
> unfortunately that makes no difference.
>
> It doesn't work even if I only try to block one ip-address like this: SetEnvIf Remote_Addr "1\.2\.3\.1" wav
> but the output is slightly different (see below)
>
> LogFormat "%l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
> LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
> SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
> CustomLog "logs/ssl_access_log" combined env=!forwarded
> CustomLog "logs/ssl_access_log" proxy env=forwarded
> SetEnvIf Remote_Addr "1\.2\.3\.1" wav
> CustomLog "logs/ssl_access_log" proxy env=!waf
There seem to be some typos above, "waf" vs "wav", IP "1.2.*" vs
"10.1.2.*" below?
I'm hardly following here, could you please clarify?
>
> before (deny two ip's):
> 10.1.2.1 - - [06/Oct/2017:08:37:12 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
> 10.1.2.2 - - [06/Oct/2017:08:37:13 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
> 10.1.2.1 - - [06/Oct/2017:08:37:17 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
> 10.1.2.2 - - [06/Oct/2017:08:37:18 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
> 10.1.2.1 - - [06/Oct/2017:08:37:22 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
> 10.1.2.2 - - [06/Oct/2017:08:37:23 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
>
>
> after (deny one ip):
> 10.1.2.1 - - [06/Oct/2017:08:37:32 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
> - 10.1.2.1 - - [06/Oct/2017:08:37:32 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
> 10.1.2.2 - - [06/Oct/2017:08:37:33 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
> - 10.1.2.2 - - [06/Oct/2017:08:37:33 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
> 10.1.2.1 - - [06/Oct/2017:08:37:37 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
> - 10.1.2.1 - - [06/Oct/2017:08:37:37 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
>
> if I delete %h in the proxy definition I get:
> 10.1.2.2 - - [06/Oct/2017:08:45:23 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
> - - - [06/Oct/2017:08:45:23 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
> 10.1.2.1 - - [06/Oct/2017:08:45:27 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
> - - - [06/Oct/2017:08:45:27 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
> 10.1.2.22 - - [06/Oct/2017:08:45:28 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
> - - - [06/Oct/2017:08:45:28 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
>
> (one time the request is logged with the ip and one time without...:-( )
Re: Re: [users@httpd] X-Forward-For in ssl_access_log / apache behind WAF
Posted by Morel Mosolff <ma...@gmx.de>.
Hi Yann
unfortunately that makes no difference.
It doesn't work even if I only try to block one ip-address like this: SetEnvIf Remote_Addr "1\.2\.3\.1" wav
but the output is slightly different (see below)
LogFormat "%l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
CustomLog "logs/ssl_access_log" combined env=!forwarded
CustomLog "logs/ssl_access_log" proxy env=forwarded
SetEnvIf Remote_Addr "1\.2\.3\.1" wav
CustomLog "logs/ssl_access_log" proxy env=!waf
before (deny two ip's):
10.1.2.1 - - [06/Oct/2017:08:37:12 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
10.1.2.2 - - [06/Oct/2017:08:37:13 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
10.1.2.1 - - [06/Oct/2017:08:37:17 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
10.1.2.2 - - [06/Oct/2017:08:37:18 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
10.1.2.1 - - [06/Oct/2017:08:37:22 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
10.1.2.2 - - [06/Oct/2017:08:37:23 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
after (deny one ip):
10.1.2.1 - - [06/Oct/2017:08:37:32 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
- 10.1.2.1 - - [06/Oct/2017:08:37:32 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
10.1.2.2 - - [06/Oct/2017:08:37:33 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
- 10.1.2.2 - - [06/Oct/2017:08:37:33 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
10.1.2.1 - - [06/Oct/2017:08:37:37 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
- 10.1.2.1 - - [06/Oct/2017:08:37:37 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
if I delete %h in the proxy definition I get:
10.1.2.2 - - [06/Oct/2017:08:45:23 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
- - - [06/Oct/2017:08:45:23 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
10.1.2.1 - - [06/Oct/2017:08:45:27 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
- - - [06/Oct/2017:08:45:27 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
10.1.2.22 - - [06/Oct/2017:08:45:28 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
- - - [06/Oct/2017:08:45:28 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
(one time the request is logged with the ip and one time without...:-( )
best
m
> Sent: Thursday, 05 October 2017 at 17:16
> From: "Yann Ylavic" <yl...@gmail.com>
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] X-Forward-For in ssl_access_log / apache behind WAF
>
> Hi,
>
> On Thu, Oct 5, 2017 at 11:11 AM, Morel Mosolff <ma...@gmx.de> wrote:
> >
> > #part 2:
> > SetEnvIf Remote_addr ("1\.2\.3\.1"|"1\.2\.2\.2") waf
> > CustomLog "logs/ssl_access_log" proxy env=!waf
>
> Did you try without the quotes, for instance:
> SetEnvIf Remote_addr ^(1\.2\.3\.1|1\.2\.2\.2)$ waf
> ?
>
> Regards,
> Yann.
Re: [users@httpd] X-Forward-For in ssl_access_log / apache behind WAF
Posted by Yann Ylavic <yl...@gmail.com>.
Hi,
On Thu, Oct 5, 2017 at 11:11 AM, Morel Mosolff <ma...@gmx.de> wrote:
>
> #part 2:
> SetEnvIf Remote_addr ("1\.2\.3\.1"|"1\.2\.2\.2") waf
> CustomLog "logs/ssl_access_log" proxy env=!waf
Did you try without the quotes, for instance:
SetEnvIf Remote_addr ^(1\.2\.3\.1|1\.2\.2\.2)$ waf
?
Regards,
Yann.
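Why the health checks keep appearing, as an added example (not code from either poster or from httpd): a small Python model of how the three CustomLog directives in the thread are each tested on their own against the request environment. It assumes httpd passes the unquoted SetEnvIf argument to the regex engine with its inner quotes intact, and it uses the WAF-IP2 value 1.2.3.2 from the original post in the corrected pattern; the function names and the single_decision rule are illustrative.

```python
import re

# Constructed requests modelled on the log lines in the thread:
# (Remote_Addr, X-Forwarded-For header value or None)
HEALTH_CHECK = ("1.2.3.1", None)
CLIENT_VIA_WAF = ("1.2.3.1", "78.51.212.20")

FORWARDED_RE = r"^.*\..*\..*\..*"
WAF_RE_POSTED = r'("1\.2\.3\.1"|"1\.2\.2\.2")'  # as posted: the quotes are literal
WAF_RE_FIXED = r"^(1\.2\.3\.1|1\.2\.3\.2)$"      # no quotes, WAF-IP2 as listed (assumption)

def request_env(remote_addr, xff, waf_re):
    """Apply the two SetEnvIf rules; return the set of variables that got set."""
    env = set()
    if xff is not None and re.search(FORWARDED_RE, xff):
        env.add("forwarded")
    if re.search(waf_re, remote_addr):
        env.add("waf")
    return env

# The three CustomLog directives from the post: (format nickname, variable, negated)
CUSTOM_LOGS = [("combined", "forwarded", True),
               ("proxy", "forwarded", False),
               ("proxy", "waf", True)]

def lines_written(request, waf_re):
    """Every CustomLog whose own condition passes writes a line to the file."""
    env = request_env(*request, waf_re)
    return [fmt for fmt, var, negated in CUSTOM_LOGS if (var in env) != negated]

def single_decision(request, waf_re):
    """Hypothetical rule: one line per request, none for WAF traffic without XFF."""
    env = request_env(*request, waf_re)
    if "waf" in env and "forwarded" not in env:
        return []
    return ["proxy" if "forwarded" in env else "combined"]

if __name__ == "__main__":
    for name, req in (("health check", HEALTH_CHECK), ("client via WAF", CLIENT_VIA_WAF)):
        print(name, lines_written(req, WAF_RE_POSTED),
              lines_written(req, WAF_RE_FIXED), single_decision(req, WAF_RE_FIXED))
```

With the pattern matching, the health check is still written once by the `combined` directive, because that directive only tests `forwarded`. Real client requests also arrive from the WAF address, so the address alone cannot separate them from health checks.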