You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by Morel Mosolff <ma...@gmx.de> on 2017/10/05 09:11:35 UTC

[users@httpd] X-Forward-For in ssl_access_log / apache behind WAF

Hello together
I'm a little bit confused about manipulation ssl_access_log to get the X-Forward-For IP but not the "WAF/Proxy" IP.
(sorry for that long text...)

# Settings:
rhel 7.3
apache 2.4.6 
Redirect: apache redirect (nearly) everthing to https

- Apache is behind a Web Application Firewall (WAF). The WAF acts like a reverse proxy I think.
- the WAF do only https but let pass through X-Forward-For information
- The WAF (or some server via the WAF) do health checks and I don't whant to log them.
- The Health checks "source" IP's are WAF IPs (maybe a Cluster):
  WAF-IP1:  1.2.3.1
  WAF-IP2:  1.2.3.2 

# apache ssl.conf:

<VirtualHost _default_:443>
...
LogLevel info ssl:warn

        #part 1:
        LogFormat "%l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
        LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
        SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
        CustomLog "logs/ssl_access_log" combined env=!forwarded
        CustomLog "logs/ssl_access_log" proxy env=forwarded

        #part 2:
        SetEnvIf Remote_addr  ("1\.2\.3\.1"|"1\.2\.2\.2") waf
        CustomLog "logs/ssl_access_log" proxy env=!waf
...
</VirtualHost>


# ssl_acces_log:
-> part 1. is ok (your see the X-Forward-IP and WAF IP)
78.51.212.20 1.2.3.1 - - [05/Oct/2017:10:58:05 +0200] "GET /asdf/authorize?response_type=code&dddcasdf1&scope=oertz&redirect_uri=https://www.somethere.de/customers/83483227272 HTTP/1.1" 200 1576 "https://www.somethere.de/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"

-> part 2. is not ok. I can't stop the logging of health checks coming from 1.2.3.1/1.2.3.2. Allthough they are logged twice.
1.2.3.1 - - [05/Oct/2017:10:58:07 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
- 1.2.3.1 - - [05/Oct/2017:10:58:07 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
1.2.3.2 - - [05/Oct/2017:10:58:08 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
- 1.2.3.2 - - [05/Oct/2017:10:58:08 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
1.2.3.1 - - [05/Oct/2017:10:58:12 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
- 1.2.3.1 - - [05/Oct/2017:10:58:12 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
1.2.3.2 - - [05/Oct/2017:10:58:13 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
- 1.2.3.2 - - [05/Oct/2017:10:58:13 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"

Hopfully sombody can see the problem / find a solution

many thanks
marc




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: Re: [users@httpd] X-Forward-For in ssl_access_log / apache behind WAF

Posted by Yann Ylavic <yl...@gmail.com>.

Hi,

On Fri, Oct 6, 2017 at 8:49 AM, Morel Mosolff <ma...@gmx.de> wrote:
> Hi Yann
> unfortunately that makes no difference.
>
> It don't works even if I only try to block one ip-address like this: SetEnvIf Remote_Addr "1\.2\.3\.1" wav
> but the output is slighly different (see below)
>
>         LogFormat "%l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
>         LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
>         SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
>         CustomLog "logs/ssl_access_log" combined env=!forwarded
>         CustomLog "logs/ssl_access_log" proxy env=forwarded
>         SetEnvIf Remote_Addr "1\.2\.3\.1" wav
>         CustomLog "logs/ssl_access_log" proxy env=!waf

There seems to be some typos above, "waf" vs "wav", IP "1.2.*" vs
"10.1.2.*" below?
I'm hardly following here, could you please clarify?

>
> before (deny two ip's):
> 10.1.2.1 - - [06/Oct/2017:08:37:12 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
> 10.1.2.2 - - [06/Oct/2017:08:37:13 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
> 10.1.2.1 - - [06/Oct/2017:08:37:17 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
> 10.1.2.2 - - [06/Oct/2017:08:37:18 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
> 10.1.2.1 - - [06/Oct/2017:08:37:22 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
> 10.1.2.2 - - [06/Oct/2017:08:37:23 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
>
>
> after (deny one ip):
> 10.1.2.1 - - [06/Oct/2017:08:37:32 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
> - 10.1.2.1 - - [06/Oct/2017:08:37:32 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
> 10.1.2.2 - - [06/Oct/2017:08:37:33 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
> - 10.1.2.2 - - [06/Oct/2017:08:37:33 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
> 10.1.2.1 - - [06/Oct/2017:08:37:37 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
> - 10.1.2.1 - - [06/Oct/2017:08:37:37 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
>
> if I delete %h in the proxy definition I get:
> 10.1.2.2 - - [06/Oct/2017:08:45:23 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
> - - - [06/Oct/2017:08:45:23 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
> 10.1.2.1 - - [06/Oct/2017:08:45:27 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
> - - - [06/Oct/2017:08:45:27 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
> 10.1.2.22 - - [06/Oct/2017:08:45:28 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
> - - - [06/Oct/2017:08:45:28 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
>
> (one time the request ist logged with the ip and ontime without...:-(  )

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Aw: Re: [users@httpd] X-Forward-For in ssl_access_log / apache behind WAF

Posted by Morel Mosolff <ma...@gmx.de>.

Hi Yann
unfortunately that makes no difference.

It don't works even if I only try to block one ip-address like this: SetEnvIf Remote_Addr "1\.2\.3\.1" wav
but the output is slighly different (see below)

        LogFormat "%l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
        LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
        SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
        CustomLog "logs/ssl_access_log" combined env=!forwarded
        CustomLog "logs/ssl_access_log" proxy env=forwarded
        SetEnvIf Remote_Addr "1\.2\.3\.1" wav
        CustomLog "logs/ssl_access_log" proxy env=!waf

before (deny two ip's):
10.1.2.1 - - [06/Oct/2017:08:37:12 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
10.1.2.2 - - [06/Oct/2017:08:37:13 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
10.1.2.1 - - [06/Oct/2017:08:37:17 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
10.1.2.2 - - [06/Oct/2017:08:37:18 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
10.1.2.1 - - [06/Oct/2017:08:37:22 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
10.1.2.2 - - [06/Oct/2017:08:37:23 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"


after (deny one ip):
10.1.2.1 - - [06/Oct/2017:08:37:32 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
- 10.1.2.1 - - [06/Oct/2017:08:37:32 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
10.1.2.2 - - [06/Oct/2017:08:37:33 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
- 10.1.2.2 - - [06/Oct/2017:08:37:33 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
10.1.2.1 - - [06/Oct/2017:08:37:37 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
- 10.1.2.1 - - [06/Oct/2017:08:37:37 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"

if I delete %h in the proxy definition I get:
10.1.2.2 - - [06/Oct/2017:08:45:23 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
- - - [06/Oct/2017:08:45:23 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
10.1.2.1 - - [06/Oct/2017:08:45:27 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
- - - [06/Oct/2017:08:45:27 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
10.1.2.22 - - [06/Oct/2017:08:45:28 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
- - - [06/Oct/2017:08:45:28 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"

(one time the request ist logged with the ip and ontime without...:-(  )

best
m

> Gesendet: Donnerstag, 05. Oktober 2017 um 17:16 Uhr
> Von: "Yann Ylavic" <yl...@gmail.com>
> An: users@httpd.apache.org
> Betreff: Re: [users@httpd] X-Forward-For in ssl_access_log / apache behind WAF
>
> Hi,
> 
> On Thu, Oct 5, 2017 at 11:11 AM, Morel Mosolff <ma...@gmx.de> wrote:
> >
> >         #part 2:
> >         SetEnvIf Remote_addr  ("1\.2\.3\.1"|"1\.2\.2\.2") waf
> >         CustomLog "logs/ssl_access_log" proxy env=!waf
> 
> Did you try without the quotes, for instance:
>    SetEnvIf Remote_addr ^(1\.2\.3\.1|1\.2\.2\.2)$ waf
> ?
> 
> Regards,
> Yann.
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] X-Forward-For in ssl_access_log / apache behind WAF

Posted by Yann Ylavic <yl...@gmail.com>.

Hi,

On Thu, Oct 5, 2017 at 11:11 AM, Morel Mosolff <ma...@gmx.de> wrote:
>
>         #part 2:
>         SetEnvIf Remote_addr  ("1\.2\.3\.1"|"1\.2\.2\.2") waf
>         CustomLog "logs/ssl_access_log" proxy env=!waf

Did you try without the quotes, for instance:
   SetEnvIf Remote_addr ^(1\.2\.3\.1|1\.2\.2\.2)$ waf
?

Regards,
Yann.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org