  1. Grouper
  2. GRP-5114

apache config needs to log client ip address if using reverse proxy with remote header

Details

    • Improvement
    • Resolution: Fixed
    • Minor
    • 4.9.0, 5.6.0
    • None
    • None
    • None

    Description

      Jeffrey Crawford
      9 hours ago
      Good morning,
      I just noticed that our logs are only reporting what appear to be local IP addresses from the LB in AWS. We do have:
      GROUPER_APACHE_REMOTE_IP_HEADER=X-Forwarded-For
      set but we continue to get IPs from 192.168.x.x addresses.
      We have the ALBs set to the default settings, which, from my understanding, should automatically support X-Forwarded-For.

      Chris Hyzer
      9 hours ago
      which logs? can you show a sanitized example?

      David Gelhar
      9 hours ago
      Did you also set GROUPER_APACHE_REMOTE_IP_TRUSTED_PROXY?

      Jeffrey Crawford
      9 hours ago
      grouper log says:
      httpd;access_log;dev;nothing;192.168.1.189 - - [03/Nov/2023:10:29:59 -0700] "POST /grouper-ws/services/GrouperService_v2_1 HTTP/1.1" 200 2139 "" "JAX-WS RI 2.1.3-b02"
      ALB log says:
      https 2023-11-03T17:29:59.562226Z app/grouper-qa-ecs-demo-ws-lb/4c90d799b43b9d3a 149.142.225.134:50267 192.168.3.39:443 0.003 0.365 0.000 200 200 1337 2884 "POST https://grouperwsa.61097768.dev.r53.aws.it.ucla.edu:443/grouper-ws/services/GrouperService_v2_1 HTTP/1.1" "JAX-WS RI 2.1.3-b02-" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-west-2:580792180494:targetgroup/groupe-ECSWs-QHOUN6PSPNIJ/069dde7cdf08403b "Root=1-65452e17-79b9e86d60f5e3a24af01171" "grouperwsa.61097768.dev.r53.aws.it.ucla.edu" "session-reused" 0 2023-11-03T17:29:59.193000Z "forward" "" "" "192.168.3.39:443" "200" "" ""

      Jeffrey Crawford
      9 hours ago
      @David Gelhar
      I did not set that. Is it required?

      David Gelhar
      9 hours ago
      Yes, you need to tell apache what your trusted gateways are, otherwise it will not believe the X-Forwarded-For header
      https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html

      Jeffrey Crawford
      8 hours ago
      Still isn’t working. Also I don’t think it’s required per the documentation but maybe still a good idea:
      subject to further configuration of the RemoteIPInternalProxy and RemoteIPTrustedProxy directives. Unless these other directives are used, mod_remoteip will trust all hosts presenting a RemoteIPHeader IP value.

      David Gelhar
      8 hours ago
      hmm, you're right, that sounds like it isn't required.

      Jeffrey Crawford
      8 hours ago
      I do see the following in the www-grouper.conf file:

      RemoteIPHeader X-Forwarded-For

      RemoteIPTrustedProxy 192.168.0.0/21
      I’m having trouble proving that the ALB is actually populating that value, per config it should be.

      Jeffrey Crawford
      7 hours ago
      FWIW the ALB logs are showing the original IP, not sure if that translates to X-Forwarded-For being populated.

      Jeffrey Crawford
      2 hours ago
      Okay, this looks like a config problem with the /etc/httpd/conf.d/09_i2inc_logging.conf file. The log format should switch from %h to %a, the latter of which specifically mentions logging the “client” IP address
      https://httpd.apache.org/docs/2.4/mod/mod_log_config.html (edited)
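
The change the thread arrives at, as an added example (not taken from the thread or from the contents of 09_i2inc_logging.conf; the format nickname and log path are made up). Per the mod_log_config documentation, %a is the client IP address of the request, which mod_remoteip sets from the header, and %{c}a is the underlying peer IP address of the connection, so logging both keeps the load balancer hop visible:

```apache
# Constructed example. The RemoteIP* values are the ones quoted in the thread;
# the LogFormat nickname and CustomLog path are illustrative.

# mod_remoteip: accept X-Forwarded-For only when the TCP peer is inside the
# load balancer's address range.
RemoteIPHeader X-Forwarded-For
# RemoteIPTrustedProxy does not accept private-range addresses reported in the
# header as the client address; RemoteIPInternalProxy is the directive that
# does, for proxies fronting internal clients.
RemoteIPTrustedProxy 192.168.0.0/21

# Before: the first field was %h, which in the thread's deployment logged the
# ALB's 192.168.x.x address.
# LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" example_access

# After:
#   %a     client IP address of the request (set by mod_remoteip)
#   %{c}a  underlying peer IP address of the connection (the ALB)
LogFormat "%a %{c}a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" example_access

CustomLog logs/access_log example_access
```

Keeping RemoteIPTrustedProxy limited to the load balancer's subnets matters for log integrity: as the documentation quoted in the thread says, without RemoteIPInternalProxy or RemoteIPTrustedProxy, mod_remoteip trusts any host presenting the header.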

          People

            chris.hyzer@at.internet2.edu Chris Hyzer (upenn.edu)