Description
Jeffrey Crawford
9 hours ago
Good morning,
I just noticed that our logs are only reporting what appear to be local IP addresses from the LB in AWS. We do have:
GROUPER_APACHE_REMOTE_IP_HEADER=X-Forwarded-For
set, but we continue to get IPs from 192.168.x.x addresses.
We have the ALBs set to the default settings which, from my understanding, should automatically support X-Forwarded-For.
Chris Hyzer
9 hours ago
Which logs? Can you show a sanitized example?
David Gelhar
9 hours ago
Did you also set GROUPER_APACHE_REMOTE_IP_TRUSTED_PROXY?
Jeffrey Crawford
9 hours ago
Grouper log says:
httpd;access_log;dev;nothing;192.168.1.189 - - [03/Nov/2023:10:29:59 -0700] "POST /grouper-ws/services/GrouperService_v2_1 HTTP/1.1" 200 2139 "" "JAX-WS RI 2.1.3-b02"
ALB log says:
https 2023-11-03T17:29:59.562226Z app/grouper-qa-ecs-demo-ws-lb/4c90d799b43b9d3a 149.142.225.134:50267 192.168.3.39:443 0.003 0.365 0.000 200 200 1337 2884 "POST https://grouperwsa.61097768.dev.r53.aws.it.ucla.edu:443/grouper-ws/services/GrouperService_v2_1 HTTP/1.1" "JAX-WS RI 2.1.3-b02-" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-west-2:580792180494:targetgroup/groupe-ECSWs-QHOUN6PSPNIJ/069dde7cdf08403b "Root=1-65452e17-79b9e86d60f5e3a24af01171" "grouperwsa.61097768.dev.r53.aws.it.ucla.edu" "session-reused" 0 2023-11-03T17:29:59.193000Z "forward" "" "" "192.168.3.39:443" "200" "" ""
Jeffrey Crawford
9 hours ago
@David Gelhar
I did not set that. Is it required?
David Gelhar
9 hours ago
Yes, you need to tell Apache what your trusted gateways are; otherwise it will not believe the X-Forwarded-For header.
https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html
Jeffrey Crawford
8 hours ago
Still isn’t working. Also, I don’t think it’s required per the documentation, but maybe still a good idea:
subject to further configuration of the RemoteIPInternalProxy and RemoteIPTrustedProxy directives. Unless these other directives are used, mod_remoteip will trust all hosts presenting a RemoteIPHeader IP value.
David Gelhar
8 hours ago
Hmm, you're right, that sounds like it isn't required.
Jeffrey Crawford
8 hours ago
I do see the following in the www-grouper.conf file:
RemoteIPHeader X-Forwarded-For
RemoteIPTrustedProxy 192.168.0.0/21
I’m having trouble proving that the ALB is actually populating that value, per config it should be.
Jeffrey Crawford
7 hours ago
FWIW, the ALB logs are showing the original IP; not sure if that translates to X-Forwarded-For being populated.
Jeffrey Crawford
2 hours ago
Okay, this looks like a config problem with the /etc/httpd/conf.d/09_i2inc_logging.conf file. The log format should switch from %h to %a, the latter of which specifically mentions logging the “client” IP address.
https://httpd.apache.org/docs/2.4/mod/mod_log_config.html