-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Mike,
On 10/2/14 12:04 PM, Mike Rumph wrote:
> Since you are running 2.4.10, you have the latest mod_remoteip
> fixes. But I think the problem is in the directives that you are
> using:
>
> RemoteIPHeader X-Forwarded-For #RemoteIPTrustedProxy 10.0.0.0/8
>
>
> If you only use the RemoteIPHeader directive, then the default is
> to treat all proxies as external trusted proxies.
Correct. I'm okay with that for the moment. Uncommenting the second
directive didn't change anything.
> Having RemoteIPTrustedProxy set for all your proxies would have the
> same effect.
That's what I'll eventually end up with.
> I assume by your 10.0.0.0/8 mask that this matches your proxy
> addresses. But 10.0.0.0/8 is a mask for internal IP addresses. So
> your proxies will not be accepted as external proxies. And your
> true client ip address will not be used.
Hmm. Maybe I have things mixed up in my head, then.
The AWS ELB will have an address 10.something and so will my actual
server running httpd.
> Try the following directives instead:
>
> RemoteIPHeader X-Forwarded-For RemoteIPInternalProxy 10.0.0.0/8
>
> Let us know if this works for you.
I'll try that. With my above configuration, I got a line in my (your)
access log that looks like this:
10.32.219.77 71.178.180.80 10.32.219.77 xf="-" - -
[02/Oct/2014:16:33:39 +0000] "GET" "GET /tools/info.php HTTP/1.1&" "&"
200 74249 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0)
Gecko/20100101 Firefox/32.0" pid=25180 tid=2846788416 time_ms=10079
The log format for that is:
"%h %a %{c}a xf=\"%{X-Forwarded-For}i\" %l %u %t \"%m\" \"%r&\"
\"%q&\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" pid=%{pid}P
tid=%{tid}P time_ms=%D"
I'll change the RemoteIPTrustedProxy to RemoteIPInternalProxy and
enable it and see what happens.
I think I may have been confused by the fact that the X-Forwarded-For
header was being removed... I assumed that meant that mod_remoteip was
trusting the IP address and actually using it.
Thanks,
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJULX8/AAoJEBzwKT+lPKRYodwQALnN6a4eateTmFMUh5pBFFjy
IcgaNzLEVy8hbXZbitiSq5Hr1B/lQDDf5IYE80smW2njk9Y5nzFfifJ/c3Bv979b
67rkEg5EznreaKLKGQhGuLlY2jBtoNUGiiuPyBnbPF9ML+6C02Md7VKCxEcGcjLm
9l7yCy1e0QPd4g9wdyuFFfaSt7P83VLw8/D/GqJNlt2AbSD2iusTmZ+zGe8GCA8x
q/wFGm+/fGWhrD46oZCYUMUVpcqsSbu/ybaUZqXRmOYWsdH+NT5gK0RxwG+plUuF
Qy2kc6Ld0Pka79+lh4wrUhNYXgadw82tis+Q7A+zm2/wsqjyzb224XSdC1Aubcd8
U+ERcUn7ynI1lflOQyMvmIR0f+492Okgu/Teek4HeUz4pFQE6ftJ4Hiffhkhlv4A
ld/Uq6u9IDpp/BuEs5I73Z5XtY0Dw4kiA41jihKFoo8ap2FHfRJAHVsMobdwpSS5
xwU3Pd4ETCU8dM0tr6QwT0rsi0ugXIEwzB8U4wKszUEv6TDPhnbuudl6OIIFpfi3
2E6dZGXTIDrzbji3bECF/KKu/BgzFRrnkuyOmUAV2j+lMxPPHzRL9kk5QDTrTa/+
NKcPugDB8MG4DM0+boeMZijQ3rLQxYTdA7nmn1cezJ9bOnkKinlfBCiWOZIuXLSq
r64y5KxPAkBGsXXjmOxQ
=eLSS
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|