X-Forward-For in ssl_access_log / apache behind WAF

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hello together
I'm a little bit confused about manipulation ssl_access_log to get the X-Forward-For IP but not the "WAF/Proxy" IP.
(sorry for that long text...)

# Settings:
rhel 7.3
apache 2.4.6 
Redirect: apache redirect (nearly) everthing to https

- Apache is behind a Web Application Firewall (WAF). The WAF acts like a reverse proxy I think.
- the WAF do only https but let pass through X-Forward-For information
- The WAF (or some server via the WAF) do health checks and I don't whant to log them.
- The Health checks "source" IP's are WAF IPs (maybe a Cluster):
  WAF-IP1:  1.2.3.1
  WAF-IP2:  1.2.3.2 

# apache ssl.conf:

<VirtualHost _default_:443>
...
LogLevel info ssl:warn

        #part 1:
        LogFormat "%l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
        LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
        SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
        CustomLog "logs/ssl_access_log" combined env=!forwarded
        CustomLog "logs/ssl_access_log" proxy env=forwarded

        #part 2:
        SetEnvIf Remote_addr  ("1\.2\.3\.1"|"1\.2\.2\.2") waf
        CustomLog "logs/ssl_access_log" proxy env=!waf
...
</VirtualHost>


# ssl_acces_log:
-> part 1. is ok (your see the X-Forward-IP and WAF IP)
78.51.212.20 1.2.3.1 - - [05/Oct/2017:10:58:05 +0200] "GET /asdf/authorize?response_type=code&dddcasdf1&scope=oertz&redirect_uri=https://www.somethere.de/customers/83483227272 HTTP/1.1" 200 1576 "https://www.somethere.de/"; "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"

-> part 2. is not ok. I can't stop the logging of health checks coming from 1.2.3.1/1.2.3.2. Allthough they are logged twice.
1.2.3.1 - - [05/Oct/2017:10:58:07 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
- 1.2.3.1 - - [05/Oct/2017:10:58:07 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
1.2.3.2 - - [05/Oct/2017:10:58:08 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
- 1.2.3.2 - - [05/Oct/2017:10:58:08 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
1.2.3.1 - - [05/Oct/2017:10:58:12 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
- 1.2.3.1 - - [05/Oct/2017:10:58:12 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
1.2.3.2 - - [05/Oct/2017:10:58:13 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
- 1.2.3.2 - - [05/Oct/2017:10:58:13 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"

Hopfully sombody can see the problem / find a solution

many thanks
marc




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux