IP logging on BackEnd Server while using pound
Lars Schenk <info(at)lars-schenk.de>
2005-01-21 13:25:02
I'm new to Pound and evaluating it in order to switch from a single www-server
design to the pound approach.

I wonder how to solve the issue that the logfiles on the backend-server see
only the IP of the Pound-Server.

My thought is to use the BackEnd Servers for logging while turning off logging
on the Pound-Server.
This seems to be a good idea because it helps to keep the bottleneck
(Pound-Server) cool.

My problem is that this will take away the original IP numbers from the
requests that were "forwarded" to the Back-End-Servers.

Any idea on this topic?
[...]

Re: IP logging on BackEnd Server while using pound
Lorenzo Grio <grio(at)katamail.com>
2005-01-21 14:18:56
If you are using apache as web server, simply add this field to the log
format:
\"%{X-Forwarded-for}i\"
Then you can adjust log files with a tool such as "awk".

Bye
Lorenzo Grio

Re: IP logging on BackEnd Server while using pound
Michal <michalg(at)gmail.com>
2005-01-21 17:53:30
On Fri, 21 Jan 2005 14:18:56 +0100, Lorenzo Grio <grio(at)katamail.com>
wrote:[...]

This is what I am doing as well. In doing this, I learned something
along the way that I'd like to share. (But do correct me if I'm
wrong.)

The X-Forwarded-for field is not guaranteed to be the address of the
host connecting to Pound. Ultimately, X-Forwarded-for's value is just
a text string which *by convention* is an IP address -- but nothing's
stopping someone from sending an HTTP request with gibberish in the
X-Forwarded-for field. Pound complies with the conventions and adds
the field if it doesn't exist, or augments its value if it exists in
the original request. For example:

  % telnet mywebserver.com 80
  Trying 1.2.3.4...
  Connected to mywebserver.com.
  Escape character is '^]'.
  GET /robots.txt HTTP/1.1
  Host: mywebserver.com
  X-Forwarded-for: foobar fnord haha
  
  HTTP/1.1 200 OK
  ...

The entry in my Apache generated access log reads:

  foobar fnord haha, 1.2.3.5 - - [21/Jan/2005:08:34:59 -0800] "GET /robots.txt HTTP/1.1" 200 1733

More to the point, in some situations (and I've seen this a number of
times since activating Pound ~1 month ago), it will be a
comma-separated list of IP addresses like "1.2.3.4, 4.5.6.7" which, by
convention, indicates that the request was routed through one or more
proxy servers which annotated the HTTP request.

Another gotcha of the X-Forwarded-for address is that, since it's a
field in the HTTP request, Apache doesn't recognize it as an IP address
(it's just a string) and thus doesn't resolve the address to a
hostname. So your logs will at best contain numeric addresses (unless
Apache has a hook that I'm not aware of.)

The awk script that Lorenzo suggests (I think) could be used for
post-processing that resolves the IP address to a hostname, if such is
your logging inclination.

But any post-processing script used should be conservative with what
it finds in the X-Forwarded-for field, and not break if it encounters
gibberish like "foobar fnord haha". I think using the rightmost IP
address in that field is a safe bet since that's what Pound adds.

I've also read about a "Via:" HTTP field that serves a similar
purpose, but I can't find a lot of information on it -- it's a tough
Google search term :)

-Michal
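
A conservative post-processor of the kind described above, as an added example that is not part of the original thread or of Pound: it parses the log layout Michal shows and accepts only the entry written by the trusted proxy, rejecting anything that is not a valid address. The names proxy_seen_address, parse_line and trusted_hops are hypothetical; trusted_hops generalizes "rightmost" to a chain of several proxies you operate yourself.

```python
import ipaddress
import re

# Log layout from the thread: the X-Forwarded-for value replaces %h and is
# unquoted, so it may itself contain spaces and commas.
LINE_RE = re.compile(
    r'^(?P<xff>.*) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)


def proxy_seen_address(xff, trusted_hops=1):
    """Return the address appended by the outermost trusted proxy, or None.

    trusted_hops (hypothetical parameter) is the number of proxies we run
    ourselves (1 = a single Pound). Only the last `trusted_hops` entries
    were written by our own machines; the rest is client-supplied text.
    """
    entries = [e.strip() for e in xff.split(",")]
    if trusted_hops < 1 or len(entries) < trusted_hops:
        return None
    candidate = entries[-trusted_hops]
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None  # gibberish where an address should be: do not guess


def parse_line(line, trusted_hops=1):
    """Split one access-log line; returns None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["client"] = proxy_seen_address(rec["xff"], trusted_hops)
    return rec


# Sample lines: the first is the entry quoted in the thread, the others
# are constructed for this example.
SAMPLE = [
    'foobar fnord haha, 1.2.3.5 - - [21/Jan/2005:08:34:59 -0800] "GET /robots.txt HTTP/1.1" 200 1733',
    '1.2.3.4, 4.5.6.7 - - [21/Jan/2005:08:35:10 -0800] "GET / HTTP/1.1" 200 512',
    'foobar fnord haha - - [21/Jan/2005:08:36:00 -0800] "GET / HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for raw in SAMPLE:
        rec = parse_line(raw)
        print(rec["client"], "<-", repr(rec["xff"]))
```

A None client marks a line whose trusted position did not hold an address; keep such lines for review rather than substituting another entry from the list.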

Re: IP logging on BackEnd Server while using pound
Sascha Ottolski <sascha.ottolski(at)gallileus.de>
2005-01-21 18:09:20
On Friday, 21 January 2005 17:53, Michal wrote:[...]

We get around this problem by letting pound inject an additional custom
header. Just add a line to http.c such as:

         /* put additional client IP header */
         BIO_printf(be, "X-Forwarded-For: %s\r\n", inet_ntoa(from_host));
+        BIO_printf(be, "REAL_REMOTE_ADDR: %s\r\n", inet_ntoa(from_host));
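
Review bot: the added REAL_REMOTE_ADDR line is emitted unconditionally, but nothing in the lines shown removes a header of the same name that arrived in the client's request, so the backend may receive two values and cannot tell which one Pound wrote. Strip any incoming REAL_REMOTE_ADDR before this BIO_printf (or cover it with a HeadRemove pattern in the config) so that the only copy reaching the backend is the one built from from_host.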

[...]

I would suggest doing the resolving as a postprocessing batch job, so as not
to slow apache down waiting on DNS queries. Apache comes with "logresolve" to
do this, and there are lots of similar tools around (we use
logresolvemerge.pl that comes with awstats).


Hope it helps,

Sascha

Re: IP logging on BackEnd Server while using pound
Hrvoje Husic <hhusic(at)gmail.com>
2005-01-22 05:46:07
> The X-Forwarded-for field is not guaranteed to be the address of the[...]

To make sure your headers contain the content you want, you can use:

HeadRemove "(X-Forwarded-For|X-SSL-Connect)"

If you do not need to check if the connection is SSL-encrypted, you
can omit the latter one.

This of course raises another problem in case you would need to analyze
the real X- Headers of the request.
[...]

Re: IP logging on BackEnd Server while using pound
FX <gentoo(at)sbcglobal.net>
2005-01-24 02:54:11
Sascha Ottolski wrote:
[...]
This is very nice!

It would be nice if this was added to official pound along with these 
options to control it:
1.   pound.cfg setting to specify whether to *append* or *replace* or
*do nothing* to existing values (if any) of this custom header
2.   pound.cfg setting to specify the custom header text for this, i.e.
'REAL_REMOTE_ADDR'

If you or I (or anyone else) implements these features, it would 
probably be simple enough to be distributed as a 'diff -ruN' patch.

Re: IP logging on BackEnd Server while using pound
Robert Segall <roseg(at)apsis.ch>
2005-01-24 19:12:53
On Monday 24 January 2005 02:54, FX wrote:[...]

This might be a slight misunderstanding of how the headers work. As a request 
comes in (with one or more X-Forwarded-for headers already in place) a new 
header is appended. This is the exact equivalent of appending to a 
comma-separated list of values - at least according to the RFCs. So, to take 
your three operations:

- append is exactly what happens
- do nothing is the same as append (the original headers are not changed), 
unless you mean Pound should not add its own headers. Not really nice and not 
conforming to normal practice.
- replace: put a HeaderRemove "X-Forwarded-for" in your config. The original
headers will be removed and Pound will append its own header. Possible, but
you lose some information.
[...]

Interesting idea, but is it worth the extra complication? I mean that as a 
real question, not a rejection.
[...]
[...]

Re: IP logging on BackEnd Server while using pound
FX <gentoo(at)sbcglobal.net>
2005-01-26 14:57:43
Robert Segall wrote:
[...][...]
>>>header. just add a line to http.c such as:
>>>
>>>        /* put additional client IP header */
>>>        BIO_printf(be, "X-Forwarded-For: %s\r\n",
inet_ntoa(from_host));
>>>+        BIO_printf(be, "REAL_REMOTE_ADDR: %s\r\n",
inet_ntoa(from_host));
>>>      
>>>[...][...][...][...]
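
Review bot: the header name in the added BIO_printf, REAL_REMOTE_ADDR, uses underscores, which makes it ambiguous for CGI-style backends: they expose request headers as HTTP_* variables by upper-casing the name and turning hyphens into underscores, so a client-sent Real-Remote-Addr header would land in the same HTTP_REAL_REMOTE_ADDR variable as this one. Prefer a hyphenated header name here and make sure every spelling that maps to the same variable is removed from the incoming request before the line is written.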

The ability to specify the custom header text would be beneficial and
worth the effort.  For example, when chaining traffic thru multiple 
pound servers:

Hosted www server (pound) => gateway/router (pound) => private lan 
server (pound optional)

Using pound.cfg, we can identify each pound server which guarantees that 
the value contains only the remote ip directly accessing that pound server:
"Pounded-by-www-for:"
"Pounded-by-gateway-for:"
"Pounded-by-...-for:"

And X-Forwarded-for can be left alone so we can track the sequence.  And 
if people want a single 'Pounded-for' list, they can specify the same 
value in each pound.cfg.

Re: IP logging on BackEnd Server while using pound
Robert Segall <roseg(at)apsis.ch>
2005-01-27 19:04:28
On Wednesday 26 January 2005 14:57, FX wrote:[...]

OK, it goes on the wish list.[...]