IP logging on BackEnd servers;
Adam Lis <adam.lis(at)gmail.com> |
2007-01-19 23:09:33 |
|
Hi!
It's my first time posting to Pound user's group - as far as I remember.
I've read the thread regarding passing extra headers to backend servers:
http://www.apsis.ch/pound/pound_list/archive/2005/2005-01/1106310302000
<cite>
we get around this problem by letting pound inject an additional custom
header. just add a line to http.c such as:
/* put additional client IP header */
BIO_printf(be, "X-Forwarded-For: %s\r\n", inet_ntoa(from_host));
+ BIO_printf(be, "REAL_REMOTE_ADDR: %s\r\n", inet_ntoa(from_host));
[...]
</cite>
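Review bot: on the added BIO_printf line, the quoted lines write the new REAL_REMOTE_ADDR header but show nothing that drops a header of the same name arriving from the client, so a backend can only trust it if the proxy removes incoming copies first; the same holds for the X-Forwarded-For line above it. Consider a hyphenated name instead (for example X-Real-Remote-Addr), because CGI-style environments such as PHP's $_SERVER map hyphens and underscores to the same HTTP_REAL_REMOTE_ADDR key. Note also that inet_ntoa(from_host) covers IPv4 addresses only.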
I have a piece of software - designed in PHP - for which I do not have
modify rights. It may sound silly, but I see sources and can't modify.
Software makes its own statistics per host. It is a complicated issue
which deals with legal regulations - this software MUST log requests.
I'd like to use Pound to manage virtual hosts - direct some requests to
Apache which carries this software and some other requests to other
web servers running locally. Also to add SSL to some virtual hosts (even
if certificate checks fails). Also to deal with 'emergency backend'.
The easiest option: I'd need to modify Pound source as shown above and
add some extra headers - e.g. my_extra_header. Then I would need to
modify my software source (for which I have no rights to modify) and
copy my extra header to $_SERVER['remote_addr']. It's the easiest
because I wouldn't need to deep modify source - just need to add one
line on the top of the source.
My question is: does anyone use something like that? Any problems?
Assuming that PHP application calls $_SERVER['remote_addr'] only in
order to prepare database log entry: would it be safe to change this
$_SERVER entry? Maybe PHP uses this value for itself?
Adding personal headers was placed at wishlist in 2005. Is there
already support in current (2.2.x) version or I still would need
to modify source?
Thanks
AdamLis;
|
|
|
Re: [Pound Mailing List] IP logging on BackEnd servers;
Sean Gabriel Heacock <gabriel(at)korsoft.com> |
2007-01-20 01:13:38 |
|
Adam, would this apache module help you?
http://stderr.net/apache/rpaf/
With that your $_SERVER['REMOTE_ADDR'] will have the same address as
X-Forwarded-For, instead of the Pound IP.
|
|
|
Re: [Pound Mailing List] IP logging on BackEnd servers;
Adam Lis <adam.lis(at)gmail.com> |
2007-01-24 19:06:59 |
|
Sean Gabriel Heacock wrote:
> Adam, would this apache module help you?
>
> http://stderr.net/apache/rpaf/
>
> With that your $_SERVER['REMOTE_ADDR'] will have the same address as
> X-Forwarded-For, instead of the Pound IP.
>
>
Hi!
mod_rpaf works fine! Thanks for advice!
AdamLis;
|
|
|
Re: [Pound Mailing List] IP logging on BackEnd servers;
"Adam Lis" <adam.lis(at)gmail.com> |
2007-01-26 12:22:13 |
|
07-01-24, Adam Lis <adam.lis(at)gmail.com> wrote:
> Sean Gabriel Heacock wrote:
> > Adam, would this apache module help you?
> >
> > http://stderr.net/apache/rpaf/
> >
> > With that your $_SERVER['REMOTE_ADDR'] will have the same address as
> > X-Forwarded-For, instead of the Pound IP.
> >
> >
>
> Hi!
>
> mod_rpaf works fine! Thanks for advice!
>
>
Well, in fact there is a problem. I load some Apache modules - I guess
in alphabetical order. Among the modules, two are interesting:

    authz_host.load
    rpaf.load

Fragment of my virtualhost configuration file:

    <IfModule mod_rpaf.c>
        RPAFenable On
        RPAFsethostname On
        RPAFproxy_ips 127.0.0.1
    </IfModule>

    <Directory /srv/www/somewhere/>
        Options FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from some.net/24
    </Directory>

Directive "allow" doesn't work since the request address is 127.0.0.1
TIA
AdamLis
|
|
|
Re: [Pound Mailing List] IP logging on BackEnd servers;
Adam Lis <adam.lis(at)gmail.com> |
2007-01-28 02:24:13 |
|
Adam Lis wrote:
> Well, in fact there is a problem. I load some Apache modules - I guess
> in alphabetical order. Among the modules, two are interesting:
>
>     authz_host.load
>     rpaf.load
>
> Fragment of my virtualhost configuration file:
>
>     <IfModule mod_rpaf.c>
>         RPAFenable On
>         RPAFsethostname On
>         RPAFproxy_ips 127.0.0.1
>     </IfModule>
>
>     <Directory /srv/www/somewhere/>
>         Options FollowSymLinks MultiViews
>         AllowOverride None
>         Order allow,deny
>         allow from some.net/24
>     </Directory>
>
> Directive "allow" doesn't work since the request address is 127.0.0.1
Hi!
I have made some investigation. No one seems to report a similar problem.
Documentation for mod_rpaf says that the change is visible to other modules.
There is a possible workaround using mod_setenvif. The directive below:

    Order allow,deny
    allow from 83.14.0.0/24

doesn't work with rpaf, but it can be easily changed to:

    SetEnvIf Remote_Addr "^83\.14\." GrantAccessModified
    Order allow,deny
    allow from env=GrantAccessModified

which seems to work fine. Should I report a problem with mod_authz_host?
Regards;
AdamLis;
|
|
|
|
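An added example (not from the thread and not mod_rpaf's own code): a Python sketch of the trust decision a module like mod_rpaf has to make before access rules run, followed by the two rule styles from the last message evaluated side by side. The function names and sample requests are constructed, and taking the rightmost X-Forwarded-For entry is an assumption of this sketch; the proxy address, the 83.14.0.0/24 range and the regular expression are the ones quoted above.

```python
import ipaddress
import re

TRUSTED_PROXIES = {ipaddress.ip_address("127.0.0.1")}  # RPAFproxy_ips in the thread
ALLOWED_NET = ipaddress.ip_network("83.14.0.0/24")      # "allow from 83.14.0.0/24"
SETENVIF_RE = re.compile(r"^83\.14\.")                  # SetEnvIf Remote_Addr pattern


def effective_client(peer, xff):
    """Return the address that access rules should be evaluated against.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy.
    The rightmost entry is used (assumption: that is the one the proxy added).
    """
    peer_ip = ipaddress.ip_address(peer)
    if peer_ip not in TRUSTED_PROXIES or not xff:
        return peer_ip
    last = xff.split(",")[-1].strip()
    try:
        return ipaddress.ip_address(last)
    except ValueError:
        return peer_ip  # malformed header: fall back to the socket address


def decide(peer, xff=None):
    """Evaluate both rule styles from the thread for one request."""
    client = effective_client(peer, xff)
    return {
        "client": str(client),
        "cidr_allow": client in ALLOWED_NET,
        "regex_allow": bool(SETENVIF_RE.search(str(client))),
    }


# Constructed sample requests: (TCP peer, X-Forwarded-For header or None)
SAMPLES = [
    ("127.0.0.1", "83.14.0.25"),                # via proxy, inside the /24
    ("127.0.0.1", "83.14.200.9"),               # via proxy, outside the /24
    ("127.0.0.1", "83.14.0.25, 198.51.100.7"),  # client-sent entry plus proxy's
    ("198.51.100.7", "83.14.0.25"),             # direct peer with its own header
]

if __name__ == "__main__":
    for peer, xff in SAMPLES:
        print(peer, "|", xff, "->", decide(peer, xff))
```

The second sample is allowed by the `^83\.14\.` pattern but not by 83.14.0.0/24: the prefix match covers every 83.14.x.x address, a wider range than the CIDR rule it replaced.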