Mailing List Archive

Sending client's IP address to local proxied application server.
Hi all,

I've got an application server, written in Perl Dancer2, that needs to get
access to the client's actual IP address. But instead, it's getting the IP
address of the apache server.
Both the Apache and application server are running on the same hardware.

Here is how I have the vhost defined: (sanitized)

<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/ssl/www.example.com/WWW.EXAMPLE.COM.crt
SSLCertificateKeyFile /etc/ssl/www.example.com/server.key
SSLCertificateChainFile /etc/ssl/www.example.com/OV_NetworkSolutionsOVServerCA2.crt

ServerAdmin webmaster@localhost
ServerName example.com
ServerAlias www.example.com *.example.com
DocumentRoot /web/hw/
DirectoryIndex index.cfm
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

<Location "/apps/">
ProxyPass "http://127.0.0.1:8080/apps/"
</Location>

</VirtualHost>

I have mod_remoteip installed and configured:

root@example.com:/etc/apache2# cat conf-enabled/remoteip.conf

RemoteIPHeader X-Forwarded-For
RemoteIPTrustedProxy 127.0.0.1 198.101.193.34

But when I access a URL that runs on the app server, the app server gets
127.0.0.1 as the client's address.

Looking at the HTTP headers doesn't yield the correct results, either:


accept -> text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
accept-encoding -> gzip, deflate, br
accept-language -> en-US,en;q=0.5
connection -> Keep-Alive
host -> 127.0.0.1:8080
upgrade-insecure-requests -> 1
user-agent -> Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:81.0) Gecko/20100101 Firefox/81.0
x-forwarded-for -> 198.101.193.34
x-forwarded-host -> www.example.com
x-forwarded-server -> example.com


The value of the x-forwarded-for header is the outside interface on the
Apache server, NOT the client's address.

What have I done wrong?

Thanks in advance,

Mike.
Re: Sending client's IP address to local proxied application server.
> root@example.com:/etc/apache2# cat conf-enabled/remoteip.conf
>
> RemoteIPHeader X-Forwarded-For
> RemoteIPTrustedProxy 127.0.0.1 198.101.193.34

I think these need to be
https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html#remoteipinternalproxy

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: Sending client's IP address to local proxied application server.
Well, I changed my remoteip.conf file to contain:

RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 127.0.0.1 198.101.193.34

But that didn't change anything.

Any other ideas?

Mike.

On Fri, Oct 16, 2020 at 2:23 PM Eric Covener <covener@gmail.com> wrote:

> > root@example.com:/etc/apache2# cat conf-enabled/remoteip.conf
> >
> > RemoteIPHeader X-Forwarded-For
> > RemoteIPTrustedProxy 127.0.0.1 198.101.193.34
>
> I think these need to be
>
> https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html#remoteipinternalproxy
RE: Sending client's IP address to local proxied application server.
ProxyPreserveHost On (it is set off by default) will preserve the incoming Host header. For IP, you could use a custom header using %{REMOTE_ADDR} as the value.

Best Regards,

Rob DICKEY

Americas R&D Technical Customer Support Senior Manager

From: Mike Diehl <mdiehlenator@gmail.com>
Sent: Friday, October 16, 2020 11:35 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Sending client's IP address to local proxied application server.

Well, I changed my remoteip.conf file to contain:

RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 127.0.0.1 198.101.193.34

But that didn't change anything.

Any other ideas?

Mike.
Re: Sending client's IP address to local proxied application server.
Well, I added this to the vhost definition:

ProxyPreserveHost On
RemoteIPHeader X-Forwarded-For



Now I'm getting the web server's outside IP address as the value of the
x-forwarded-for header. This is progress, but not quite what I need. I
need the original client's IP address before the request gets proxied to my
application server.

Any other ideas?

Thanks in advance,

Mike.


On Fri, Oct 16, 2020 at 3:21 PM DICKEY Rob <Rob.DICKEY@3ds.com> wrote:

> ProxyPreserveHost On (it is set off by default) will preserve incoming
> Host header. For IP, you could use a custom header using %{REMOTE_ADDR} as
> the value.
Re: Sending client's IP address to local proxied application server.
On Fri, Oct 30, 2020 at 9:04 PM Mike Diehl <mdiehlenator@gmail.com> wrote:
>
> Well, I added this to the vhost definition:
>
> ProxyPreserveHost On
> RemoteIPHeader X-Forwarded-For
>
> Now I'm getting the web server's outside IP address as the value of the x-forwarded-for header. This is progress, but not quite what I need. I need the original client's IP address before the request gets proxied to my application server.
>
> Any other ideas?

You need to tell the proxy itself to add the X-Forwarded-* headers,
using ProxyAddHeaders ([1]).
So your <Location> section could be something like:

<Location "/apps/">
ProxyPass "http://127.0.0.1:8080/apps/"
ProxyAddHeaders on
</Location>

Regards;
Yann.

[1] https://httpd.apache.org/docs/2.4/en/mod/mod_proxy.html#proxyaddheaders
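
Added example (not part of the thread, and not code from Apache httpd or Dancer2): once the proxy sends X-Forwarded-For, the application behind it still has to decide when to believe that header, since any client can send one too. The Python below shows one way to make that decision; `client_ip` and `TRUSTED_PROXIES` are hypothetical names, the trusted list is assumed to be the two addresses from the thread's remoteip.conf, and the client addresses in the test inputs are constructed.

```python
import ipaddress

# Assumption: only the two addresses from the thread's remoteip.conf are
# proxies allowed to vouch for a client address.
TRUSTED_PROXIES = [
    ipaddress.ip_network(n) for n in ("127.0.0.1/32", "198.101.193.34/32")
]


def _is_trusted(addr):
    """True if addr belongs to one of the trusted proxy networks."""
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_header):
    """Return the address to treat as the client for one request.

    peer_addr  -- source address of the TCP connection to the app server
    xff_header -- raw X-Forwarded-For value, or None if the header is absent
    """
    peer = ipaddress.ip_address(peer_addr)
    # A peer that is not a known proxy cannot vouch for anyone else,
    # so its X-Forwarded-For header is ignored entirely.
    if not _is_trusted(peer) or not xff_header:
        return str(peer)
    candidate = peer
    # Each proxy appends the address it saw, so entries further to the
    # right were written closer to this server. Walk right to left.
    for token in reversed([t.strip() for t in xff_header.split(",")]):
        try:
            hop = ipaddress.ip_address(token)
        except ValueError:
            break  # malformed entry: keep the last address that parsed
        candidate = hop
        if not _is_trusted(hop):
            break  # first hop not vouched for by a trusted proxy
    return str(candidate)
```

Entries to the left of the first untrusted address are never consulted, so a value the client placed in the header before Apache appended to it does not change the result.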