Gustaf Neumann of xotcl writes:
We are starting to use oacs with a reverse proxy, pound (http://www.apsis.ch/pound/), to distribute our server load. As a consequence, the aolserver always writes the address of the proxy, and not the address of the client, into its access log file.
The reverse proxy adds an additional header field,
called
X-Forwarded-For, which can be used to determine
the client on the back end.
Below is a simple and trivial change to nslog.c which checks for the existence of this tag and writes its value (if given) instead of the peer IP address (of the proxy) into the log file. I am pretty sure that it does not hurt anybody and I think this is a useful feature when load balancers etc. are used. Maybe this small change can find through you the way into the source tree.
==========================================================================
--- nslog.c~ 2003-01-31 13:50:07.000000000 +0100
+++ nslog.c 2003-07-11 17:51:41.000000000
+0200
@@ -257,7 +257,12 @@
* Append the peer address and auth user (if any).
*/
- Ns_DStringAppend(&ds, Ns_ConnPeer(conn));
+ if ((p = Ns_SetIGet(conn->headers,
"X-Forwarded-For"))) {
+ Ns_DStringAppend(&ds, p);
+ } else {
+ Ns_DStringAppend(&ds, Ns_ConnPeer(conn));
+ }
+
if (conn->authUser == NULL) {
Ns_DStringAppend(&ds, " - - ");
} else {
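Review bot: the header value is trusted unconditionally, so on a server that is not behind a proxy any client can write an arbitrary string into the access log's peer field simply by sending its own X-Forwarded-For; the `if ((p = Ns_SetIGet(conn->headers, "X-Forwarded-For")))` branch should only be taken when the feature is enabled by configuration and `Ns_ConnPeer(conn)` is a proxy the operator controls, and otherwise fall through to `Ns_DStringAppend(&ds, Ns_ConnPeer(conn));`. Two smaller points: the value is appended verbatim, and the header may carry a comma-separated chain ("client, proxy1") or stray whitespace, which corrupts the space-delimited log line that the following `" - - "` auth-user field relies on, so pick one element and reject anything that is not an address; and the hunk does not show where `p` is declared, so confirm it is a `char *` in scope at this point of the function.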
==========================================================================
Logged In: YES
user_id=95086
Included in the current CVS HEAD.
Closing this one now.
Logged In: YES
user_id=21885
What happens for all the folks who aren't running with a
reverse proxy and if a malicious user wants to hand-craft a
HTTP request with the X-Forwarded-For header supplying a
bogus IP address (like 0.0.0.0 or 127.0.0.1) or impersonate
some other IP address?
I don't immediately see any /security/ risks here but I'd be
concerned. Perhaps this is a feature that needs to be
enabled as a ns_param to the nslog module, so you'd only
enable it for servers that are behind a reverse proxy you
control.
Any thoughts?
-- Dossy
Logged In: YES
user_id=95086
Well, there is nothing wrong with making this configurable over the ns_param in the config file.
I'll add this in. Any ideas how to name the param?
Logged In: YES
user_id=21885
I'd name it "always_log_peer_ip" and it would default to true
(which is the current pre-patch behavior). Setting it to false
would use the X-Forwarded-For header, if it was set.
-- Dossy
Logged In: YES
user_id=440916
Zoran,
This patch doesn't really work correctly.
I haven't had time to look closely but it appears that the
forwarded for is being appended to the reverse proxy ip.
Of course I could have Squid setup wrong but my logs show
this:
192.168.1.12forwardedaddress........
Logged In: YES
user_id=4491
For one of my sites, I had my own patch to AOLserver 3.4.2's
nslog where I added an extra parameter,
ns/parameters/proxynetwork. This was usually set to 10.*,
the network where Pound requests come from in my setup, and
my nslog.c patch would match the peer address against the
proxynetwork parameter. It would only change the logged peer
address to X-Forwarded-For's value if there was a match.
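The two safeguards proposed in this thread, an "always_log_peer_ip"-style switch and a "proxynetwork" pattern that the connecting peer must match before X-Forwarded-For is believed, combined into one decision routine. This is an added example written for this page, not the nslog.c patch or either commenter's code; the function and parameter names are hypothetical, the sample addresses are constructed, and it assumes a single trusted proxy that appends the real client address as the last element of the header. It also rejects any header element that is not plain dotted-decimal IPv4, so a forged value cannot smuggle spaces or other separators into the log line.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: does the peer address match a "proxynetwork"
 * pattern such as "10.*" or "192.168.1.*"? Everything before the '*'
 * is a literal prefix; with no '*' the whole address must match. */
int peer_matches_proxynetwork(const char *peer, const char *pattern)
{
    const char *star;
    size_t n;

    if (peer == NULL || pattern == NULL) return 0;
    star = strchr(pattern, '*');
    n = star ? (size_t)(star - pattern) : strlen(pattern);
    if (strncmp(peer, pattern, n) != 0) return 0;
    return star ? 1 : peer[n] == '\0';
}

/* Accept only dotted-decimal IPv4 text (four octets, each 0..255) so a
 * client-supplied header cannot inject whitespace into the log field. */
static int is_plain_ipv4(const char *s, size_t len)
{
    unsigned octet = 0, octets = 0, digits = 0;
    size_t i;

    if (len == 0) return 0;
    for (i = 0; i < len; i++) {
        if (isdigit((unsigned char)s[i])) {
            octet = octet * 10 + (unsigned)(s[i] - '0');
            if (++digits > 3 || octet > 255) return 0;
        } else if (s[i] == '.' && digits > 0) {
            octets++;
            octet = 0;
            digits = 0;
        } else {
            return 0;
        }
    }
    return digits > 0 && octets == 3;
}

/* Decide which address goes into the access log.
 * peer:               what Ns_ConnPeer() would return (TCP peer)
 * xff:                X-Forwarded-For header value, or NULL if absent
 * always_log_peer_ip: the proposed ns_param; nonzero keeps old behaviour
 * proxynetwork:       pattern the peer must match to be trusted
 * Falls back to the peer address whenever the header cannot be trusted. */
const char *choose_logged_address(const char *peer, const char *xff,
                                  int always_log_peer_ip,
                                  const char *proxynetwork,
                                  char *out, size_t outlen)
{
    const char *start, *end;
    size_t len;

    if (always_log_peer_ip || xff == NULL ||
        !peer_matches_proxynetwork(peer, proxynetwork)) {
        snprintf(out, outlen, "%s", peer);
        return out;
    }

    /* Use the rightmost element: the one our own proxy appended. Anything
     * to the left was supplied by the client and is not trustworthy. */
    start = strrchr(xff, ',');
    start = start ? start + 1 : xff;
    while (*start == ' ' || *start == '\t') start++;
    end = start + strlen(start);
    while (end > start && (end[-1] == ' ' || end[-1] == '\t')) end--;
    len = (size_t)(end - start);

    if (!is_plain_ipv4(start, len) || len >= outlen) {
        snprintf(out, outlen, "%s", peer);
        return out;
    }
    memcpy(out, start, len);
    out[len] = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample requests: (peer, header) pairs as nslog would see them. */
    char buf[64];
    printf("%s\n", choose_logged_address("10.0.0.5", "203.0.113.9", 0, "10.*", buf, sizeof buf));
    printf("%s\n", choose_logged_address("198.51.100.7", "127.0.0.1", 0, "10.*", buf, sizeof buf));
    printf("%s\n", choose_logged_address("10.0.0.5", "forged, 203.0.113.9", 0, "10.*", buf, sizeof buf));
    printf("%s\n", choose_logged_address("10.0.0.5", "203.0.113.9 extra", 0, "10.*", buf, sizeof buf));
    return 0;
}
```

With the switch left at its default the routine is the pre-patch behaviour; only when an operator turns it off and the peer falls inside the configured proxy network does the header win, and even then a malformed or multi-hop value is replaced by the proxy address rather than written into the log as-is.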