Re: [mod-security-users] Using X-Forwarded-For as the source address?
From: Reindl H. <h.r...@th...> - 2013-03-19 18:07:39
On 19.03.2013 18:26, Michael Henry wrote:
> Pardon me if I missed the obvious, but I spent some time searching around, reading documentation, and even checking the mod-security-users archive and I missed it.
>
> Is there any way to set modsecurity 2 to use X-Forwarded-For as the source address?
>
> My servers are behind a proxy (appliance, unfortunately), so all the source IP's look the same. It's an easy fix for access logs, but I'm failing to figure it out for modsecurity.
>
> Anyone have suggestions?

look below

hopefully this will be fixed soon, because it is the last showstopper preventing me from updating to Apache 2.4 behind a trafficserver, and I cannot deal with USERAGENT_IP in a production environment with distributed configurations and a temporary mix of Apache 2.2 / 2.4

a year after Apache 2.4 was released this should really support mod_remoteip in a clean way

[root@srv-rhsoft:~]$ cat /etc/httpd/conf/httpd-remoteip.conf
# thelounge.net distributed config
<IfVersion >= 2.4>
 LoadModule remoteip_module "modules/mod_remoteip.so"
 RemoteIPHeader X-Forwarded-For
 RemoteIPInternalProxy 127.0.0.1 91.118.73.4
 RemoteIPProxiesHeader X-Forwarded-For
</IfVersion>
<IfVersion < 2.4>
 LoadModule rpaf_module "modules/mod_rpaf-2.0.so"
 RPAFenable On
 RPAFproxy_ips 127.0.0.1 91.118.73.4
 RPAFsethostname Off
 RPAFheader X-Forwarded-For
</IfVersion>

-------- Original Message --------
Subject: Re: [mod-security-users] REMOTE_ADDR / Apache 2.4 and mod_remoteip
Date: Tue, 29 Jan 2013 09:16:28 -0200
From: Breno Silva <bre...@gm...>
To: Reindl Harald <h.r...@th...>
CC: Mailing-List mod_security <mod...@li...>

Yes. We still have a ticket for this. I will work on it later. You can now use the variable USERAGENT_IP instead of REMOTE_ADDR.

Thanks

Breno

On Tue, Jan 29, 2013 at 8:55 AM, Reindl Harald <h.r...@th...> wrote:

> I overlooked the 2.7.2 release
>
> 2.7.2:
> * Fixed mod_security displaying wrong ip address in error.log using apache 2.4 and mod_remoteip
>
> logging is now as expected, but rules with REMOTE_ADDR in the context of "mod_remoteip" do not work
> ___________________________________________________
> SecRule REMOTE_ADDR "^10\.0\.0\.99" "id:'117',phase:1,nolog,allow,ctl:ruleEngine=off"
>
> [Tue Jan 29 11:50:28.170865 2013] [:error] [pid 3931] [client 10.0.0.99] ModSecurity: Access denied with code 404 (phase 2). Matched phrase "nessus" at REQUEST_HEADERS:User-Agent. [file "/etc/httpd/modsecurity.d/modsecurity_35_bad_robots.conf"] [line "3"] [id "990002"] [msg "Bad Robot"] [hostname "proxy.test.rh"] [uri "/show_content.php"] [unique_id "UQepdAoAAGMAAA9bSW8AAAAE"]
> ___________________________________________________
> 10.0.0.99 is logged, but I have to use the proxy-ip 10.0.0.103 in the whitelisting (rule id 117), which is not the intention of it - can we please have this fixed too?
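An added example (not from the thread, ModSecurity or Apache) that models how mod_remoteip walks X-Forwarded-For using the RemoteIPInternalProxy list from the config above, and why the whitelist rule 117 keyed on the raw peer address matches the proxy instead of 10.0.0.99 while the same check on the resolved address behaves as intended. The simplified walk, the constructed request addresses and the helper names are assumptions for illustration; a header arriving from a peer that is not a listed proxy is never consulted, which is what keeps the resolved address from being spoofed.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Trusted proxies taken from the RemoteIPInternalProxy line in the config above.
INTERNAL_PROXIES = [ipaddress.ip_network(p) for p in ("127.0.0.1", "91.118.73.4")]


def is_internal_proxy(addr: str) -> bool:
    """True if addr falls inside one of the configured internal proxy ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_PROXIES)


def resolve_client_ip(peer_addr: str, xff: Optional[str]) -> Tuple[str, List[str]]:
    """Simplified model of mod_remoteip's X-Forwarded-For walk (not Apache's code).

    Starting from the TCP peer, keep popping the rightmost header hop as long as
    the current candidate is a trusted proxy. The first address that is not a
    trusted proxy is the user agent. A header sent by an untrusted peer is never
    consulted, so a client cannot pick its own address by adding X-Forwarded-For.
    Returns (useragent_ip, proxies_walked).
    """
    hops = [h.strip() for h in xff.split(",")] if xff else []
    client, proxies = peer_addr, []
    while hops and is_internal_proxy(client):
        candidate = hops.pop()
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break  # malformed hop: stop here and keep the last good address
        proxies.append(client)
        client = candidate
    return client, proxies


RULE_117 = re.compile(r"^10\.0\.0\.99")  # the whitelist regex from the quoted SecRule


def rule_117_allows(peer_addr: str, xff: Optional[str], use_useragent_ip: bool) -> bool:
    """Evaluate rule id 117 against REMOTE_ADDR (raw peer) or USERAGENT_IP (resolved)."""
    addr = resolve_client_ip(peer_addr, xff)[0] if use_useragent_ip else peer_addr
    return RULE_117.match(addr) is not None


if __name__ == "__main__":
    # Constructed request: client 10.0.0.99 arriving through the local proxy.
    print(resolve_client_ip("127.0.0.1", "10.0.0.99"))        # ('10.0.0.99', ['127.0.0.1'])
    print(rule_117_allows("127.0.0.1", "10.0.0.99", False))    # False: REMOTE_ADDR is the proxy
    print(rule_117_allows("127.0.0.1", "10.0.0.99", True))     # True: USERAGENT_IP is the client
    print(resolve_client_ip("203.0.113.7", "10.0.0.99"))      # ('203.0.113.7', []): header ignored
```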