On 19.03.2013 18:26, Michael Henry wrote:
> Pardon me if I missed the obvious, but I spent some time searching around, reading documentation, and even checking
> the mod-security-users archive and I missed it.
>
> Is there any way to set modsecurity 2 to use X-Forwarded-For as the source address?
>
> My servers are behind a proxy (appliance, unfortunately), so all the source IPs look the same. It's an easy fix
> for access logs, but I'm failing to figure it out for modsecurity.
>
> Anyone have suggestions?

Look below.

Hopefully this will be fixed soon, because it is
the last showstopper preventing me from updating to
Apache 2.4 behind a trafficserver, and I cannot
deal with USERAGENT_IP in a production environment
with distributed configurations and a temporary
mix of Apache 2.2 / 2.4. A year after Apache 2.4
was released, this should really support mod_remoteip
in a clean way.

[root@srv-rhsoft:~]$ cat /etc/httpd/conf/httpd-remoteip.conf
# thelounge.net distributed config
<IfVersion >= 2.4>
LoadModule remoteip_module "modules/mod_remoteip.so"
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 127.0.0.1 91.118.73.4
RemoteIPProxiesHeader X-Forwarded-For
</IfVersion>
<IfVersion < 2.4>
LoadModule rpaf_module "modules/mod_rpaf-2.0.so"
RPAFenable On
RPAFproxy_ips 127.0.0.1 91.118.73.4
RPAFsethostname Off
RPAFheader X-Forwarded-For
</IfVersion>

-------- Original Message --------
Subject: Re: [mod-security-users] REMOTE_ADDR / Apache 2.4 and mod_remoteip
Date: Tue, 29 Jan 2013 09:16:28 -0200
From: Breno Silva <bre...@gm...>
To: Reindl Harald <h.r...@th...>
Cc: Mailing-List mod_security <mod...@li...>

Yes. We still have a ticket for this. I will work on it later.
You can now use the variable USERAGENT_IP instead of REMOTE_ADDR.
Thanks
Breno

On Tue, Jan 29, 2013 at 8:55 AM, Reindl Harald <h.r...@th...> wrote:
I overlooked the 2.7.2 release
2.7.2:
* Fixed mod_security displaying wrong ip address in error.log using apache 2.4 and mod_remoteip
Logging is now as expected, but rules with REMOTE_ADDR in
the context of "mod_remoteip" do not work
___________________________________________________
SecRule REMOTE_ADDR "^10\.0\.0\.99" "id:'117',phase:1,nolog,allow,ctl:ruleEngine=off"
[Tue Jan 29 11:50:28.170865 2013] [:error] [pid 3931] [client 10.0.0.99] ModSecurity: Access denied with code 404
(phase 2). Matched phrase "nessus" at REQUEST_HEADERS:User-Agent. [file
"/etc/httpd/modsecurity.d/modsecurity_35_bad_robots.conf"] [line "3"] [id "990002"] [msg "Bad Robot"] [hostname
"proxy.test.rh"] [uri "/show_content.php"] [unique_id "UQepdAoAAGMAAA9bSW8AAAAE"]
___________________________________________________
10.0.0.99 is logged, but I have to use the proxy-ip 10.0.0.103 in the
whitelisting (rule id 117), which is not the intention of it - can we
please have this fixed too?
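
A model of the trust decision behind the proxy lists configured in this thread, as an added example that is not part of the original messages and is not mod_remoteip or ModSecurity code: X-Forwarded-For entries are consumed right to left, and only while the address presenting them is a trusted proxy, which is the processing order the mod_remoteip documentation describes. The function names and the address 203.0.113.7 are assumptions; 10.0.0.99 and 10.0.0.103 are taken from the test setup quoted above, and the internal/trusted proxy distinction is not modelled.

```python
import ipaddress

# Constructed from the thread's test setup: 10.0.0.103 is the proxy in front
# of Apache, 10.0.0.99 is the scanner that rule 117 is meant to whitelist.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "10.0.0.103/32")]
WHITELIST = [ipaddress.ip_network("10.0.0.99/32")]


def _in(addr, networks):
    return any(addr in net for net in networks)


def effective_client_ip(peer, xff, trusted=TRUSTED_PROXIES):
    """Resolve the client address from the TCP peer and X-Forwarded-For.

    Entries are consumed right to left, and only while the address that
    presented them is a trusted proxy. Anything further left is unverified.
    """
    current = ipaddress.ip_address(peer)
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    while hops and _in(current, trusted):
        try:
            candidate = ipaddress.ip_address(hops[-1])
        except ValueError:
            break  # malformed entry: stop and keep the last verified address
        hops.pop()
        current = candidate
    return str(current)


def whitelisted(peer, xff):
    """What a rule on the resolved address (not the raw header) would see."""
    return _in(ipaddress.ip_address(effective_client_ip(peer, xff)), WHITELIST)


if __name__ == "__main__":
    cases = [  # constructed (peer, X-Forwarded-For) pairs
        ("10.0.0.103", "10.0.0.99"),               # scanner via the proxy
        ("10.0.0.103", None),                      # proxy itself, no header
        ("203.0.113.7", "10.0.0.99"),              # direct request, forged header
        ("10.0.0.103", "10.0.0.99, 203.0.113.7"),  # forged left-most entry
    ]
    for peer, xff in cases:
        print(peer, repr(xff), "->", effective_client_ip(peer, xff), whitelisted(peer, xff))
```

Only the first case reaches the whitelist: a rule that disables the engine for one address is safe on the resolved address, not on the raw header value.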