
I'm using mod-rpaf with Apache 2.4 and it's working properly (showing the real client IPs) in my Apache access_log... but not in my error_log. My error log just shows the client IP address of the proxy server (my load balancer in this case).

Here's an example of what I see in my error_log where 123.123.123.123 is the IP of my load balancer/proxy.

```
==> /usr/local/apache2/logs/error_log <==
[Tue Jun 05 20:24:31.027525 2012] [access_compat:error] [pid 9145:tid 140485731845888] [client 123.123.123.123:20396] AH01797: client denied by server configuration: /wwwroot/private/secret.pdf
```

The exact same request produces the following in my access_log where 456.456.456.456 is a real client IP (not the IP of the load balancer).

```
456.456.456.456 - - [05/Jun/2012:20:24:31 +0000] "GET /wwwroot/private/secret.pdf HTTP/1.1" 403 228 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:12.0) Gecko/20100101 Firefox/12.0"
```

Here's my httpd.conf entry:

```
# RPAF
LoadModule rpaf_module  modules/mod_rpaf-2.0.so
RPAFenable On
RPAFproxy_ips 127.0.0.1 123.123.123.123
RPAFsethostname On
RPAFheader X-Forwarded-For
```

What do I need to do to get the real IP addresses showing in my Apache error_log?

user9517
Camden S.
  • Are you *sure* those two logs are representing the same request? The timestamps are nearly five minutes apart, not to mention the URI and paths don't match. – Ladadadada Jun 05 '12 at 21:45
  • Ah, thanks for catching that - that was only a mistake in my copy/pasting of the example - I will correct the OP. But yeah - I've tested a couple more times to verify that it's showing the same request with different IPs. (The OP is now corrected) – Camden S. Jun 05 '12 at 21:59

2 Answers

mod-rpaf requires just a minor change to the source to make it work with Apache 2.4, which I found here: http://vova-zms.blogspot.com/2012/07/install-modrpaf-with-apache-24.html

Simply replace `remote_` with `client_` in mod_rpaf-2.0.c.

Also: http://blog.77jp.net/mod_rpaf-install-apache-2-4

Visualize the simple changes here: https://gist.github.com/teriyakisan/2716030

mod-remoteip is actually not as robust as mod-rpaf (yet).

There are improved copies of mod-rpaf around GitHub too, like here: https://github.com/y-ken/mod_rpaf/ which has HTTPS state support and removes some of the legacy support.

ck_

I thought that error log format looked strange and I didn't think there was any way to change it in 2.2 so I checked out the docs for 2.4.

It seems there is now an ErrorLogFormat directive and your error log is in the default format, which has been updated and significantly improved since 2.2.

Apache 2.4 now includes mod_remoteip which deprecates mod_rpaf. I suspect mod_rpaf has not been updated to work with Apache 2.4 and the ErrorLogFormat directive. The most recent version on the download page is from 2008.

You should use mod_remoteip instead of mod_rpaf with Apache 2.4.

Ladadadada
  • Perfect! I loaded up `mod_remoteip` and I'm in business! Initially after loading the module, the error_log was recording the real IP and the access_log was recording the proxy's IP (the opposite of my initial problem), but to fix that I just changed the default `LogFormat` directive to use the `%a` formatting string instead of the `%h` string -- and that set everything straight. So to summarize: 1) Uncomment the LoadModule line for mod_remoteip. 2) Change the `LogFormat %h...` directive to be `LogFormat %a...`. That's all there was to it. Thanks again. – Camden S. Jun 06 '12 at 01:10
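
A simplified model of the trust decision behind `RPAFproxy_ips` in the question (and mod_remoteip's proxy lists), added here as an example and not taken from the thread or from either module's source: `X-Forwarded-For` is honoured only when the connection comes from a listed proxy, and it is read right to left until the first address that is not a listed proxy. The function name and the 203.0.113.x / 198.51.100.x addresses are constructed for illustration.

```python
import ipaddress

# Proxy list from the question's RPAFproxy_ips line.
PROXIES = ["127.0.0.1", "123.123.123.123"]


def resolve_client_ip(peer_ip, xff_header, trusted_proxies=PROXIES):
    """Return the address that should be logged as the client.

    peer_ip         -- address of the TCP peer (what the error_log showed)
    xff_header      -- raw X-Forwarded-For value, or None if absent
    trusted_proxies -- IPs or CIDR ranges allowed to vouch for a client
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_trusted(ip):
        return any(ip in net for net in nets)

    current = ipaddress.ip_address(peer_ip)
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]

    # Walk the header right to left. Each entry is believed only because
    # the address that reported it (current) is a listed proxy.
    while hops and is_trusted(current):
        candidate = hops.pop()
        try:
            current = ipaddress.ip_address(candidate)
        except ValueError:
            # Malformed entry: keep the last address that was validated
            # rather than writing attacker-controlled text to the log.
            break
    return str(current)


if __name__ == "__main__":
    cases = [  # (peer, X-Forwarded-For) pairs, all constructed
        ("123.123.123.123", "203.0.113.7"),             # normal request via LB
        ("123.123.123.123", "10.0.0.1, 203.0.113.7"),   # client-forged first hop
        ("198.51.100.9", "10.0.0.1"),                   # direct hit, header ignored
        ("127.0.0.1", "203.0.113.7, 123.123.123.123"),  # two listed proxies chained
    ]
    for peer, xff in cases:
        print(f"{peer:17} {xff!r:36} -> {resolve_client_ip(peer, xff)}")
```

Listing only the load balancer's addresses is what keeps a client from choosing the IP that ends up in the logs: any entry it forges sits to the left of the address the proxy appended.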