Already enabled x-forwarded for in haproxy, but mod_remoteip 2.2 backport still doesn't work

Question

I'm using haproxy to forward requests to Apache 2.2 bundled with modsecurity 2.7 and OWASP_CRS. I have enabled insertion of the X-Forwarded-For header in the haproxy config:

defaults:
option forwardfor except 127.0.0.1 header X-Forwarded-For

In mod_audit.log the real ip address is shown in X-Forwarded header:

--06f84712-B--
GET /item/820 HTTP/1.1
Host: myownsite.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
From: googlebot(at)googlebot.com
Accept-Encoding: gzip,deflate
User-Agent: ......
X-Forwarded-For: 66.249.35.164
Connection: close

but in error_log file, all of the logs still have my server IP logged instead of the real client IP:

    [Fri Oct 23 12:55:57 2015] [error] [client mylocalIPAddress] 
ModSecurity: Access denied with code 403 (phase 2). 
Pattern match "<(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|h ..." at ARGS:type. 
[file "/etc/httpd/crs-tecmint/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "301"] [id "973300"] [rev "2"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [data "Matched Data: <div> found within ARGS:page_type: <div>"] [ver "OWASP_CRS/2.2.9"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "myownsite"] [uri "/item/31"] [unique_id "Vim93dj1xSwAAFZ0AKoAAAAB"]

I have enabled the mod_remoteip-httpd22 module but no real clients' IPs have been logged in the error_log file. Can anyone tell me if there is something missing?

Here's the config for mod_remoteip

LoadModule remoteip_module modules/mod_remoteip.so
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 127.0.0.1

Answer 1

I've pinned down the problem after hours of trying to understand how these things work.

In haproxy config, I found that the IP from the backend apache isn't in accord with the mod_remote_ip setting.

backend apache2

    *****
                    // think of this ip as my real server ip
    server apache2 214.4.334.1:3001 weight 1 maxconn 1024 check

    *****

Instead, I should use 127.0.0.1 as the ip address:

backend apache2

    *****

    server apache2 127.0.0.1:3001 weight 1 maxconn 1024 check

    *****

When a request is forwarded to Apache by Haproxy, the mod_remote_ip would check whether the incoming IP is the proxy IP 127.0.0.1. If that is, it will use the IP in X-forwarded for instead in the error_log file.

[error] [client myrealIP] ModSecurity: Access denied with code 403