Client IP behind SQUID on Apache Reverse Proxy
on 02.12.2009 13:38:44 by candrecn
Hi ppl,
I'm getting headaches^3 coz of logging in my scenario...
There is:
Client/HTTPS(172.16.0.101) -> SQUID/HTTPS (172.16.0.31) -> Reverse
Proxy (Apache, SSL-out, 172.16.0.50) -> WebServers/HTTP (172.16.0.60)
I need 2 things (for logging purposes):
1) Send the IP of the client to the WebServers. Is there any way to make
Apache get the "X-Forwarded-For" value from SQUID and forward it in
Apache's X-Forwarded-For header to the WebServers, instead of putting the
SQUID IP in X-Forwarded-For and forwarding it to the WebServers? Better,
just do it if "IP = known proxy IP" like I do in the logging below?
Something like:
SQUID Header:
X-Forwarded-For: 172.16.0.101
Reverse Proxy Header:
X-Forwarded-For: 172.16.0.101 (NOT 172.16.0.31 IF "172.16.0.31=known
proxy IP" [to avoid spoofing...])
2) Log the Client IP on the Reverse Proxy (in the access / error /
modsecurity logs). I made some changes to httpd.conf without the expected results:
----------------------------------------------------------------------------------
SetEnvIf Remote_Addr 172\.25\.136\.31 PROXY=1
LogFormat "%h %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-agent}i\"" combined_forwarded
CustomLog /var/log/httpd/combined-access.log combined env=!PROXY
CustomLog /var/log/httpd/combined_forwarded-access.log combined_forwarded env=PROXY
----------------------------------------------------------------------------------
With this conf, if a client tries to access any webserver behind the RP,
the RP logs the SQUID IP in "combined_forwarded-access.log" instead of the
Client IP, *BUT* if the client accesses the HTML root directory (for
example) of the Reverse Proxy, it logs the real client IP in
"combined_forwarded-access.log" :(
Thanks :)
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
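Added example, not part of the original post or of Apache itself: the "only believe X-Forwarded-For when the peer is a known proxy IP" rule from point 1, written out in Python so the spoofing cases can be checked. The function name, the trusted list (the SQUID address from the post) and the sample requests are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: the SQUID host from the post is the only proxy allowed to vouch for a client.
TRUSTED_PROXIES = [ipaddress.ip_network("172.16.0.31/32")]


def _is_trusted(ip, trusted):
    return any(ip in net for net in trusted)


def resolve_client_ip(peer_ip, xff_header, trusted=TRUSTED_PROXIES):
    """Return the address to log and forward as the client for one request.

    peer_ip:    address of the TCP peer (what Apache logs as %h)
    xff_header: raw X-Forwarded-For value, or None when the header is absent
    """
    peer = ipaddress.ip_address(peer_ip)
    # A peer that is not a known proxy cannot vouch for anyone: ignore its header.
    if not _is_trusted(peer, trusted) or not xff_header:
        return str(peer)
    client = peer
    # Each proxy appends the address it saw, so walk from the right (nearest hop first).
    for token in reversed([t.strip() for t in xff_header.split(",")]):
        try:
            hop = ipaddress.ip_address(token)
        except ValueError:
            break  # malformed entry: stop and keep the last address that parsed
        client = hop
        if not _is_trusted(hop, trusted):
            break  # first untrusted hop is the client; entries left of it are unverified
    return str(client)


# Constructed sample requests: (TCP peer, X-Forwarded-For header as received)
SAMPLES = [
    ("172.16.0.31", "172.16.0.101"),            # normal path through SQUID
    ("172.16.0.101", "10.9.9.9"),               # direct client with a forged header
    ("172.16.0.31", "10.9.9.9, 172.16.0.101"),  # forged entry sent through SQUID
    ("172.16.0.31", None),                      # SQUID sent no header
]

if __name__ == "__main__":
    for peer, xff in SAMPLES:
        print(f"peer={peer:<13} xff={xff!r:<28} -> client={resolve_client_ip(peer, xff)}")
```
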