
I'm having trouble getting OSX Server's Apache service proxy to preserve the client's IP address when forwarding traffic to a Go-based server that I wrote.

Since I have OSX Server's "Websites" feature turned off and want to leave it that way, I followed these instructions to proxy the traffic using the Service Proxy. The config file at /Library/Server/Web/Config/Proxy/apache_serviceproxy_customsites_ext.conf contains:

<VirtualHost *:443>
    ServerName my.host.com:443
    ProxyPreserveHost On
    SetEnv proxy-chain-auth on
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"
    RequestHeader unset Proxy early

    <IfModule mod_ssl.c>
        SSLEngine On
        SSLCertificateFile "/etc/letsencrypt/live/my.host.com/cert.pem"
        SSLCertificateKeyFile "/etc/letsencrypt/live/my.host.com/privkey.pem"
        SSLCertificateChainFile "/etc/letsencrypt/live/my.host.com/chain.pem"
        SSLCipherSuite "HIGH:MEDIUM:!MD5:!RC4:!3DES"
        SSLProtocol -all +TLSv1.2
        SSLProxyEngine On
        SSLProxyProtocol -all +TLSv1.2
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
    </IfModule>

    <IfModule mod_secure_transport.c>
        MSTEngine On
        MSTIdentity ${MST_IDENTITY}
        MSTCipherSuite HIGH, MEDIUM
        MSTProtocolRange TLSv1.2 TLSv1.2
        MSTProxyEngine On
        MSTProxyProtocolRange SSLv3 TLSv1.2
    </IfModule>

    ProxyPass /sub/ http://localhost:8080/
    ProxyPassReverse /sub/ http://localhost:8080/

    RewriteEngine on
    RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
    RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
    RewriteRule .* ws://localhost:8080%{REQUEST_URI} [P]

</VirtualHost>

After restarting the com.apple.serviceproxy.plist LaunchDaemon with launchctl, this works great! Traffic to https://my.host.com/sub/ gets routed to another service listening on :8080.

However, all of the requests show the client's IP address as ::1. Even the X-Forwarded-For header contains ::1, and when I do tail -f /var/log/apache2/service_proxy_access.log all of the requests are logged like this:

my.host.com "my.host.com" ::1 - - [26/Mar/2018:10:13:34 -0700] "GET /sub/ HTTP/1.1" 200 8164 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36"

I'm not super familiar with Apache or OSX Server. Is there some configuration I need to enable or fix to get the real client's IP address? Is there some OSX Server component that I'm not thinking of?

Matt Mc
  • Is your `client` the same computer that's running the app? I only ask because `::1` is the localhost/loop address in IPv6. – shinjijai Mar 26 '18 at 17:43
  • Is that log from your application? It's not clear what created the log entry. – Michael Hampton Mar 26 '18 at 17:50
  • This might be relevant: https://stackoverflow.com/a/8276550/799927 – Andrew Mar 26 '18 at 17:55
  • @shinjijai It's not the same computer. However, further investigation has revealed that this server is behind a `socat` command, piping TCP traffic between two ports on the computer, and this might be causing all traffic to appear as coming from localhost. :( – Matt Mc Mar 26 '18 at 18:54
  • @MichaelHampton The log entry is in `/var/log/apache2/service_proxy_access.log` and seems to be created by the Apache service proxy. – Matt Mc Mar 26 '18 at 18:54
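The Go side of this setup is worth getting right regardless of where the ::1 comes from: a backend that blindly reads X-Forwarded-For lets any direct client forge its address, and a backend that never reads it logs the proxy's address for everything. The added example below (not code from the question or from OSX Server) shows how a Go server behind the Apache service proxy on localhost:8080 can derive the client address safely. It assumes the only trusted proxies are the loopback addresses 127.0.0.1 and ::1 (the `trustedProxies` list is a constructed assumption), consults X-Forwarded-For only when the TCP peer is one of them, and walks the header right to left past trusted hops. It also reproduces the symptom from the comments: when a socat relay sits in front of Apache, every hop in the chain is loopback and the real address is simply not recoverable at the backend, so the function falls back to the peer address rather than inventing one.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
	"strings"
)

// trustedProxies holds the addresses the reverse proxy connects from.
// Apache's service proxy forwards to localhost:8080, so only loopback is
// trusted here. This list is an assumption made for the example.
var trustedProxies = []net.IP{
	net.ParseIP("127.0.0.1"),
	net.ParseIP("::1"),
}

func isTrustedProxy(ip net.IP) bool {
	for _, p := range trustedProxies {
		if p.Equal(ip) {
			return true
		}
	}
	return false
}

// ClientIP returns the best-available client address for a request.
// remoteAddr is http.Request.RemoteAddr ("host:port"); xff is the raw
// X-Forwarded-For header value. The header is only believed when the direct
// peer is a trusted proxy; otherwise a client could spoof its own address by
// sending the header itself. When every hop in the chain is a trusted proxy
// (the page's symptom, where socat makes all traffic look like ::1), the
// peer address is returned because nothing better exists in the request.
func ClientIP(remoteAddr, xff string) string {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr // RemoteAddr without a port; use as-is
	}
	peer := net.ParseIP(host)
	if peer == nil || !isTrustedProxy(peer) {
		// Direct connection from an untrusted peer: the header is not
		// trustworthy, so the TCP peer address is the client address.
		return host
	}

	// Walk X-Forwarded-For from the right (the hop nearest to us) and skip
	// every trusted proxy; the first untrusted entry is the client.
	parts := strings.Split(xff, ",")
	for i := len(parts) - 1; i >= 0; i-- {
		candidate := net.ParseIP(strings.TrimSpace(parts[i]))
		if candidate == nil {
			// Malformed or empty entry: stop rather than log attacker-
			// controlled text as an address.
			break
		}
		if !isTrustedProxy(candidate) {
			return candidate.String()
		}
	}
	// Only trusted hops (or nothing) in the chain: report the peer.
	return host
}

func handler(w http.ResponseWriter, r *http.Request) {
	ip := ClientIP(r.RemoteAddr, r.Header.Get("X-Forwarded-For"))
	log.Printf("client=%s path=%s", ip, r.URL.Path)
	fmt.Fprintf(w, "client=%s\n", ip)
}

func main() {
	http.HandleFunc("/", handler)
	// Bind to loopback only: the service proxy is the sole intended peer.
	log.Fatal(http.ListenAndServe("localhost:8080", nil))
}
```

With the Apache configuration from the question, a request that reaches Apache directly from the internet yields RemoteAddr `[::1]:port` and an X-Forwarded-For holding the real address, so ClientIP returns that address. With socat relaying TCP in front of Apache, Apache itself sees ::1 and writes ::1 into the header, and ClientIP correctly reports ::1 rather than a fabricated value; the fix in that case has to happen at the relay, not in the Go code.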

0 Answers