
I have configured an Apache (version 2.4) reverse proxy to publish on our website an application installed on an internal server. Everything works fine; these are the lines that I added in proxy-html.conf:

ProxyPass /app/bpv0SOCPOkqptPqO6XsIvucLzO7QXJyA/ http://srvacg:9081/acgv4/

If I enter this URL http://www.mysite.com/app/bpv0SOCPOkqptPqO6XsIvucLzO7QXJyA/ I can log in to my internal application and I can work with it.

The problem is that my application checks the client's IP address and allows only 1 connection at a time for the same IP. With the reverse proxy configured, all the connections are made with the private IP of the server where Apache is installed.

I tried to enable mod_remoteip to solve this problem:

RemoteIPHeader X-Forwarded-For

But the result is always the same. This is the Apache access log:

REMOTE-IP: %a - LOCAL-IP: %A | X-Forwarded-For: %{X-Forwarded-For}i | h: %h | UNDERLYING CLIENT IP: %{c}a |

REMOTE-IP: 217.57.XXX.XXX - LOCAL-IP: 192.168.89.3 | X-Forwarded-For: 217.57.XXX.XXX | h: 217.57.XXX.XXX | UNDERLYING CLIENT IP: 217.57.XXX.XXX |

217.57.XXX.XXX is the client IP, 192.168.89.3 is the internal IP and is the IP received by my application. I'm not able to work out how it gets this information.

Can somebody help me?

mmorrisson
fonta7
  • Maybe you can simply extend your application for such cases? In case an X-Forwarded-For header is present, check that IP address instead of the normal request IP? – arkascha Oct 15 '12 at 14:51
  • Arkasha, sorry but I can't. The application is a managerial software and I can't put my hands on it! Thanks – fonta7 Oct 16 '12 at 15:32
  • Ok, whatever "managerial software" is, I understand that you are unable to modify its behaviour in that detail. I assume it is not possible to replace the proxy server's IP address by the initializing client address. Though it might be able to forge (or "construct") such packages: hopefully your firewall will block such requests, since they appear to come from an outside IP address... – arkascha Oct 16 '12 at 19:35

2 Answers


If you cannot modify that application according to your requirements, then maybe you can wrap it?

If you can install an additional application, a trivial wrapper, not more than a simple script, you might be able to construct a workaround: configure the proxy server to forward all requests to that wrapper instead of the 'real' internal application. Then the wrapper could make an internal request on behalf of the proxy server, requesting the 'real' application the way the proxy (or client) would have done, and forward the reply. The advantage: you might be able to construct a request that appears to originate from the original remote client IP, which the wrapper can see as that additional header the proxy server adds. Since the request from the wrapper to the 'real' application is system internal, no packages move through the network, so nothing can be blocked by a firewall.

I did not try this, but it might be a workaround...

arkascha

For some reason, mod_remoteip does not work for my implementation.

Instead, as tested on Apache 2.4, I found this working.

In httpd.conf, try searching for the part where <IfModule log_config_module> is located and replace the CustomLog statement with these:

LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
CustomLog "logs/access.log" proxy

The LogFormat statement creates a custom log format named proxy which makes use of the environment variable X-Forwarded-For forwarded by the proxy as the source of the remote IP address of the real client.

The CustomLog statement simply makes use of the custom log format "proxy" to write the results to "access.log", where the real IP address now appears.

Ken Pega
  • I was also having trouble getting mod_remoteip working, but I finally figured it out. I posted it here: http://stackoverflow.com/questions/25455731/getting-apache-2-4-access-logs-to-show-client-ip-instead-of-127-0-0-1-with-varni – curiouser Aug 22 '14 at 21:26
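Added example, not part of the original thread: X-Forwarded-For is a request header that any client can send, so whichever component reads it (the application, a wrapper as suggested in the first answer, or a log consumer) should honour it only when the TCP peer is the reverse proxy, and should read it from right to left. The function name, the trusted-proxy list and the 203.0.113.x / 198.51.100.x sample addresses are assumptions constructed for illustration; only 192.168.89.3 comes from the question.

```python
import ipaddress

# Assumption: the only host allowed to vouch for a client address is the
# Apache reverse proxy from the question (192.168.89.3).
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.89.3/32")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def resolve_client_ip(peer_ip, xff_header):
    """Return the address to treat as the client.

    peer_ip    -- source address of the TCP connection (what the backend sees)
    xff_header -- raw X-Forwarded-For value, or None if the header is absent
    """
    peer = ipaddress.ip_address(peer_ip)
    # A header sent by an untrusted peer is client-controlled: ignore it.
    if not _is_trusted(peer) or not xff_header:
        return str(peer)
    client = peer
    # Each proxy appends the address it received the request from, so the
    # rightmost entries are the ones written by our own infrastructure.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address we could verify
        client = addr
        if not _is_trusted(addr):
            break  # first address that no trusted proxy vouches for
    return str(client)


if __name__ == "__main__":
    # Constructed sample requests: (TCP peer, X-Forwarded-For value)
    samples = [
        ("192.168.89.3", "203.0.113.7"),                # normal proxied request
        ("192.168.89.3", "198.51.100.9, 203.0.113.7"),  # client pre-filled the header
        ("203.0.113.7", "192.168.89.3"),                # direct hit, forged header
        ("192.168.89.3", None),                         # proxy sent no header
    ]
    for peer, xff in samples:
        print(f"peer={peer} xff={xff!r} -> {resolve_client_ip(peer, xff)}")
```

The second sample shows why taking the leftmost entry, or logging the raw header as the client address, lets a caller choose the IP that a per-IP connection limit is applied to.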