Mod_rpaf with apache error_log

apache-2.4mod-rpaf

I'm using mod-rpaf with Apache 2.4 and it's working properly (showing the real client IP's) in my Apache access_log… but not in my error_log. My error log just shows the client IP address of the proxy server (my load balancer in this case)

Here's an example of what I see in my error_log where 123.123.123.123 is the IP of my load balancer/proxy.

==> /usr/local/apache2/logs/error_log <== [Tue Jun 05 20:24:31.027525 2012] [access_compat:error] [pid 9145:tid 140485731845888] [client
123.123.123.123:20396] AH01797: client denied by server configuration: /wwwroot/private/secret.pdf

The exact same request produces the following in my access_log where 456.456.456.456 is a real client IP (not the IP of the load balancer).

456.456.456.456 - - [05/Jun/2012:20:24:31 +0000] "GET /wwwroot/private/secret.pdf HTTP/1.1" 403 228 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:12.0) Gecko/20100101 Firefox/12.0"

Here's my httpd.conf entry:

# RPAF
LoadModule rpaf_module  modules/mod_rpaf-2.0.so
RPAFenable On
RPAFproxy_ips 127.0.0.1 123.123.123.123
RPAFsethostname On
RPAFheader X-Forwarded-For

What do I need to do to get the real IP addresses showing in my Apache error_log?

Best Answer

I thought that error log format looked strange and I didn't think there was any way to change it in 2.2 so I checked out the docs for 2.4.

It seems there is now an ErrorLogFormat directive and your error log is in the default format, which has been updated and significantly improved since 2.2.

Apache 2.4 now includes mod_remoteip which deprecates mod_rpaf. I suspect mod_rpaf has not been updated to work with Apache 2.4 and the ErrorLogFormat directive. The most recent version on the download page is from 2008.

You should use mod_remoteip instead of mod_rpaf with Apache 2.4.

Related Solutions

Mod_rpaf Configuration Behind Amazon ELB – Best Practices

You can try to use mod_extract_forwarded instead of mod_rpaf — it supports MEFaccept all (and if you use RHEL/CentOS/other-clone, the package is already in EPEL). One downside of mod_extract_forwarded is that the X-Forwarded-For and Forwarded-For header names are hardcoded and not configurable like in mod_rpaf.

There is no support for IP ranges even in mod_extract_forwarded, but you may configure a firewall to allow direct access to Apache only from some IP ranges, or check the MEF_RPROXY_ADDR environment variable in mod_rewrite rules.

After some more thinking about this I found a problem with this mod_extract_forwarded config — while mod_rpaf does not support chains of multiple proxies and takes just the last address from the X-Forwarded-For header, mod_extract_forwarded attempts to support this and uses the last address which does not belong to the trusted proxy list (so that if the request has passed through multiple trusted proxies, the actual client address will be used instead of the second-to-last proxy address). Unfortunately, using MEFaccept all means that mod_extract_forwarded will trust all proxies, therefore if ELB proxies just append their data to the X-Forwarded-For header, and not replace it completely, clients could pass any spoofed IP by sending requests with their own X-Forwarded-For headers.

However, I have found yet another module to parse X-Forwarded-For headers. Recent (unstable) Apache versions have the mod_remoteip module, which apparently supports subnet masks for proxy addresses. There is a backport to Apache 2.2 and a spec file for Fedora; unfortunately, the request to include package in Fedora is stalled.

mod_rpaf Nginx Apache – Fix Issues After Ubuntu Upgrade

Just been dealing with this myself. There was an Ubuntu bug confirmed on Friday. You can get things working again by changing:

<IfModule mod_rpaf.c>

<IfModule mod_rpaf-2.0.c>

in /etc/apache2/mods-available/rpaf.conf

Best Answer

Related Solutions

Mod_rpaf Configuration Behind Amazon ELB – Best Practices

mod_rpaf Nginx Apache – Fix Issues After Ubuntu Upgrade

Related Topic