[Solved] Remote address behind reverse proxy not logged
Added by lib20 over 3 years ago
I'm running lighttpd version lighttpd-1.4.59_1 on a FreeBSD system, behind a nginx reverse proxy.
In nginx.conf, there's: proxy_set_header X-Real-IP $remote_addr;
lighttpd is running on a different IP of a different subnet. In modules.conf
server.modules = (
#  "mod_rewrite",
   "mod_access",
#  "mod_evasive",
#  "mod_auth",
#  "mod_authn_file",
#  "mod_redirect",
#  "mod_setenv",
#  "mod_alias",
   "mod_extforward",
)
extforward.headers = ("X-Real-IP")
extforward.forwarder = (
   "192.168.3.4/24" => "trust",
)
But the IP logged in access.log is always 192.168.3.4, that is the one where the nginx reverse proxy is working.
What should I change/do?
Replies (7)
RE: Remote address behind reverse proxy not logged - Added by gstrauss over 3 years ago
The above is not your entire config, e.g. it does not include mod_accesslog. As a first step, please see How to get help and run the commands there to test your config.
RE: Remote address behind reverse proxy not logged - Added by gstrauss over 3 years ago
"192.168.3.4/24" => "trust"
That looks weird to me. Did you mean "192.168.3.4" => "trust" (or "192.168.3.4/32" => "trust") for a single IPv4 address, or did you mean "192.168.3.0/24" => "trust" for the IPv4 /24 subnet?
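Added example (not from the thread or from the lighttpd code base): a Python sketch of the trust decision that a forwarder map expresses, with a lint for keys like the one questioned above. The function names are hypothetical, and reading a key with host bits set as its enclosing network is an assumption made for illustration, not a statement about how lighttpd parses it.

```python
import ipaddress

def lint_forwarder(entry):
    """Classify one forwarder key as 'host', 'network' or 'ambiguous'."""
    iface = ipaddress.ip_interface(entry)  # accepts "a.b.c.d" and "a.b.c.d/len"
    net = iface.network
    if net.prefixlen == net.max_prefixlen:
        return "host", net
    if iface.ip != net.network_address:
        return "ambiguous", net  # host bits set under a shorter mask
    return "network", net

def trusted_networks(entries):
    """Assumption: an ambiguous key is read as its enclosing network."""
    return [lint_forwarder(e)[1] for e in entries]

def client_address(peer, headers, trusted, names=("X-Real-IP",)):
    """Address to log: the forwarded one only when peer is a trusted proxy."""
    peer_ip = ipaddress.ip_address(peer)
    if not any(peer_ip in net for net in trusted):
        return peer  # untrusted peer: its headers are client-controlled
    for name in names:
        try:
            return str(ipaddress.ip_address(headers.get(name, "").strip()))
        except ValueError:
            continue  # header missing or not an IP literal
    return peer

if __name__ == "__main__":
    # Constructed sample: proxy at 192.168.3.4, another host on the same /24.
    hdr = {"X-Real-IP": "203.0.113.9"}
    for key in ("192.168.3.4/24", "192.168.3.4", "192.168.3.0/24"):
        kind, net = lint_forwarder(key)
        nets = trusted_networks([key])
        print(key, kind, net,
              client_address("192.168.3.4", hdr, nets),
              client_address("192.168.3.77", hdr, nets))
```

Under that assumption, the /24 form makes every host on the subnet a trusted source of X-Real-IP, while the single-address form limits that trust to the proxy itself.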
RE: Remote address behind reverse proxy not logged - Added by lib20 over 3 years ago
Hi gstrauss,
Thank you for your answers.
I'll be more precise.
Lighttpd is running on a FreeBSD 13.0-RELEASE jail.
# lighttpd -v
lighttpd/1.4.59 (ssl) - a light and fast webserver
# lighttpd -tt -f /usr/local/etc/lighttpd/lighttpd.conf
# echo $?
0
lighttpd -p -f /etc/lighttpd/lighttpd.conf at https://paste.lighttpd.net/v9#QwxHAC0mYUkwgMtSdRNQggM4
I used Firefox and Brave web browsers.
Thank you.
RE: Remote address behind reverse proxy not logged - Added by gstrauss over 3 years ago
You have:
server.modules = ("mod_access", "mod_extforward", "mod_accesslog")
Module order matters here (and I need to update the documentation to highlight this).
This should work for you:
server.modules = ("mod_access", "mod_accesslog", "mod_extforward")
RE: [Solved] Remote address behind reverse proxy not logged - Added by gstrauss over 3 years ago
FYI, the code src/mod_extforward.c contains the following comment and that behavior has been true since mod_extforward was first committed back in 2007.
 * mod_accesslog:
 *   In order to see the "real" ip address in access log ,
 *   you'll have to load mod_extforward after mod_accesslog.
 *   like this:
 *
 *   server.modules = (
 *       .....
 *       mod_accesslog,
 *       mod_extforward
 *   )
In commit fea5bdc8, I split request plugin context from connection plugin context. Those internal changes may enable me to remove the historic module ordering requirement from mod_extforward. If I confirm that to be the case, then lighttpd 1.4.61 (the next version of lighttpd) will remove the module ordering requirement between mod_accesslog and mod_extforward.
RE: [Solved] Remote address behind reverse proxy not logged - Added by gstrauss over 3 years ago
--- a/src/mod_extforward.c +++ b/src/mod_extforward.c @@ -1218,7 +1203,6 @@ int mod_extforward_plugin_init(plugin *p) { p->handle_connection_accept = mod_extforward_handle_con_accept; p->handle_uri_raw = mod_extforward_uri_handler; p->handle_request_env = mod_extforward_handle_request_env; - p->handle_request_done = mod_extforward_restore; p->handle_request_reset = mod_extforward_restore; p->handle_connection_close = mod_extforward_handle_con_close; p->set_defaults = mod_extforward_set_defaults;
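Review bot: at the remaining `p->handle_request_reset = mod_extforward_restore;` line, nothing records why the `handle_request_done` hook was dropped; add a short comment there stating that restoring the original address is deferred to request reset and which request-done handlers depend on that. The hunk header offsets (-1218 versus +1203) show that lines were removed earlier in the file that are not visible here, so confirm that the mod_accesslog load-order comment in this file was removed or updated in the same change. It is also worth confirming that request reset runs for every request on a keep-alive connection, so that a forwarded address cannot carry over to the next request.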
RE: [Solved] Remote address behind reverse proxy not logged - Added by lib20 over 3 years ago
It worked as predicted.
Thank you very much gstrauss.