[Solved] Remote address behind reverse proxy not logged

Added by lib20 over 2 years ago

I'm running lighttpd version lighttpd-1.4.59_1 on a FreeBSD system, behind an nginx reverse proxy.
In nginx.conf, there's: proxy_set_header X-Real-IP $remote_addr;

lighttpd is running on a different IP of a different subnet. In modules.conf

server.modules = (
#  "mod_rewrite",
  "mod_access",
#  "mod_evasive",
#  "mod_auth",
#  "mod_authn_file",
#  "mod_redirect",
#  "mod_setenv",
#  "mod_alias",
  "mod_extforward",
)
extforward.headers = ("X-Real-IP")
extforward.forwarder = (
    "192.168.3.4/24" => "trust",
)

But the IP logged in access.log is always 192.168.3.4, that is the one where the nginx reverse proxy is working.

What should I change/do?


Replies (7)

RE: Remote address behind reverse proxy not logged - Added by gstrauss over 2 years ago

The above is not your entire config, e.g. it does not include mod_accesslog. As a first step, please see How to get help and run the commands there to test your config.

RE: Remote address behind reverse proxy not logged - Added by gstrauss over 2 years ago

"192.168.3.4/24" => "trust"

That looks weird to me. Did you mean "192.168.3.4" => "trust" (or "192.168.3.4/32" => "trust") for a single IPv4 address, or did you mean "192.168.3.0/24" => "trust" for the IPv4 /24 subnet?

RE: Remote address behind reverse proxy not logged - Added by lib20 over 2 years ago

Hi gstrauss,

Thank you for your answers.
I'll be more precise.

Lighttpd is running on a FreeBSD 13.0-RELEASE jail.

# lighttpd -v
lighttpd/1.4.59 (ssl) - a light and fast webserver
# lighttpd -tt -f /usr/local/etc/lighttpd/lighttpd.conf
# echo $?
0

lighttpd -p -f /etc/lighttpd/lighttpd.conf at
https://paste.lighttpd.net/v9#QwxHAC0mYUkwgMtSdRNQggM4

I used Firefox and Brave web browsers.

Thank you.

RE: Remote address behind reverse proxy not logged - Added by gstrauss over 2 years ago

You have:
server.modules = ("mod_access", "mod_extforward", "mod_accesslog")

Module order matters here (and I need to update the documentation to highlight this).

This should work for you:
server.modules = ("mod_access", "mod_accesslog", "mod_extforward")
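
An added example, not from the thread or the lighttpd project: a Python check for the two configuration issues raised above, the module order and the forwarder entry with host bits set, for lighttpd versions where the ordering requirement applies. It assumes a flat config in which `server.modules = ( ... )` is a single assignment; `lint_extforward` and `list_body` are hypothetical names.

```python
import ipaddress
import re

# Constructed sample: the module order and forwarder entry reported in this thread.
SAMPLE_CONF = '''
server.modules = ("mod_access", "mod_extforward", "mod_accesslog")
extforward.headers = ("X-Real-IP")
extforward.forwarder = (
    "192.168.3.4/24" => "trust",
)
'''

def list_body(conf, key):
    """Return the text inside `key = ( ... )` with # comments stripped, or ''."""
    text = re.sub(r"#[^\n]*", "", conf)
    m = re.search(re.escape(key) + r"\s*=\s*\((.*?)\)", text, re.S)
    return m.group(1) if m else ""

def lint_extforward(conf):
    """Return findings for the two issues raised in the thread."""
    findings = []
    # 1. Module order: mod_accesslog must come before mod_extforward.
    modules = re.findall(r'"(mod_\w+)"', list_body(conf, "server.modules"))
    if "mod_accesslog" in modules and "mod_extforward" in modules:
        if modules.index("mod_extforward") < modules.index("mod_accesslog"):
            findings.append("order: mod_extforward is loaded before mod_accesslog")
    # 2. Trusted forwarders: flag address/prefix entries with host bits set.
    pairs = re.findall(r'"([^"]+)"\s*=>\s*"(\w+)"',
                       list_body(conf, "extforward.forwarder"))
    for entry, action in pairs:
        if action != "trust":
            continue
        try:
            iface = ipaddress.ip_interface(entry)
        except ValueError:
            continue  # not an IP or CIDR literal; outside this check
        net = iface.network
        if iface.ip != net.network_address:
            findings.append(f"forwarder: {entry} has host bits set; as a network "
                            f"it would span {net} ({net.num_addresses} addresses)")
    return findings

if __name__ == "__main__":
    for finding in lint_extforward(SAMPLE_CONF):
        print(finding)
```

The span reported for the forwarder entry is how Python's `ipaddress` module reads the prefix, shown so the operator can decide whether a single proxy address or the whole subnet was meant to be trusted.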

RE: [Solved] Remote address behind reverse proxy not logged - Added by gstrauss over 2 years ago

FYI, the code src/mod_extforward.c contains the following comment and that behavior has been true since mod_extforward was first committed back in 2007.

 *  mod_accesslog:
 *   In order to see the "real" ip address in access log ,
 *   you'll have to load mod_extforward after mod_accesslog.
 *   like this:
 *
 *    server.modules  = (
 *       .....
 *       mod_accesslog,
 *       mod_extforward
 *    )

In commit fea5bdc8, I split request plugin context from connection plugin context. Those internal changes may enable me to remove the historic module ordering requirement from mod_extforward. If I confirm that to be the case, then lighttpd 1.4.61 (the next version of lighttpd) will remove the module ordering requirement between mod_accesslog and mod_extforward.

RE: [Solved] Remote address behind reverse proxy not logged - Added by gstrauss over 2 years ago

--- a/src/mod_extforward.c
+++ b/src/mod_extforward.c
@@ -1218,7 +1203,6 @@ int mod_extforward_plugin_init(plugin *p) {
        p->handle_connection_accept = mod_extforward_handle_con_accept;
        p->handle_uri_raw = mod_extforward_uri_handler;
        p->handle_request_env = mod_extforward_handle_request_env;
-       p->handle_request_done = mod_extforward_restore;
        p->handle_request_reset = mod_extforward_restore;
        p->handle_connection_close = mod_extforward_handle_con_close;
        p->set_defaults  = mod_extforward_set_defaults;
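
Review bot: Dropping the `p->handle_request_done = mod_extforward_restore;` registration leaves `handle_request_reset` as the only per-request hook that calls `mod_extforward_restore`, and nothing in this hunk documents why that is sufficient. If the intent is that the forwarded address stays in place until the access log line has been written, say so in a comment next to the remaining `p->handle_request_reset = mod_extforward_restore;` line, and update the header comment in src/mod_extforward.c that tells users to load mod_extforward after mod_accesslog so it does not contradict the new behavior. It is also worth confirming that the reset hook runs before the next request on a kept-alive connection, so one request's forwarded address is never carried into the next, with a test that loads the two modules in both orders.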

RE: [Solved] Remote address behind reverse proxy not logged - Added by lib20 over 2 years ago

It worked as predicted.
Thank you very much gstrauss.
