Install mod_extract_forwarded - Show Real IP behind Proxy

From Brian Nelson Ramblings

How to Show the Real IP when Behind a Proxy

mod_extract_forwarded is designed to transparently (to other Apache modules) modify the information about the connection over which an HTTP request is received when that connection is not directly from a requesting client to the Apache server but is instead via one or more intervening proxy servers.

Operation relies on the X-Forwarded-For header, inserted by proxy servers. This is a non-RFC-standard request header which was introduced by the Squid caching proxy server's developers and which is now also supported, for reverse proxy server operation, by Apache 2. If the intervening proxy servers don't add such headers, we can't do anything about it. It is worth noting that a normally configured Squid proxy server will add to the X-Forwarded-For header. However, when used as a proxy server, Apache prior to version 2 does not add X-Forwarded-For headers unless the third party mod_proxy_add_forward module has been added to it. This can leave potentially important gaps in the information recorded in the X-Forwarded-For header.

If the X-Forwarded-For header has been added properly by the intervening proxy servers, we can determine the IP number of the originating client machine, BUT there are some problems associated with this.

Firstly, it would be inadvisable to trust anything inserted into the X-Forwarded-For header by any intervening machine outside the boundary of our own local network. At best we should only trust what was written by the proxy servers we control, which handled the incoming request between the boundary of our network and our destination server; even that trust should be conditional, as the header is plain text and eminently corruptible. It is vital that the incoming proxy server on our local network border reliably adds the X-Forwarded-For header, so that we always have a clear demarcation in the information: the public IP number of the machine that connected to our network border. In practice, this means we can, at best, place limited trust in the IP number of the machine outside our local network border that made the connection to our incoming (reverse) proxy server, as recorded by that proxy in the X-Forwarded-For header.

If you are using a load-balancing proxy such as Squid or Apache itself, or a cache such as Varnish, you will only find the proxy's IP in your Apache access/error logs. One way to fix this issue is to install mod_extract_forwarded, which is in the EPEL repo.

Let's first install the EPEL repo:

wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -Uvh epel-release-6*.rpm

Install mod_extract_forwarded with yum:

yum install mod_extract_forwarded

Be sure to enter only the IP address of YOUR load-balancing proxy, not other proxies and certainly not all proxies, otherwise you could find many fake IP addresses in your logs. I am using Varnish Cache with the internal IP address of 127.0.0.2.

Now add the proxy's IP address to the module's configuration file:

echo 'MEFaccept 127.0.0.2' >> /etc/httpd/conf.d/mod_extract_forwarded.conf
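To make concrete why MEFaccept should list only your own proxy, here is an added Python model of the trust rule described above. It is not the module's code; the right-to-left walk through the chain is an assumption about how the header is resolved, and the sample connections are constructed. Peer 127.0.0.2 stands in for the Varnish instance from this page.

```python
import ipaddress

# Constructed trust list: the one reverse proxy we control, matching the
# page's "MEFaccept 127.0.0.2" (Varnish on a loopback alias).
TRUSTED_PROXIES = {"127.0.0.2"}

def is_ip(value):
    """True if value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def parse_xff(header):
    """Split an X-Forwarded-For value into addresses, client first, last proxy last."""
    return [part.strip() for part in header.split(",") if part.strip()]

def effective_client_ip(peer_ip, xff_header, trusted=TRUSTED_PROXIES):
    """Return the address to log for a request (a model of the trust rule,
    not the module's own code): honour the header only when the TCP peer is
    one of our proxies, then read the chain right to left, since each proxy
    appends the peer it saw; the first address that is not ours is the client."""
    if peer_ip not in trusted:
        return peer_ip  # direct connection: anything in the header is forgeable
    for addr in reversed(parse_xff(xff_header)):
        if not is_ip(addr):
            return peer_ip  # corrupt header: fall back to the proxy's address
        if addr not in trusted:
            return addr
    return peer_ip  # header empty or lists only our own proxies

# Constructed sample connections: (TCP peer address, X-Forwarded-For value).
SAMPLES = [
    ("127.0.0.2", "203.0.113.5"),            # normal request via Varnish
    ("127.0.0.2", "10.0.0.9, 203.0.113.5"),  # client sent its own XFF first
    ("198.51.100.7", "203.0.113.5"),         # bypassed the proxy, forged header
    ("127.0.0.2", ""),                       # proxy failed to add the header
    ("127.0.0.2", "203.0.113.5, evil"),      # garbage appended to the chain
]

def resolve_samples():
    """Return the IP that would be logged for each constructed sample."""
    return [effective_client_ip(peer, xff) for peer, xff in SAMPLES]

if __name__ == "__main__":
    for (peer, xff), ip in zip(SAMPLES, resolve_samples()):
        print(f"peer={peer:14} xff={xff!r:28} -> log {ip}")
```

The third sample is the case the warning above is about: a client that reaches Apache without going through the listed proxy gets its own address logged, and its forged header is ignored.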

Now make sure the Apache configuration is set up correctly:

httpd -t

Once you get Syntax OK, restart Apache:

httpd -k restart

or

service httpd restart

Now check your Apache logs; you should see the client's real IP in the entries:

tail -f /var/log/httpd/access.log

Additional Reads