14

I see many on the web referring to the use of ProxyPreserveHost On to make sure that a proxied backend receives the original caller's host name. I am using this to tighten my web application's security (Java, Tomcat) whereas it would also be nice if my logs would show where users are actually at. My Tomcat logs now show this – pretty useless:

```
127.0.0.1 - - [17/Mar/2013:06:32:13 +0100] "GET /webapp/frontend/app/partials/welcome.html HTTP/1.1" 200 54
```

This is my configuration that clearly does not work as expected:

"/etc/apache2/sites-enabled/000-default"

```
<VirtualHost *:80>
    ProxyPreserveHost On
    ProxyPass /webapp http://localhost:8080/webapp
    ProxyPassReverse /webapp http://localhost:8080/webapp
    RewriteEngine On
    RewriteRule ^/$            /webapp/frontend/app/ [proxy]
    RewriteRule ^/webapp/$     /webapp/frontend/app/ [redirect]
    RewriteRule ^/webapp/app/$ /webapp/frontend/app/ [redirect]
```

(from here on default stuff that was in the 000-default)

Enabled modules:

```
sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod rewrite
```

This is Ubuntu 12.10 running Apache HTTPD 2.2.22.

Your help would be much appreciated.

Sander Verhagen

1 Answer

21

I assume your concern is that your access log still contains 127.0.0.1 in the client field. This isn't affected by ProxyPreserveHost; this is the IP address of the network end point that connected to Apache. For proxied connections from another server, this is going to always be localhost.

Also, ProxyPreserveHost is about preserving the Host header sent by the client, not about preserving the original IP of the client. In other words, it's about information going the wrong direction for your purposes; it's preserving the name of your server as sent by the client, not the client's IP.

I think your question is the same as this question. I'd add the additional note that you can log the X-Forwarded-For header in your logs using %{X-Forwarded-For}i in your CustomLog configuration.

rra
  • Thanks. The question you refer to has a voted-for answer that links to an article outside Stack Overflow that actually refers to `ProxyPreserveHost` as one solution "so the developer doesn’t have to end up using `X-Forwarded-For` header". I'm such a developer, and I felt bad having to use something non-standard. That said, I googled `X-Forwarded-For` and even Wikipedia refers to it as a _de facto_ standard, which is much better than what I initially thought it was (something Apache HTTPD-specific that makes my web application Apache HTTPD-specific). – Sander Verhagen Mar 18 '13 at 04:14
  • I think that linked blog post is just confusingly written. He says that the directive can be used to preserve "the remote host not the remote ip." Under normal circumstances, those would be two different names (via DNS) for the same thing, but I think by "the remote host" he actually means "the Host header sent by the remote client" rather than the hostname of the remote client. But indeed, as written it's rather confusing. – rra Mar 18 '13 at 04:37
  • I went ahead and implemented a check on the return value of `HttpServletRequest.getHeader("X-Forwarded-For")` in addition to my existing check on `WebAuthenticationDetails.getRemoteAddress()`. My application is thus now `X-Forwarded-For` aware. Not what I was hoping for initially, but working nonetheless. Thank you. – Sander Verhagen Mar 18 '13 at 05:02
  • As per [Steffen's answer](http://stackoverflow.com/a/30784225/1990970) in the mentioned question, the Apache module `mod_remoteip` seems to be the _de facto_ standard if running Apache httpd 2.4.6 or above. – Brean Nov 09 '15 at 13:08
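
Added example, not part of the original answer or comments: `X-Forwarded-For` is a request header that any client can set, so an application that checks it as described in the comments should honor it only when the connection itself comes from its own reverse proxy, and should read the list from the right, because Apache appends the address it saw to whatever the client sent. The class and method names and the trusted-proxy set (loopback only, matching the configuration in the question) are assumptions.

```java
import java.util.Set;
import java.util.regex.Pattern;

public class ForwardedClientIp {
    // Loose syntactic check for an IPv4/IPv6 literal; rejects hostnames and log-injection text.
    private static final Pattern IP_LITERAL = Pattern.compile("[0-9A-Fa-f:.]{2,45}");

    /**
     * @param peerAddr       address of the TCP peer, e.g. HttpServletRequest.getRemoteAddr()
     * @param xff            raw X-Forwarded-For header value, may be null
     * @param trustedProxies addresses of the reverse proxies we operate (assumed: loopback)
     */
    static String resolveClientIp(String peerAddr, String xff, Set<String> trustedProxies) {
        // A peer that is not our proxy can put anything in the header: ignore it.
        if (xff == null || !trustedProxies.contains(peerAddr)) {
            return peerAddr;
        }
        // Each proxy appends the address it saw, so walk right to left and stop at
        // the first hop we do not operate. Everything left of it is client-supplied.
        String[] hops = xff.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!IP_LITERAL.matcher(hop).matches()) {
                return peerAddr; // malformed entry: fall back to the address we know
            }
            if (!trustedProxies.contains(hop)) {
                return hop;
            }
        }
        return peerAddr; // header listed only our own proxies
    }

    public static void main(String[] args) {
        Set<String> proxies = Set.of("127.0.0.1", "0:0:0:0:0:0:0:1");
        // Constructed sample inputs; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
        // 1. Normal request through the local Apache proxy.
        System.out.println(resolveClientIp("127.0.0.1", "203.0.113.7", proxies));
        // 2. Client sent its own X-Forwarded-For; Apache appended the real address after it.
        System.out.println(resolveClientIp("127.0.0.1", "10.0.0.1, 203.0.113.7", proxies));
        // 3. Client connected to Tomcat directly, bypassing the proxy, with a forged header.
        System.out.println(resolveClientIp("198.51.100.9", "127.0.0.1", proxies));
        // 4. Header entry that is not an IP literal.
        System.out.println(resolveClientIp("127.0.0.1", "x\" injected", proxies));
    }
}
```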