1. Home
  2. Forums Index
  3. Server Side / Apache Web Server 2:06 pm May 1, 2026

Forum Moderators: phranque

Message Too Old, No Replies

mod rewrite interpreting IP differently than logs

IP different in mod_rewrite than logs

         

dfresh4130

12:11 am on Apr 2, 2014 (gmt 0)

10+ Year Member



I'm a little confused by this behavior. Running apache 2.2.26 compiled from source. One environment is behaving different than another. I have the below in httpd.conf to pick up the correct IP address of the client. 


SetEnvIf REMOTE_ADDR "(.+)" CLIENTIP=$1
SetEnvIf X-Forwarded-For "^([0-9.]+)" CLIENTIP=$1
SetEnvIf True-Client-IP "^([0-9.]+)" CLIENTIP=$1

LogFormat "%{CLIENTIP}e|%l|%u|%t|\"%r\"|%>s|%b|\"%{Referer}i\"|\"%{User-Agent}i\"|%D" combined


I also have this in a rewrite block. The specific IPs are F5s that I don't want redirected so their health check passes for this pool the apache servers are in. 

RewriteEngine on
RewriteLog /apps/httpd/logs/mod-rewrite-logs/rewrite.log
RewriteLogLevel 5

RewriteCond %{REMOTE_ADDR} !172\.16\.31\.13[0|1]$
RewriteCond %{REQUEST_URI} !^/robots\.txt$
RewriteRule !^/order$ http://www.example.com/ [R,L]


This is what I'm seeing in the logs: 

172.16.31.131|-|-|[01/Apr/2014:20:08:30 -0400]|"GET /"|200|53|"-"|"-"|317
172.16.31.130|-|-|[01/Apr/2014:20:08:32 -0400]|"GET /"|200|53|"-"|"-"|296
198.x.x.x|-|-|[01/Apr/2014:20:08:32 -0400]|"GET / HTTP/1.1"|200|53|"-"|"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36"|224


However, my mod_rewrite is still seeing the IP as the 172.16.31.130 IP when I'm hitting it there. Am I missing something as to why mod_rewrite is picking up the REMOTE_ADDR variable different than the access log? Even changing the rewrite condition to use CLIENTIP didn't make a difference. 


172.16.31.130 - - [01/Apr/2014:20:10:49 --0400] [www.example.com/sid#dcc230][rid#e59f60/initial] (1) pass through /
172.16.31.130 - - [01/Apr/2014:20:10:49 --0400] [www.example.com/sid#dcc230][rid#e6d700/subreq] (2) init rewrite engine with requested uri /index.html
172.16.31.130 - - [01/Apr/2014:20:10:49 --0400] [www.example.com/sid#dcc230][rid#e6d700/subreq] (1) pass through /index.html
172.16.31.130 - - [01/Apr/2014:20:10:49 --0400] [www.example.com/sid#dcc230][rid#e5bf70/initial] (2) init rewrite engine with requested uri /
172.16.31.130 - - [01/Apr/2014:20:10:49 --0400] [www.example.com/sid#dcc230][rid#e5bf70/initial] (3) applying pattern '^/order$' to uri '/'
172.16.31.130 - - [01/Apr/2014:20:10:49 --0400] [www.example.com/sid#dcc230][rid#e5bf70/initial] (4) RewriteCond: input='172.16.31.130' pattern='!172\\.16\\.31\\.13[0|1]$' => not-matched
172.16.31.130 - - [01/Apr/2014:20:10:49 --0400] [www.example.com/sid#dcc230][rid#e5bf70/initial] (1) pass through /
172.16.31.130 - - [01/Apr/2014:20:10:49 --0400] [www.example.com/sid#dcc230][rid#e57f50/subreq] (2) init rewrite engine with requested uri /index.html
172.16.31.130 - - [01/Apr/2014:20:10:49 --0400] [www.example.com/sid#dcc230][rid#e57f50/subreq] (1) pass through /index.html
172.16.31.130 - - [01/Apr/2014:20:10:49 --0400] [www.example.com/sid#dcc230][rid#e6d700/initial] (2) init rewrite engine with requested uri /
172.16.31.130 - - [01/Apr/2014:20:10:49 --0400] [www.example.com/sid#dcc230][rid#e6d700/initial] (3) applying pattern '^/order$' to uri '/'
172.16.31.130 - - [01/Apr/2014:20:10:49 --0400] [www.example.com/sid#dcc230][rid#e6d700/initial] (4) RewriteCond: input='172.16.31.130' pattern='!172\\.16\\.31\\.13[0|1]$' => not-matched

lucy24

2:45 am on Apr 2, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



RewriteCond %{REMOTE_ADDR} !172\.16\.31\.13[0|1]$

Yikes! I had to go try that in a text editor to assure myself that it would neither crash the server nor be interpreted as
(172\.16\.31\.130)|(1$)
Tangentially: What do you need an end anchor for? The IP will never have more than three digits. What you do need is an opening anchor-- not to prevent false positives, for the same three-digit reason, but simply to let the server get out of there a little faster if the very first character isn't 1, the first block isn't 172 and so on.

SetEnvIf X-Forwarded-For "^([0-9.]+)" CLIENTIP=$1
SetEnvIf True-Client-IP "^([0-9.]+)" CLIENTIP=$1

Here, again, I don't understand the anchoring. Can an x-forwarded for header ever begin with something other than an IP address? Can it have trailing non-numeric information? I assume you're only dealing with IPv4 at this point. I really wish Apache recognized the \h locution.

RewriteCond %{REQUEST_URI} !^/robots\.txt$
RewriteRule !^/order$ http://www.example.com/ [R,L]

I don't understand this rule. "If the request is for 'example.com/order' then redirect to the root, but only if the request was not for robots.txt". Is there some other rule that causes robots.txt requests to be rewritten to "order"? This hardly seems likely-- and that being the case, what's the condition for?

172.16.31.130 - - [01/Apr/2014:20:10:49 --0400] [www.example.com/sid#dcc230][rid#e6d700/initial] (3) applying pattern '^/order$' to uri '/'
172.16.31.130 - - [01/Apr/2014:20:10:49 --0400] [www.example.com/sid#dcc230][rid#e6d700/initial] (4) RewriteCond: input='172.16.31.130' pattern='!172\\.16\\.31\\.13[0|1]$' => not-matched

Weird indeed. Clearly the request "/" doesn't match the pattern "^/order$" but what has this to do with the IP? mod_rewrite should never even have got as far as the condition.

:: off to experiment on test site ::

dfresh4130

3:39 pm on Apr 2, 2014 (gmt 0)

10+ Year Member



RewriteCond %{REMOTE_ADDR} !172\.16\.31\.13[0|1]$

For the RewriteCond I just modified an example I found on another site. Didn't think about the anchor at the end being pointless.

SetEnvIf X-Forwarded-For "^([0-9.]+)" CLIENTIP=$1
SetEnvIf True-Client-IP "^([0-9.]+)" CLIENTIP=$1

I am a little confused on these as well, but they're in an already existing configuration on a different apache server in the same DMZ so I wasn't sure how useful they really are.

RewriteCond %{REQUEST_URI} !^/robots\.txt$
RewriteRule !^/order$ http://www.example.com/ [R,L]

In the above rewrite I'm basically saying anything that doesn't start with /order to go back to the home page. These servers are being created to serve only /order requests explicitly and will be internet facing. So if a crawler does come along I figured just let them see robots.txt instead of getting redirected.

What I'm still puzzled by is why the access log is picking up the IP correctly, but mod_rewrite isn't. Essentially we're creating a different entry point for /order requests using a URL different than www. that allows customers to send orders using their own UI instead of going to our site. Therefore we don't want these servers to accept anything but /order requests and if someone does find this URL we just want them to go back to the home page since they wouldn't know how to use this service. This same config is working correctly in a different environment, but the difference is different DMZ with different F5 so I'm guessing the request is coming in differently, but can't tell what's different.

g1smd

4:08 pm on Apr 2, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



The [0|1] should be either (0|1) or [01] with the latter usually being slightly faster.

lucy24

9:15 pm on Apr 2, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



In the above rewrite I'm basically saying anything that doesn't start with /order to go back to the home page.

Whoops, my bad: the ! in the body of the rule is so rare, I overlooked it. What happens to non-page requests? Do supporting files for /orders/ live in the /orders/ directory?

All this is lying loose in the config file, right? Not in a <Directory> section?

dfresh4130

4:54 pm on Apr 3, 2014 (gmt 0)

10+ Year Member



There are no static files being served up for these requests. We're just using a proxy pass rule for all /order requests to go onto a backend. All of the redirect lines I posted are in their own file being called via an Include.

lucy24

6:44 pm on Apr 3, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



All of the redirect lines I posted are in their own file being called via an Include.

Ouch, don't talk to me about includes.
:: pause to glare at MAMP ::
But is the "Include" line itself loose in the config file, or inside a <Directory> section?

Is the plain [R] intentional, or just a temporary measure for testing? (Unrelated question.)

dfresh4130

8:25 pm on Apr 3, 2014 (gmt 0)

10+ Year Member



The R is just for testing purposes and the include line isn't in any Directory blocks, exactly like below:
Include conf.d/redirects/*


Finally figured out the issue and learned something about apache in the process. The traffic to these apache servers is being sent via an F5 load balancer. The F5 load balancer has it's own static IP and a floating IP between the primary and secondary. The health check the F5 sends is going through its own static IP where as all the actual customer traffic comes through the floating IP. Makes sense to allow for failover purposes. For some reason in my problem environment there is no floating IP so the traffic comes through the same IP sending health checks. This in turn led me to understand apache access logs are showing the correct IP, but mod_rewrite logs actually log the IP traffic comes in from and evaluates the rule based upon what's in the header. Since the rewrite is allowing the F5 IP to hit a local file it's also not redirecting the customer traffic since it's the IP I'm excluding in my RewriteCond. Not saying this isn't a proper config for this environment, but it's what I'm stuck with. Now I just need to modify my rewrite in the problem environment to work around the IP issue. Thanks for all the help.
 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

  1. Home
  2. Forums Index
  3. Server Side / Apache Web Server 2:06 pm May 1, 2026