Searching for a solution to my problem, that is, logging in Apache the real client IP, not the proxy address that comes in the remote-address header, I found this:
IP in Client-IP
SetEnvIfNoCase Client-IP "\." proxy
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Client-IP}i %l %u %t \"%r\" %>s %b" common_proxy
CustomLog /var/log/apache/access.log common env=!proxy
CustomLog /var/log/apache/access.log common_proxy env=proxy
Don't know if it works; the author of this trick even says that he isn't all that clear that you could have 2 CustomLog directives pointing to the same file (disclaimer: I haven't read the Apache doc on CustomLog yet).
However, out of curiosity, I was looking at the phpBB code (since they store client IP addresses in the database, and have a vested interest in doing it right, to be able to block effectively) and found that they don't rely on the Client-IP header. Instead, they look for X-Forwarded-For, and consider that the "real client IP" is the first IP in the X-Forwarded-For list that isn't local (e.g. 192.168.xx, etc.) or isn't equal to remote-address.
My question is:
Is this the right way to do it? Any pointers on the Apache standard practice for logging the real client IP (or the best shot)?
So far, however, I'd bet on using X_FORWARDED_FOR. I have not found CLIENT_IP to be reliable - it's just not used very often.
Jim
In Spain, as I said, the almighty proxy run by the de facto state monopoly (Telefónica de España) sets the Client-IP header. I'm not sure whether US-based proxies will not set it or set it wrong.
Now, traversing the X-Forwarded-For list and tossing out private IPs, etc., that is, replicating what phpBB does, is way beyond my Apache httpd.conf tinkering abilities (assuming that it could even be done).
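The selection rule described in this thread (first X-Forwarded-For entry that is not local and not equal to the remote address), as an added Python example that is not phpBB's code or any poster's. It goes one step further by reading the header only when the connecting peer is in a trusted-proxy list; `TRUSTED_PROXIES`, `LOCAL_NETS`, the function names and all addresses are constructed assumptions.

```python
import ipaddress

# Constructed sample: proxies we operate or explicitly trust (assumption).
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]

# "Local" ranges to skip: RFC 1918, loopback, link-local, IPv6 equivalents.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def _parse(value):
    """Return an address object, or None for entries such as 'unknown'."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def real_client_ip(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Choose the address to log for one request.

    remote_addr -- TCP peer address (what %h logs in Apache)
    xff_header  -- raw X-Forwarded-For value, or None if absent
    """
    peer = _parse(remote_addr)
    if peer is None:
        raise ValueError("remote_addr must be a valid IP address")
    # The header is client-supplied. Read it only when the peer is a proxy
    # we trust; otherwise any client could write an arbitrary IP into the log.
    if not xff_header or not any(peer in net for net in trusted):
        return str(peer)
    for entry in xff_header.split(","):
        ip = _parse(entry)
        if ip is None:
            continue  # malformed entry or injected text
        # Rule from the thread: skip local addresses and the peer itself.
        if ip == peer or any(ip in net for net in LOCAL_NETS):
            continue
        # Entries left of the trusted proxy's own append can still be forged
        # by the client, so this is a best guess, not an authenticated value.
        return str(ip)
    return str(peer)  # nothing usable in the header: fall back to the peer
```

Logging the peer address alongside the chosen value keeps the one field the client cannot forge available for blocking decisions.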