Joe_Fontes_4518
Dec 07, 2006 Nimbostratus
Apache SSL Logs
I am trying to figure out how to get the correct source IP for the SSL request which has passed through the load balancer.
I wrote an iRule (got most of it from the iRule downloads section) that is successfully logging regular http requests to the local syslog-ng which then passes to my central logging server:
when HTTP_REQUEST {
    # set the URL here, log it on the response
    set url [HTTP::host]
    set uri [HTTP::uri]
    set vip [IP::local_addr]:[TCP::local_port]
    set meth [HTTP::method]
    set ua [HTTP::header User-Agent]
    set ref [HTTP::header Referer]
    set ver [HTTP::version]
}
when HTTP_RESPONSE {
    set client [IP::client_addr]
    set node [IP::server_addr]
    set nodePort [TCP::server_port]
    set nodeResp [HTTP::status]
    set rlen [HTTP::header Content-Length]
    # fall back to a fixed length when the response has no Content-Length header
    if {$rlen == ""} {
        set rlen 100
    }
    # log connection info
    log local0.info "$client - - \[DATE\] \"$meth $uri HTTP/$ver\" $nodeResp $rlen \"$ref\" \"$ua\""
}
I know that I don't need to do it this way and XFF is set up and working... this is just a test.
My question comes into play when working with SSL. This will not work for SSL as the VS does not have an http profile. However, when logging the SSL connections on Apache I still get the IP of the LB instead of the actual source IP. I didn't think that was possible as I had assumed that the header (except for the requesting info) was encrypted and could only be decrypted downstream at the server?
If the source IP is being altered, there must be a way to either set XFF for SSL, or do something similar to what I have done above with regular HTTP requests.
Just trying to figure out how to keep track of the unique IPs that are connecting into the SSL site...
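
An added example, not part of the original post: one way to record the real client address for connections to a virtual server that has no HTTP profile is to log at the TCP layer, where no decryption is needed. It assumes the TLS traffic is passed through undecrypted, that the node sees a BIG-IP address as the source, and that local0 reaches syslog-ng as in the post; the `ssl-conn` tag and the field names are made up for illustration.

```tcl
# Added example: L4 connection logging for a virtual server without an HTTP profile.
# Only IP/TCP-layer iRule commands are used, so nothing here needs to see inside TLS.
when CLIENT_ACCEPTED {
    # Client-side view: the real source address and port, and the VIP that was hit
    set client "[IP::client_addr]:[TCP::client_port]"
    set vip "[IP::local_addr]:[TCP::local_port]"
}
when SERVER_CONNECTED {
    # Server-side view: in this event IP::local_addr and TCP::local_port are the
    # address and port the BIG-IP used toward the node, which is what the
    # web server records as the remote address of the connection
    set lbsrc "[IP::local_addr]:[TCP::local_port]"
    set node "[IP::server_addr]:[TCP::server_port]"
    # One line per connection, tying the client to the server-side source
    log local0.info "ssl-conn client=$client vip=$vip lb_src=$lbsrc node=$node"
}
```

Counting distinct `client=` values on the central log server gives the unique source IPs. Matching a line to an individual Apache entry by `lb_src` requires Apache to log the remote port as well (`%{remote}p` in `LogFormat`).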