For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

erin_landis_211's avatar
erin_landis_211
Icon for Nimbostratus rankNimbostratus
Nov 04, 2015

Apache2.2 logging "Real" Client IP's - Mod_CloudFlare

Howdy,   Goal: To present the "real" client IP to the PHP handler and apache logging thread in apache2.2. I've used Mod_Cloudflare for this in the past and it worked great. We've got php code that ...
application delivery
design
LTM
erin_landis_211's avatar
erin_landis_211
Icon for Nimbostratus rankNimbostratus
Nov 13, 2015

Ok, we were able to resolve this issue with the following:

 

1) Logging real client IP's in apache logs:

 

Adding "%{X-Forwarded-For}i" to the LogFormat config in httpd.conf worked:

 

LogFormat "%{X-Forwarded-For}i - %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{X-Forwarded-For}i - %h %l %u %t \"%r\" %>s %b" common

2) Passing the real client IP to php

 

I talked this over with a developer on staff and we were able to use php's auto_prepend_file to make this happen:

 

.htaccess file:

 

php_value auto_prepend_file proxy.php

proxy.php contents:

 

Note: We switched out $trusted_proxy with the floating IP address of the load balancer.

 

This works as expected.

 

Note that this is very much a workaround (think bandaids/ducktape) until the code can be updated or a more robust solution can be found. I, for one, am hoping for a mod_f5 🙂

 

This link provided the inspiration for that code: https://devcentral.f5.com/questions/apache22-logging-quotreal-quot-client-ips-mod_cloudflare