
Wish: Apache should log any proxy forwarded IP address #2

Closed
JonBendtsen opened this issue Aug 30, 2024 · 10 comments
Labels: question (Further information is requested)

Comments

@JonBendtsen (Contributor) commented Aug 30, 2024

Maybe this is a difference between podman and docker. I use podman, and in front of my dolibarr container I have another container doing proxying such that I can also reach other containers.

I wish that the Apache configuration inside the Dolibarr container would log the X-Forwarded-For header in case there is a proxy in front.

This website describes how it is done fluently https://www.techstacks.com/howto/log-client-ip-and-xforwardedfor-ip-in-apache.html

But their configuration has to be slightly modified, because at least my Dolibarr container uses the other_vhost logging, because the hostname is not set:

```
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 10.0.2.100. Set the 'ServerName' directive globally to suppress this message
```

Heads up: if I use curl from the host that runs the containers, the IP address is not correct:

```
10.0.2.100 - - [30/Aug/2024:21:45:18 +0000] "GET / HTTP/1.1" 200 6438 "-" "curl/8.5.0"
```

But if I use my laptop with the above Apache configuration, then the Dolibarr container log shows my home IPv4 address.

@creekorful creekorful self-assigned this Sep 2, 2024
@creekorful (Member)

Generally speaking, you need to indicate to Apache which host to trust when it comes to using X-Forwarded-* headers.

> I have another container doing proxying such that I can also reach other containers.

What kind of container? Another reverse proxy? Something else? If it's a reverse proxy, do you know whether it propagates the X-Forwarded-* headers?

Could you maybe share a diagram of your current deployment?

Many questions :)

@creekorful creekorful added the question Further information is requested label Sep 2, 2024
@JonBendtsen (Contributor, Author)

> Generally speaking, you need to indicate to Apache which host to trust when it comes to using X-Forwarded-* headers.

True, I didn't see that in the web article I link to, but it worked with the changes they suggest.

> I have another container doing proxying such that I can also reach other containers.

> What kind of container? Another reverse proxy? Something else? If it's a reverse proxy, do you know whether it propagates the X-Forwarded-* headers?

It is my own reverse proxy, and it currently runs nginx, but I'm going to try Apache APISIX at some point. I of course had to tell my nginx to insert the X-Forwarded-For header.

> Could you maybe share a diagram of your current deployment?

Yeah, I suppose I could do that.

[attached diagram: dolibarr_in_pod_and_container]

@creekorful (Member)

Just to be sure: you managed to have something working by applying changes to the Apache config, is that right?

If so, could you provide those changes here, to see if it would be something worth including in the image?

Cheers

@JonBendtsen (Contributor, Author)

> Just to be sure: you managed to have something working by applying changes to the Apache config, is that right?

> If so, could you provide those changes here, to see if it would be something worth including in the image?

> Cheers

The changes I applied are already described here: https://www.techstacks.com/howto/log-client-ip-and-xforwardedfor-ip-in-apache.html with the only change that I had to make them in the other-vhosts.conf file, because the servername inside my pod does not match what Apache expects, so the CustomLog it uses is

```
conf-available/other-vhosts-access-log.conf:CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log vhost_combined
```

and not the expected

```
sites-available/000-default.conf: CustomLog ${APACHE_LOG_DIR}/access.log combined
```

@JonBendtsen (Contributor, Author)

I wonder if it would be better to ask upstream to support this?

```dockerfile
FROM ${ARCH}php:8.2-apache-buster
```

@mathieupotier (Contributor)

IMO it's probably too specific a need for this image, but you can extend it to add your Apache config changes...
There is also another discussion about having an FPM variant image that could fit your need for tuning on your own infra...

#4

@JonBendtsen (Contributor, Author)

> IMO it's probably too specific a need for this image, but you can extend it to add your Apache config changes... There is also another discussion about having an FPM variant image that could fit your need for tuning on your own infra...

Maybe, but as I read the needed changes in the techstacks article, the changes are almost gratis to do:

```apache
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
CustomLog "logs/access_log" combined env=!forwarded
CustomLog "logs/access_log" proxy env=forwarded
```

If the header is there it will be used; if the header is not present it will not be used.

Though maybe it would be better to either copy/mount another configuration file in, or simply use an environment variable so that Apache knows at start whether it needs to log with the forwarding header or without, because anyone who runs a Dolibarr container will know whether they need to catch the forwarding header or not.

@JonBendtsen (Contributor, Author)

As I was browsing through the Apache config of v20 I noticed these lines:

```apache
# Note that the use of %{X-Forwarded-For}i instead of %h is not recommended.
# Use mod_remoteip instead.
```

https://httpd.apache.org/docs/current/mod/mod_remoteip.html

JonBendtsen added a commit to JonBendtsen/dolibarr-docker that referenced this issue Sep 20, 2024: "enabling the apache module remoteip will partly fix issue Dolibarr#2"
@JonBendtsen (Contributor, Author)

I ended up going for 3 individual files that I would then just mount into the Apache config directories.

```yaml
    - '/home/{{ username }}/dolibarr_apache_config_files/remoteip.load:/etc/apache2/mods-enabled/remoteip.load:ro'
    - '/home/{{ username }}/dolibarr_apache_config_files/remoteip.conf:/etc/apache2/mods-enabled/remoteip.conf:ro'
    - '/home/{{ username }}/dolibarr_apache_config_files/servername.conf:/etc/apache2/conf-enabled/servername.conf:ro'
```

I've tested it and it works great :-)
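The contents of the three mounted files were not posted in this thread, so the following is an added example, not the author's files and not part of the Dolibarr image, of what a working set looks like. It also carries the point creekorful raised earlier: Apache must be told which TCP peer is allowed to set the client address. The `%{X-Forwarded-For}i` recipe quoted above logs whatever the header says, so any client that can reach Apache directly can put an arbitrary address in the access log; mod_remoteip with a proxy list only replaces the address when the connection comes from the listed proxy. The subnet `10.89.0.0/24`, the `ServerName` value and the `vhost_proxy` format name are assumptions to be replaced with your own; the `LoadModule` line and module path are the ones Debian's apache2 package ships in mods-available/remoteip.load.

```apache
# Added example: plausible contents for the three files mounted in the compose
# snippet above. Not the files from this thread; the subnet, ServerName and
# format name are assumptions.

# --- /etc/apache2/mods-enabled/remoteip.load ---
# Same line Debian ships in mods-available/remoteip.load.
LoadModule remoteip_module /usr/lib/apache2/modules/mod_remoteip.so

# --- /etc/apache2/mods-enabled/remoteip.conf ---
# Take the client address from this header ...
RemoteIPHeader X-Forwarded-For

# ... but only when the TCP peer is in this list. A connection from any other
# address keeps its real peer address even if it carries an X-Forwarded-For
# header, so a direct client cannot forge what ends up in the log.
# Always pair RemoteIPHeader with a proxy list; the header is trivially spoofable.
# 10.89.0.0/24 is an assumed pod/bridge network; use your proxy's address or subnet.
RemoteIPInternalProxy 10.89.0.0/24
# If the proxy sits on a public address and you want private/loopback entries in
# the header ignored, use RemoteIPTrustedProxy instead of RemoteIPInternalProxy.

# Optional audit format: %a is the client address after mod_remoteip, %{c}a the
# underlying peer, and the raw header is kept at the end as evidence of the chain
# the proxy reported. %a is the format documented to follow mod_remoteip; on the
# Debian 2.4 builds used by this image %h follows it too, which is why the stock
# vhost_combined format already worked in this thread.
LogFormat "%v:%p %a %{c}a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" \"%{X-Forwarded-For}i\"" vhost_proxy

# --- /etc/apache2/conf-enabled/servername.conf ---
# Silences AH00558 and gives the default vhost a stable name. Value is an assumption.
ServerName dolibarr.example.org
```

Mount the three files as in the compose snippet above and restart the container; `apachectl -t` inside the container checks the syntax before the restart. mod_remoteip walks the header from right to left and stops at the first address that is not a listed proxy, so it also copes with nginx's `$proxy_add_x_forwarded_for` appending the proxy's view to a chain the client sent. Then repeat the two tests from the first comment, plus one more: a request that reaches Apache without going through the proxy and carries a forged `X-Forwarded-For: 203.0.113.9` must still be logged with its real peer address.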

@eldy (Member) commented Dec 29, 2024

How to set up Apache proxy logging has been added to the README.md file.
