Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

ProxyPreserveHost seems to do little for me

I see many on the web referring to the use of ProxyPreserveHost On to make sure that a proxied backend receives the original caller's host name. I am using this to tighten my web application's security (Java, Tomcat) whereas it would also be nice if my logs would show where users are actually at. My Tomcat logs now show this – pretty useless:

127.0.0.1 - - [17/Mar/2013:06:32:13 +0100] "GET /webapp/frontend/app/partials/welcome.html HTTP/1.1" 200 54

This is my configuration that does clearly not work as expected:

"/etc/apache2/sites-enabled/000-default"

<VirtualHost *:80>
ProxyPreserveHost On
ProxyPass /webapp http://localhost:8080/webapp
ProxyPassReverse /webapp http://localhost:8080/webapp
RewriteEngine On
RewriteRule ^/$            /webapp/frontend/app/ [proxy]
RewriteRule ^/webapp/$     /webapp/frontend/app/ [redirect]
RewriteRule ^/webapp/app/$ /webapp/frontend/app/ [redirect]

(from here on default stuff that was in the 000-default)

Enabled modules:

sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod rewrite

This is Ubuntu 12.10 running Apache HTTPD 2.2.22.

Your help would be much appreciated.

like image 774
Sander Verhagen Avatar asked Mar 17 '13 05:03

Sander Verhagen


People also ask

What is ProxyPreserveHost?

The ProxyPreserveHost directive is used to instruct Apache mod_proxy, when acting as a reverse proxy, to preserve and retain the original Host: header from the client browser when constructing the proxied request to send to the target server.

What is ProxyPass and ProxyPassReverse?

ProxyPassReverse will intercept those headers, and rewrite them to match the Apache proxy server. ProxyPass will create a reverse proxy. A reverse proxy (or gateway), appears to the client just like an ordinary web server. The client makes ordinary requests for content in the namespace of the reverse proxy.

What is Proxyrequests?

Proxy servers work by facilitating web requests and responses between a user and web server. Typically, a user accesses a website by sending a direct request to its web server from a web browser via their IP address. The web server then sends a response containing the website data directly back to the user.

What is Proxy_module?

mod_proxy and related modules implement a proxy/gateway for Apache HTTP Server, supporting a number of popular protocols as well as several different load balancing algorithms. Third-party modules can add support for additional protocols and load balancing algorithms.


1 Answers

I assume your concern is that your access log still contains 127.0.0.1 in the client field. This isn't affected by ProxyPreserveHost; this is the IP address of the network end point that connected to Apache. For proxied connections from another server, this is going to always be localhost.

Also, ProxyPreserveHost is about preserving the Host header sent by the client, not about preserving the original IP of the client. In other words, it's about information going the wrong direction for your purposes; it's preserving the name of your server as sent by the client, not the client's IP.

I think your question is the same as this question. I'd add the additional note that you can log the X-Forwarded-For header in your logs using %{X-Forwarded-For}i in your CustomLog configuration.

like image 156
rra Avatar answered Sep 30 '22 03:09

rra