ProxyPreserveHost seems to do little for me

Question

I see many on the web referring to the use of ProxyPreserveHost On to make sure that a proxied backend receives the original caller's host name. I am using this to tighten my web application's security (Java, Tomcat) whereas it would also be nice if my logs would show where users are actually at. My Tomcat logs now show this – pretty useless:

127.0.0.1 - - [17/Mar/2013:06:32:13 +0100] "GET /webapp/frontend/app/partials/welcome.html HTTP/1.1" 200 54

This is my configuration that does clearly not work as expected:

"/etc/apache2/sites-enabled/000-default"

<VirtualHost *:80>
ProxyPreserveHost On
ProxyPass /webapp http://localhost:8080/webapp
ProxyPassReverse /webapp http://localhost:8080/webapp
RewriteEngine On
RewriteRule ^/$            /webapp/frontend/app/ [proxy]
RewriteRule ^/webapp/$     /webapp/frontend/app/ [redirect]
RewriteRule ^/webapp/app/$ /webapp/frontend/app/ [redirect]

(from here on default stuff that was in the 000-default)

Enabled modules:

sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod rewrite

This is Ubuntu 12.10 running Apache HTTPD 2.2.22.

Your help would be much appreciated.

Answer 1

I assume your concern is that your access log still contains 127.0.0.1 in the client field. This isn't affected by ProxyPreserveHost; this is the IP address of the network end point that connected to Apache. For proxied connections from another server, this is going to always be localhost.

Also, ProxyPreserveHost is about preserving the Host header sent by the client, not about preserving the original IP of the client. In other words, it's about information going the wrong direction for your purposes; it's preserving the name of your server as sent by the client, not the client's IP.

I think your question is the same as this question. I'd add the additional note that you can log the X-Forwarded-For header in your logs using %{X-Forwarded-For}i in your CustomLog configuration.