I'm using mod-rpaf with Apache 2.4 and it's working properly (showing the real client IPs) in my Apache access_log... but not in my error_log. My error log just shows the client IP address of the proxy server (my load balancer in this case).
Here's an example of what I see in my error_log where 123.123.123.123 is the IP of my load balancer/proxy.
==> /usr/local/apache2/logs/error_log <==
[Tue Jun 05 20:24:31.027525 2012] [access_compat:error] [pid 9145:tid 140485731845888] [client 123.123.123.123:20396] AH01797: client denied by server configuration: /wwwroot/private/secret.pdf
The exact same request produces the following in my access_log, where 456.456.456.456 is a real client IP (not the IP of the load balancer).
456.456.456.456 - - [05/Jun/2012:20:24:31 +0000] "GET /wwwroot/private/secret.pdf HTTP/1.1" 403 228 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:12.0) Gecko/20100101 Firefox/12.0"
Here's my httpd.conf entry:
# RPAF
LoadModule rpaf_module modules/mod_rpaf-2.0.so
RPAFenable On
RPAFproxy_ips 127.0.0.1 123.123.123.123
RPAFsethostname On
RPAFheader X-Forwarded-For
What do I need to do to get the real IP addresses showing in my Apache error_log?
mod-rpaf requires just a minor change to the source to make it work with Apache 2.4, which I found here: http://vova-zms.blogspot.com/2012/07/install-modrpaf-with-apache-24.html
Simply replace remote_ with client_ in mod_rpaf-2.0.c
also http://blog.77jp.net/mod_rpaf-install-apache-2-4
visualize the simple changes here: https://gist.github.com/teriyakisan/2716030
mod-remoteip is actually not as robust as mod-rpaf (yet)
There are improved copies of mod-rpaf around GitHub too, like here https://github.com/y-ken/mod_rpaf/ which has HTTPS state support and removes some of the legacy support.
I thought that error log format looked strange and I didn't think there was any way to change it in 2.2 so I checked out the docs for 2.4.
It seems there is now an ErrorLogFormat directive and your error log is in the default format, which has been updated and significantly improved since 2.2.
Apache 2.4 now includes mod_remoteip which deprecates mod_rpaf. I suspect mod_rpaf has not been updated to work with Apache 2.4 and the ErrorLogFormat directive. The most recent version on the download page is from 2008.
You should use mod_remoteip instead of mod_rpaf with Apache 2.4.
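For reference, a mod_remoteip configuration that mirrors the RPAF block from the question. This is an added example, not part of the original answer; the module path modules/mod_remoteip.so and the log format name "proxied" are assumptions, and the proxy addresses are the ones given in the question.

```apache
# mod_remoteip ships with Apache 2.4; the module path is an assumption
LoadModule remoteip_module modules/mod_remoteip.so

# Header that carries the original client address (same header RPAFheader named)
RemoteIPHeader X-Forwarded-For

# Only these peers are allowed to supply the header (same list as RPAFproxy_ips).
# A request arriving from any other address keeps its connection IP, so a
# client cannot rewrite its logged address by sending its own X-Forwarded-For.
RemoteIPInternalProxy 127.0.0.1 123.123.123.123

# Error log: %a is the client address of the request, which mod_remoteip
# replaces once the header has been accepted. This is the documented default
# ErrorLogFormat, written out explicitly.
ErrorLogFormat "[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i"

# Access log: log %a (request client address) and also %{c}a, the underlying
# peer of the TCP connection, so each entry records which proxy relayed it.
LogFormat "%a %{c}a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxied
CustomLog logs/access_log proxied
```

Keep the RemoteIPInternalProxy list limited to the addresses of your own load balancers; every address on it is trusted to state the client IP that ends up in both logs.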