client -> haproxy -> mod_security boxes -> backends
Problem: mod_security boxes use mod_rpaf with the IP of haproxy in 'RPAFproxy_ips'. Apache logging shows the client's real IP, but mod_security still reports haproxy's IP, as seen below.
Client's IP found in the Apache log of the mod_sec boxes:
x.93.129.90 - - [14/Oct/2015:08:35:56 +0200] "GET /MYTEST HTTP/1.1" 301 524 "-" "curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5"
Mod_security reports the proxy IP (client x.21.107.165):
==> /var/log/apache2/site.se_error.log <==
[Wed Oct 14 08:36:12.584500 2015] [:error] [pid 10264:tid 139895758558976] [client x.21.107.165] ModSecurity: Access denied with code 403 (phase 2).
Pattern match "\\\\balert\\\\b[^a-zA-Z0-9_]{0,}?\\\\(" at ARGS_NAMES:
<script>alert(1)</script>. [file "/usr/share/cwaf/rules/07_XSS_XSS.conf"] <etc>..
People around the webs seem to run rpaf with mod_sec; am I doing something wrong?
Does anyone know another good approach? I've seen some mod_sec rules that basically use a value from a header if present, else fall back to remote_addr, but I didn't get those to work.
mod_rpaf only works with Apache < 2.4; mod_remoteip works with 2.4, and mod_security now reports the client's IP, not that of the load balancer/proxy.
On Ubuntu 14.04.
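
The switch the answer describes, as an added configuration example that is not part of the original answer. Assumptions: haproxy sends the client address in `X-Forwarded-For` (its `option forwardfor`), `192.0.2.10` is a placeholder for the haproxy address the page shows redacted, and the `LogFormat` nickname `proxied` is made up for illustration.

```apache
# Before (Apache < 2.4, mod_rpaf), kept commented out for comparison.
# Per the answer above, mod_rpaf does not carry over to Apache 2.4.
# RPAFenable     On
# RPAFproxy_ips  192.0.2.10          # placeholder for the haproxy address
# RPAFheader     X-Forwarded-For

# After (Apache 2.4, mod_remoteip). Enable on Ubuntu with: a2enmod remoteip
<IfModule remoteip_module>
    # Header in which the proxy passes the original client address
    # (assumption: haproxy is configured with "option forwardfor").
    RemoteIPHeader X-Forwarded-For

    # Rewrite the client address only when the TCP peer is the proxy itself.
    # Keep this list to the load balancer(s): any host listed here can choose
    # the address that the access log and ModSecurity's [client ...] field
    # record, simply by sending its own X-Forwarded-For value.
    RemoteIPInternalProxy 192.0.2.10
</IfModule>

# %a    = client address after mod_remoteip has processed the header
# %{c}a = address of the TCP peer (the proxy), useful to keep for forensics
# "proxied" is a hypothetical nickname; reference it from the vhost's CustomLog.
LogFormat "%a %{c}a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" proxied
```

After reloading Apache, repeating the blocked test request should produce a ModSecurity error-log entry whose `[client ...]` field matches the address in the access log rather than the proxy's.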