Kerio connect behind apache reverse proxy [message #128615]
Thu, 24 March 2016 16:54
niitro
Messages: 3 Registered: March 2016
Hi team,
I'm testing the Kerio Connect solution.
I need to run it behind an Apache reverse proxy and I want to see the client IP and not the reverse proxy IP.
Do you know what I could do?
Is it possible to use the "X-Forwarded-For"?
Many thanks.

Re: Kerio connect behind apache reverse proxy [message #133168 is a reply to message #128615]
Fri, 02 December 2016 13:49
martine
Messages: 5 Registered: July 2014
niitro wrote on Thu, 24 March 2016 16:54:
Hi team,
I'm testing the Kerio Connect solution.
I need to run it behind an Apache reverse proxy and I want to see the client IP and not the reverse proxy IP.
Do you know what I could do?
Is it possible to use the "X-Forwarded-For"?
Many thanks.

Did you get this working somehow? Kerio is working for me behind a reverse Apache proxy (2.4), but in the Kerio Connect logging I only see the IP address of the proxy. I would like to see the real IP addresses of the clients.

Re: Kerio connect behind apache reverse proxy [message #133174 is a reply to message #133171]
Fri, 02 December 2016 16:25
martine
Messages: 5 Registered: July 2014
I'm talking about, for example, the audit and operations logs. When I access Kerio via the webmail interface or via ActiveSync I see the IP address of the proxy in the logging, and I would like to see the real client's IP address.
I configured the X-Forwarded-For header on the proxy, but I don't know where in Kerio to set it to use the IP in X-Forwarded-For instead of the proxy IP.
When I proxy to an Apache webserver instead of Kerio, I use RemoteIPHeader X-Forwarded-For in the webserver configuration to show the original IP address.
Regards

Re: Kerio connect behind apache reverse proxy [message #133184 is a reply to message #128615]
Fri, 02 December 2016 22:16
anarvey
Messages: 72 Registered: May 2007
I have this reverse proxy going on a variety of client sites. They are all using macOS Server 5.2 and Kerio Connect 9.2 and the instructions from my latest tutorial (v. 2.0.2) on Reverse Proxy at the RAIS page <rais.precursor.ca>.
I briefly tested one server just now and when I access the server's web interface from outside that office and then inspect the Audit log I am seeing the i.p. address of my external web browser computer and not the proxy internal address.
I have not implemented any X-Forwarded-For headers.
I seem to remember having your problem in earlier versions of OS X Server but in macOS Server 5.2 I am not experiencing it - probably due to the massive changes in the way it proxies ALL custom web-sites.
What versions of the OS and server.app are you using?

Re: Kerio connect behind apache reverse proxy [message #133194 is a reply to message #128615]
Sat, 03 December 2016 14:09
anarvey
Messages: 72 Registered: May 2007
The Read Me in macOS Server 5.2 at: /Library/Server/Web/Config/Apache2/ReadMe.txt states:
Correct Apache HTTPD access and error logging
For websites the IP address 127.0.0.1 is output to the Apache HTTPD access and error logs instead of the user's actual IP address.
Edit the virtual host file for the custom site and change the CustomLog directive (CustomLog /var/log/apache2/access_log combinedvhost) as shown below:
CustomLog "/var/log/apache2/access_log" combinedvhost env=!forwarded
CustomLog "/var/log/apache2/access_log" combinedvhostproxy env=forwarded
While this web site: http://www.techstacks.com/howto/log-client-ip-and-xforwardedfor-ip-in-apache.html
Offers some more detail:
There are several changes you are going to want to make to the default format in order to log the X-Forwarded-For client ip address or the real client ip address if the X-Forwarded-For header does not exist. Those changes are below:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
CustomLog "logs/access_log" combined env=!forwarded
CustomLog "logs/access_log" proxy env=forwarded
I have not successfully incorporated these changes to my config yet but this information seems to provide clues as to how it is to be done.
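
An added example, not part of any post in this thread or of the quoted how-to: it runs the quoted SetEnvIf pattern against constructed header values and compares logging the raw header with resolving the client address right to left through trusted proxies only. Assumptions: the proxy reaches the backend from 127.0.0.1 and appends the address it saw to any X-Forwarded-For the client already sent; the function names and sample addresses are illustrative.

```python
import ipaddress
import re

# SetEnvIf pattern quoted in the post above: any value with three dots matches.
PAGE_PATTERN = re.compile(r"^.*\..*\..*\..*")
# Assumption: the reverse proxy reaches the backend from loopback only.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]


def page_pattern_matches(header):
    """True when the quoted regex would set env=forwarded for this header."""
    return bool(PAGE_PATTERN.search(header))


def is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer, header):
    """Address to log for one request: peer is the TCP peer, header the raw
    X-Forwarded-For value (or None)."""
    current = ipaddress.ip_address(peer)
    if header is None or not is_trusted(current):
        return str(current)  # a header from an untrusted peer is ignored
    # Walk right to left: a trusted hop vouches only for the entry it appended.
    for token in reversed([t.strip() for t in header.split(",")]):
        try:
            candidate = ipaddress.ip_address(token)
        except ValueError:
            break  # malformed entry: keep the last address we can vouch for
        current = candidate
        if not is_trusted(current):
            break
    return str(current)


# Constructed samples: (TCP peer, X-Forwarded-For as received by the backend).
SAMPLES = [
    ("127.0.0.1", "203.0.113.7"),            # normal proxied request
    ("127.0.0.1", "10.9.9.9, 203.0.113.7"),  # client sent its own header first
    ("127.0.0.1", "not.an.ip.address"),      # garbage that still has three dots
    ("127.0.0.1", "2001:db8::1"),            # IPv6 client, no dots at all
    ("198.51.100.20", "10.9.9.9"),           # request that bypassed the proxy
]

if __name__ == "__main__":
    for peer, xff in SAMPLES:
        print(peer, repr(xff), page_pattern_matches(xff), client_ip(peer, xff))
```

Logging the raw header in place of %h records whatever the client typed ahead of the proxy's own entry, which matters when the logged address feeds audit trails or lockouts.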

Re: Kerio connect behind apache reverse proxy [message #133211 is a reply to message #133191]
Sun, 04 December 2016 22:20
anarvey
Messages: 72 Registered: May 2007
I briefly tested one server just now and when I access the server's web interface from outside that office and then inspect the Audit log I am seeing the i.p. address of my external web browser computer and not the proxy internal address.
Turns out that test was when Safari flopped over to using the actual port 8103 direct.
When Safari was going through port 443 it is as you said: i.e. the logs are recording the address of the apache reverse proxy server and not the requesting client i.p. address.
We will have to see if we can do some sort of X-Forwarded-For.

Re: Kerio connect behind apache reverse proxy [message #133212 is a reply to message #133211]
Sun, 04 December 2016 22:28
niitro
Messages: 3 Registered: March 2016
anarvey wrote on Sun, 04 December 2016 22:20:
When Safari was going through port 443 it is as you said: i.e. the logs are recording the address of the apache reverse proxy server and not the requesting client i.p. address.
We will have to see if we can do some sort of X-Forwarded-For

Same for me. Also with ActiveSync on port 443, the IP is the reverse proxy one.
It's a problem: if someone locks his account, it also locks the IP of the reverse proxy.
Is there a solution to use the X-Forwarded-For IP?

Re: Kerio connect behind apache reverse proxy [message #133216 is a reply to message #133212]
Mon, 05 December 2016 06:00
martine
Messages: 5 Registered: July 2014
niitro wrote on Sun, 04 December 2016 22:28:
anarvey wrote on Sun, 04 December 2016 22:20:
When Safari was going through port 443 it is as you said: i.e. the logs are recording the address of the apache reverse proxy server and not the requesting client i.p. address.
We will have to see if we can do some sort of X-Forwarded-For
Same for me. Also with ActiveSync on port 443, the IP is the reverse proxy one.
It's a problem: if someone locks his account, it also locks the IP of the reverse proxy.
Is there a solution to use the X-Forwarded-For IP?

Looking forward to this feature.