How to add X-Forwarded-for header in reverse proxy with SSL passthrough
What you show is not SSL passthrough, but SSL termination at the reverse proxy and from there another HTTPS connection to the final server. According to the documentation this will automatically add the X-Forwarded-Header
to the new request to the final server, so no special configurations for this need to be done at the reverse proxy.
To actually log this header with %a
at the final server (Apache too) one has to interpret this header set by the proxy accordingly. For this mod_remoteip can be used and RemoteIPHeader
should be set X-Forwarded-For
- as you (wrongly) did in the configuration for the reverse proxy.
Related videos on Youtube
Bram
Updated on September 18, 2022Comments
-
Bram over 1 year
Setup as follows:
- proxy server (RHEL8 apache 2.4) in DMZ
- contains multiple vhosts
- each vhost acts as a reverse proxy to a web server in the LAN
- connections from the proxy to the backend web server are secured via SSL
- backend server (RHEL8 apache 2.4) in LAN
Problem to solve Currently the apache access log of the backend server shows the IP of the proxy instead of the originating client IP. I want to ensure the client IP (who is connecting to the proxy) to be logged in the access log of the backend apache server.
Numerous howto's on the web (e.g. How to get X-Forwarded-For IP addresses in Apache Web Server) propose to use
RemoteIPHeader X-Forwarded-For
.However it seems that this only works when the proxy connection to the backend uses HTTP. (discussion on linode forum.)
The proxy server has both the public and private keys of the SSL certifcate.
How can I configure the proxy server to add the
X-Forwarded-for
header while keeping the SSL connection to the backend?Virtual host configuration of the proxy server (with IP 192.168.1.2):
<VirtualHost *:443> ServerName service.example.com SSLEngine on SSLCipherSuite AES256+EECDH:AES256+EDH SSLProtocol All -SSLv2 -SSLv3 SSLHonorCipherOrder On SSLCompression off SSLCertificateFile /etc/pki/tls/certs/service_example_com.crt SSLCertificateKeyFile /etc/pki/tls/private/service_example_com.key SSLCertificateChainFile /etc/pki/tls/certs/CA.crt SSLProxyEngine on ProxyPass / https://backend-1.anubex.com/ ProxyPassReverse / https://backend-1.anubex.com/ RemoteIPHeader X-Forwarded-For RemoteIPInternalProxy 192.168.1.2 </VirtualHost>
-
Steffen Ullrich over 3 yearsThis is impossible with SSL pass through - i.e. passing the original SSL traffic though. The HTTP headers are in the encrypted part then and thus non can be added or changed. But given that you have cert and key of the server, why do you want to use SSL pass through in the first place? Why not terminate SSL, add the header and then make another SSL connection to the final server? This would just be a normal SSL terminating reverse proxy, only that the upstream is accessed with a
https://
URL too. -
Bram over 3 years@Steffen-Ullrich can you elaborate a bit please? I added the virtual host of the proxy server to my question to ensure I've explained my setup correctly. I can't find proper documentation explaining the various proxy setups and I'm not sure if what I've set up is a pass through set up or not.
-
Steffen Ullrich over 3 yearsThe configuration you've posted looks good. What is not working with this? And no, it is not SSL pass through what you have configured but you are terminating the SSL connection at the reverse proxy and create another SSL connection from the proxy - where the header should be added. Also, based on this documentation the header should be added even if not explicitly configured. And
RemoteIPHeader
does not set the header but just uses it. -
Bram over 3 yearsThanks for reviewing this. I am still getting the IP address of the proxy server in the access log on the backend server. (192.168.1.2 in this example) instead of the IP address of the client connecting to the proxy. I have updated the
LogFormat
to use%a
instead of%h
which should log the value of theX-forwarded-for
header. -
Steffen Ullrich over 3 years
%a
will only log the X-Forwarded-For if mod_remoteip is accordingly configured in the backend. It does not help to setRemoteIPHeader
in the reverse proxy, it must be applied in the backend. My guess that your problem is less to set the header in the proxy but to read the header in the backend. -
Bram over 3 yearsThanks @SteffenUllrich! If you post this as an answer I'll accept it. The
RemoteIPHeader
andRemoteIPInternalProxy
settings need to be specified in the virtual host of the backend rather than the proxy.
- proxy server (RHEL8 apache 2.4) in DMZ