production.log contains proxy ip instead real ip

Added by Sven Kilchenmann about 5 years ago

Apache with passenger-install-apache2-module only logs proxy ip

I've set up a Redmine instance with Apache using passenger-install-apache2-module to serve the page.
So far everything works fine. Since we do not have a dmz we installed a reverse proxy (ngnix) which handles the requests of a subdomain to be routed to the Apache instance.

But now the production.log of Redmine always show the public ip of the reverse proxy instead of the real ip.

schween@aff:/usr/share/redmine$ RAILS_ENV=production script/about 

sh: 1: svn: not found
sh: 1: darcs: not found
sh: 1: hg: not found
sh: 1: cvs: not found
sh: 1: bzr: not found
Environment:
  Redmine version                2.6.1.stable
  Ruby version                   2.1.5-p273 (2014-11-13) [x86_64-linux]
  Rails version                  3.2.21
  Environment                    production
  Database adapter               Mysql2
SCM:
  Git                            1.9.1
  Filesystem                     
Redmine plugins:
  clipboard_image_paste          1.9
  redmine_questions              0.0.5
  redmine_vote                   1.2.1
  redmine_wiki_extensions        0.6.5

Anybody knows how to solve this issue - fast search with google didn't solve my issue.
Thanks for the fish
sCHween

Replies (6)

RE: production.log contains proxy ip instead real ip - Added by Jan Niggemann (redmine.org team member) about 5 years ago

we installed a reverse proxy (ngnix) [...]
But now the production.log of Redmine always show the public ip of the reverse proxy instead of the real ip.

Perhaps I don't understand your question, but what else should be logged than the IP of the reverse proxy?

RE: production.log contains proxy ip instead real ip - Added by Sven Kilchenmann about 5 years ago

I guess the only thing I'm interested in is the real ip instead the proxy ip.
If I got the real ip I can build up some additional things like fail2ban and so on..

RE: production.log contains proxy ip instead real ip - Added by Jan Niggemann (redmine.org team member) about 5 years ago

If possible at all, this is out of the scope of redmine. Please ask in a forum dedicated to the reverse proxy you're using.

IMHO you're trying to do something that's conceptually not reasonable - intrusion prevention needs to take place on your reverse proxy or even further up...

RE: production.log contains proxy ip instead real ip - Added by Pavel Potcheptsov about 5 years ago

Hi, this block of rules in my nginx conf for redmine gives real IPs of local (LAN) and external (Internet) users in production.log

              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $remote_addr;
              proxy_set_header CLIENT_IP $remote_addr;

RE: production.log contains proxy ip instead real ip - Added by Jan Niggemann (redmine.org team member) about 5 years ago

Cool, next time I'll try nginx instead of pound to get to know it some more.
Nevertheless, you should do any filtering / IPS / whatever further up the line (i.e. on the proxy)...

(1-6/6)