On Mon, Nov 25, 2024 at 5:31 AM Fabian Grünbichler <f.gruenbich...@proxmox.com> wrote: > > > > Thomas Lamprecht <t.lampre...@proxmox.com> hat am 25.11.2024 12:17 CET > > geschrieben: > > > > > > Am 25.11.24 um 10:05 schrieb Fabian Grünbichler: > > > yeah, we could switch to the new format *only* if the header option is > > > set? > > > as else, the two IPs are identical anyway, so logging the same one twice > > > while breaking the format provides no benefit? > > > > > > and then maybe with 9.0 switch the format unconditionally, so that > > > parsers/fail2ban configs only need to handle one of them going forward.. > > > > Sounds fine to me. Albeit for some this still might break, if they already > > use a reverse proxy now – but these people at least could not have any > > (working) fail2ban, as they just would have banned the IP of their reverse > > proxy, so it should be fine I think. > > it would still require enabling the new feature on the pveproxy side (that's > what I meant with "header option", not that the default header is set on the > HTTP request), so it's completely opt-in?
Yes, to log the real client IP from the proxy, the header would need to be set in the PROXY_REAL_IP_HEADER option anyway to even get the data. If anything, having the option would help those with the "broken" fail2ban have the real client IP data instead of the proxy IP. I don't have any issues with keeping the format as-is and logging the real IP instead of the peer IP. This can be covered in the docs and would have to be explicitly enabled to change the current logging behavior. This way the patch doesn't break any existing log analyzer but the feature is there available for the user. The TRUSTED_PROXY_IPS helps with the risk of not logging the proxy/peer IP by limiting the list of sources that can set the header. > > btw., and sorry if I just missed this on reading, how do others log this? > > I.e., is there any somewhat common format and does this patch already > > adheres to that format? > > that would indeed be nice to know! :) > I'm not sure that there is or is not a standard for logging the client IP and peer/proxy IP information together. In my experience, it has been a custom log format (specifically in Apache httpd) to output both of them. Across products, for web-based logs, I've seen Apache/NCSA style, semi-structured key/value text, or structured JSON objects. I'd argue that the JSON is the most compatible since it explicitly labels the data fields, but that would be a breaking change from what PVE is doing now for logging, and it's not friendly for human readability. _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
