I received the answer on stackexchange: https://unix.stackexchange.com/questions/627492/how-to-add-x-forwarded-for-header-in-reverse-proxy-with-ssl-passthrough and would like to share it here in the hope it can help someone else.
My mistake was that I added the RemoteIPHeader and RemoteIPInternalProxy directives on the proxy server. My assumption was that the proxy needed to be told to add the headers. In fact these directives need to be added in the backend (vhost) config to tell the backend server to update the headers. For me the description on https://httpd.apache.org/docs/current/mod/mod_remoteip.html does not make this clear. Where/How can I suggest an update to this page? -----Original Message----- From: Bram Mertens <bram.mert...@anubex.com> Sent: Monday, 4 January 2021 19:41 To: users@httpd.apache.org Subject: [users@httpd] How to add X-Forwarded-for header in reverse proxy with SSL passthrough Setup as follows: - proxy server (RHEL8 apache 2.4) in DMZ - contains multiple vhosts - each vhost acts as a reverse proxy to a web server in the LAN - connections from the proxy to the backend web server are secured via SSL - backend server (RHEL8 apache 2.4) in LAN Problem to solve: Currently the apache access log of the backend server shows the IP of the proxy instead of the originating client IP. I want to ensure the client IP (who is connecting to the proxy) to be logged in the access log of the backend apache server. Numerous howto's on the web (e.g. https://www.globo.tech/learning-center/x-forwarded-for-ip-apache-web-server/) propose to use RemoteIPHeader X-Forwarded-For. However it seems that this only works when the proxy connection to the backend uses HTTP. (https://www.linode.com/community/questions/6351/ideas-to-get-x-forwarded-for-working-for-httpsnode-balancer and the "Effectiveness" comment on https://httpd.apache.org/docs/2.4/en/mod/mod_proxy.html#proxyaddheaders.) The proxy server has both the public and private keys of the SSL certifcate. How can I configure the proxy server to add the X-Forwarded-for header while keeping the SSL connection to the backend? Thanks in advance Bram --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
