diff --git a/README.md b/README.md
index cd6f088..0a5b68b 100644
--- a/README.md
+++ b/README.md
@@ -45,7 +45,7 @@ Configuration
 Optional
-- manage remoteIP logging if running behind a Loadbalancer like HAproxy: if `ae_use_lb` is set to `true`, a configuration file `etc/httpd/conf.d/loadbalancer-remoteip.conf`is created and configures apache/httpd to use the remote header. This allows proper fail2ban protection even behind the Loadbalancer. Make sure to set `ae_trusted_proxy`to the proper IP or range for the loadbalancer!
+- manage remoteIP logging if running behind a Loadbalancer like HAproxy: if `ae_use_lb` is set to `true`, a configuration file `etc/httpd/conf.d/loadbalancer-remoteip.conf`is created and configures apache/httpd to use the remote header. This allows proper fail2ban protection even behind the Loadbalancer. Make sure to set `ae_trusted_proxy` and `ae_internal_proxy` to the proper IP or range for the loadbalancer!
 Maintenance
diff --git a/manifests/params.pp b/manifests/params.pp
index 736af28..b780c2c 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -30,9 +30,12 @@
 # to apply the changes. This is required when using httpd behind a
 # load balancer like haproxy, otherwise all client ips will be logged
 # as the load balancer ip.
-# @param [String] ae_trusted_proxy the IP address of the trusted proxy,
-# i.e. the load balancer. This is required when `ae_use_lb` is set to
-# true, and defaults to '10.0.1.0/24'.
+# @param [Array] ae_trusted_proxy the IP addresses of the trusted proxies,
+# i.e. the load balancers. This is required when `ae_use_lb` is set to
+# true, and defaults to ['127.0.0.1','10.0.1.0/24'].
+# @param [Array] ae_internal_proxy the IP addresses of the internal proxies,
+# i.e. the internal load balancers. This is required when `ae_use_lb` is set to
+# true, and defaults to ['127.0.0.1'].
 ###########################################################################
 class confdroid_apache::params (
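Review bot: The new `@param` text for `ae_internal_proxy` says it defaults to `['127.0.0.1']`, but the parameter default added in the next hunk of this same file is `['127.0.0.1','10.0.1.0/24']`, so one of the two is wrong and the comment should match whatever default is kept. The comment also never tells the reader why there are two lists: mod_remoteip accepts every address an internal proxy presents in the header, including private ranges, whereas for a trusted proxy private/reserved addresses in the header are not used as the client IP — that difference is exactly what decides whether a host can forge the address fail2ban acts on. I would extend the `ae_internal_proxy` description with `# Addresses listed here are fully trusted: any X-Forwarded-For value they` / `# present (including private ranges) becomes the logged client IP, so list` / `# only the load balancer(s) themselves, never a whole subnet.`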
@@ -58,7 +61,8 @@ class confdroid_apache::params (
 # loadbalancer
 Boolean $ae_use_lb = false,
- String $ae_trusted_proxy = '10.0.1.0/24',
+ Array $ae_trusted_proxy = ['127.0.0.1','10.0.1.0/24'],
+ Array $ae_internal_proxy = ['127.0.0.1','10.0.1.0/24'],
 ) {
 # facts
diff --git a/templates/loadbalancer/remoteip.conf.erb b/templates/loadbalancer/remoteip.conf.erb
index a562fdb..9d5fc8e 100644
--- a/templates/loadbalancer/remoteip.conf.erb
+++ b/templates/loadbalancer/remoteip.conf.erb
@@ -3,10 +3,17 @@
 ########## manual changes will be overwritten !!! ##########
 ###############################################################################
-RemoteIPHeader X-Forwarded-For
-RemoteIPTrustedProxy <%= @ae_trusted_proxy %>
-RemoteIPInternalProxy <%= @ae_trusted_proxy %>
+
+ RemoteIPHeader <%= @remoteip_header %>
+ <% @trusted_proxies.each do |proxy| -%>
+ RemoteIPTrustedProxy <%= proxy %>
+ <% end -%>
+ <% @internal_proxies.each do |proxy| -%>
+ RemoteIPInternalProxy <%= proxy %>
+ <% end -%>
+
+ # Use real client IP in all standard log formats
+ LogFormat "%a %l %u %t \"%r\" %>s %b" common
+ LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
+
-# mod_remoteip rewrites client address for %a; use it in common/combined logs.
-LogFormat "%a %l %u %t \"%r\" %>s %b" common
-LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
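Review bot: The default `['127.0.0.1','10.0.1.0/24']` for `ae_internal_proxy` turns every host in 10.0.1.0/24 into an internal proxy whose `X-Forwarded-For` is accepted unconditionally, so any machine (or compromised machine) in that subnet can forge the client address that fail2ban bans on — to dodge its own ban or to get an arbitrary third-party IP banned. It also contradicts the `@param` comment added in the previous hunk, which promises `['127.0.0.1']`. I would narrow the default to what the comment says and constrain the element type, e.g. `Array[String] $ae_trusted_proxy = ['127.0.0.1','10.0.1.0/24'],` and `Array[String] $ae_internal_proxy = ['127.0.0.1'],`; whether 127.0.0.1 belongs in either list at all depends on HAProxy running on the same host, which this diff does not show, so that should be stated in the README rather than assumed. The pre-existing `/24` default for `ae_trusted_proxy` has the same shape of problem, only milder because private ranges presented by a trusted proxy are ignored.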
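Review bot: The template now reads `@remoteip_header`, `@trusted_proxies` and `@internal_proxies`, but the parameters this commit introduces in `manifests/params.pp` are `$ae_trusted_proxy` and `$ae_internal_proxy`, and nothing in the diff defines a `remoteip_header` variable. Unless the class that renders this template (not part of this diff) maps those names into its scope, `@trusted_proxies.each` raises on `nil` at catalog compile time (or the compile fails earlier under `strict_variables`), and `RemoteIPHeader` would be emitted with an empty name. The direct fix is `RemoteIPHeader X-Forwarded-For` (or a new, documented parameter), `<% @ae_trusted_proxy.each do |proxy| -%>` and `<% @ae_internal_proxy.each do |proxy| -%>`. The added lines are also indented one level as if they sat inside a container such as `<IfModule mod_remoteip.c>`, yet no opening or closing tag appears in the hunk, so it is worth confirming that is intentional. The dropped comment explaining that mod_remoteip rewrites `%a` was more useful than `# Use real client IP in all standard log formats`; I would keep the old wording.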