Task #19336

Scenario #19322: Add the internal bridge address to the list of known reverse proxies on AmonEcole

Fix SCRIBE-T10-005 - Step 18 - "The web server is behind a reverse proxy" (2.6.1-b3)

Added by Gwenael Remond about 3 years ago. Updated about 3 years ago.

Status: Closed
Priority: Normal
Assigned To:
Start date: 02/09/2017
Due date:
% Done: 100%
Estimated time: 3.00 h
Spent time:
Remaining (hours): 0.0

Description

The Amon's IP appears in the logs, not the IP of my workstation:

==> /var/log/apache2/ssl_access.log <==
10.1.3.1 10.1.3.1 [23/Feb/2017:10:59:25 +0100] "POST /roundcube/?_task=mail&_action=refresh HTTP/1.0" 200 795

==> /var/log/apache2/ssl_error.log <==
[Thu Feb 23 11:02:25.603106 2017] [ssl:info] [pid 3162] [client 10.1.3.1:57056] AH01964: Connection to child 5 established (server etb1.ac-test.fr:443)

==> /var/log/apache2/ssl_access.log <==
10.1.3.1 10.1.3.1 [23/Feb/2017:11:02:25 +0100] "POST /roundcube/?_task=mail&_action=refresh HTTP/1.0" 200 793

See http://squash-tm.eole.lan/squash/executions/4677

Associated revisions

Revision 94347af4 (diff)
Added by Daniel Dehennin about 3 years ago

Apache on Scribe does not log client IP address

Since eole-reverseproxy is installed everywhere, the
web_behind_revproxy_ip is forced to 127.0.0.1 on all modules except
AmonEcole.

We should be able to manually define it on every module except AmonEcole.

  • dicos/25_nginx.xml: Do not enable “activer_web_behind_revproxy” if
    it does not exist yet.
    Remove automatic calculation of “web_behind_revproxy_ip”.
  • tmpl/nginx.default: Restore the “X-Forwarded-For” header set since
    c16848 broke logs and authorisation from outside.

This partially reverts commit c16848cb0b50288e15cdfbf544b3d88563b1e55c.

Ref: #19336

Revision cd0ee023 (diff)
Added by Daniel Dehennin about 3 years ago

AmonEcole: automatically set “web_behind_revproxy_ip” to br0 IP

  • dicos/50_amonecole.xml: Import calcul from 25_nginx.xml.

Ref: #19336

History

#1 Updated by Gwenael Remond about 3 years ago

  • Subject changed from Fix SCRIBE-T09c-001 - Step 18 - "The web server is behind a reverse proxy" (2.6.1-b3) to Fix SCRIBE-T10-005 - Step 18 - "The web server is behind a reverse proxy" (2.6.1-b3)

#2 Updated by Daniel Dehennin about 3 years ago

  • Description updated (diff)

#3 Updated by Scrum Master about 3 years ago

  • Parent task changed from #19020 to #19322

To be verified: this is not the same problem as on AmonEcole, but it concerns the same feature.

#4 Updated by Daniel Dehennin about 3 years ago

  • Status changed from New to In progress
  • Assigned To set to Daniel Dehennin
  • Estimated time set to 3.00 h
  • Remaining (hours) set to 3.0

#5 Updated by Daniel Dehennin about 3 years ago

  • % Done changed from 0 to 100
  • Remaining (hours) changed from 3.0 to 0.25

Tested:
  • On AmonEcole, the web_behind_revproxy_ip address is computed automatically from the IP of br0; the client IP is visible in the Apache logs when the client comes from outside
  • On Scribe, the web_behind_revproxy_ip address must be set manually; the client IP is visible in the Apache logs when the client comes from outside the Amon
  • On eolebase, the client IP is correctly stored in the Nginx logs.

#6 Updated by Scrum Master about 3 years ago

  • Status changed from In progress to Resolved

#7 Updated by Gérald Schwartzmann about 3 years ago

root@scribe:~# CreoleGet --list | grep web_behind_revproxy
activer_web_behind_revproxy="oui" 
web_behind_revproxy_ip="10.1.3.1" 

root@scribe:~# tail -fn0 $(CreoleGet container_path_web)/var/log/apache2/*.log
==> /var/log/apache2/access.log <==

==> /var/log/apache2/error.log <==

==> /var/log/apache2/other_vhosts_access.log <==

==> /var/log/apache2/ssl_access.log <==

==> /var/log/apache2/ssl_error.log <==
[Fri Mar 03 17:29:42.772598 2017] [ssl:info] [pid 21865] [client 10.1.3.1:51984] AH01964: Connection to child 4 established (server etb1.ac-test.fr:443)

==> /var/log/apache2/ssl_access.log <==
192.168.230.156 10.1.3.1 [03/Mar/2017:17:29:42 +0100] "GET /roundcube/ HTTP/1.0" 302 2262

==> /var/log/apache2/ssl_error.log <==
[Fri Mar 03 17:29:43.024070 2017] [ssl:info] [pid 21863] [client 10.1.3.1:51986] AH01964: Connection to child 2 established (server etb1.ac-test.fr:443)

==> /var/log/apache2/ssl_access.log <==
192.168.230.156 10.1.3.1 [03/Mar/2017:17:29:43 +0100] "GET /roundcube/?_task=mail&_action=login HTTP/1.0" 302 2898

root@eolebase:~# CreoleGet --list | grep web_behind_revproxy
activer_web_behind_revproxy="non" 
root@eolebase:~#
root@eolebase:~# tail -fn0 $(CreoleGet container_path_web)/var/log/nginx/*.log
root - Variable inconnue container_path_web
==> /var/log/nginx/access.log <==

==> /var/log/nginx/ead3-access.log <==

==> /var/log/nginx/ead3-error.log <==

==> /var/log/nginx/error.log <==

==> /var/log/nginx/revprox.revprox_http.access-ssl.log <==
192.168.230.156 - - [03/Mar/2017:17:31:51 +0100] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0" 

==> /var/log/nginx/error.log <==
2017/03/03 17:31:51 [error] 1318#1318: *2 open() "/usr/share/nginx/html/favicon.ico" failed (2: No such file or directory), client: 192.168.230.156, server: eolebase.ac-test.fr, request: "GET /favicon.ico HTTP/1.1", host: "eolebase.ac-test.fr" 

==> /var/log/nginx/revprox.revprox_http.access-ssl.log <==
192.168.230.156 - - [03/Mar/2017:17:31:51 +0100] "GET /favicon.ico HTTP/1.1" 404 374 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0" 

root@amonecole:~# CreoleGet --list | grep web_behind_revproxy
activer_web_behind_revproxy="oui" 
web_behind_revproxy_ip="192.0.2.1" 
root@amonecole:~# 

root@amonecole:~# tail -fn0 $(CreoleGet container_path_web)/var/log/apache2/*.log
==> /var/lib/lxc/reseau/rootfs/var/log/apache2/access.log <==

==> /var/lib/lxc/reseau/rootfs/var/log/apache2/error.log <==

==> /var/lib/lxc/reseau/rootfs/var/log/apache2/other_vhosts_access.log <==

==> /var/lib/lxc/reseau/rootfs/var/log/apache2/ssl_access.log <==

==> /var/lib/lxc/reseau/rootfs/var/log/apache2/ssl_error.log <==
[Fri Mar 03 17:45:07.961797 2017] [ssl:info] [pid 16376] [client 192.0.2.1:44800] AH01964: Connection to child 0 established (server etb3.ac-test.fr:443)

==> /var/lib/lxc/reseau/rootfs/var/log/apache2/ssl_access.log <==
192.168.230.156 192.0.2.1 [03/Mar/2017:17:45:07 +0100] "GET / HTTP/1.0" 301 2290

==> /var/lib/lxc/reseau/rootfs/var/log/apache2/ssl_error.log <==
[Fri Mar 03 17:45:08.010417 2017] [ssl:info] [pid 16380] [client 192.0.2.1:44802] AH01964: Connection to child 4 established (server etb3.ac-test.fr:443)

==> /var/lib/lxc/reseau/rootfs/var/log/apache2/ssl_access.log <==
192.168.230.156 192.0.2.1 [03/Mar/2017:17:45:08 +0100] "GET /roundcube HTTP/1.0" 301 2292

#8 Updated by Gérald Schwartzmann about 3 years ago

  • Status changed from Resolved to Closed
  • Remaining (hours) changed from 0.25 to 0.0
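
A log check for the symptom this ticket describes, as an added example that is not part of the ticket or of the EOLE code base: it flags access-log lines whose first address field is the reverse proxy's own address (the value of web_behind_revproxy_ip). The function names are hypothetical, the sample lines are copied from the logs above, and the two-address line layout is assumed from those samples.

```python
import re
from ipaddress import ip_address

# Layout assumed from the ticket's ssl_access.log samples: two address
# fields, a bracketed timestamp, the quoted request, status and size.
LINE_RE = re.compile(
    r'^(?P<first>\S+) (?P<second>\S+) \[[^\]]+\] '
    r'"(?:[^"\\]|\\.)*" (?P<status>\d{3}) (?:\d+|-)\s*$'
)

def classify(line, proxy_ip):
    """Return 'client-visible', 'client-hidden' or 'unparsed' for one line."""
    m = LINE_RE.match(line)
    if not m:
        return "unparsed"
    try:
        first = ip_address(m.group("first"))
    except ValueError:
        return "unparsed"
    # Symptom from the ticket: the proxy address is logged where the client belongs.
    return "client-hidden" if first == ip_address(proxy_ip) else "client-visible"

def audit(lines, proxy_ip):
    """Count verdicts and collect the lines that hide the client address."""
    counts = {"client-visible": 0, "client-hidden": 0, "unparsed": 0}
    hidden = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("==>"):  # blank lines and tail file banners
            continue
        verdict = classify(line, proxy_ip)
        counts[verdict] += 1
        if verdict == "client-hidden":
            hidden.append(line)
    return counts, hidden

# Sample lines copied from the ticket: Scribe before and after the fix, plus an error-log line.
SAMPLE = '''
==> /var/log/apache2/ssl_access.log <==
10.1.3.1 10.1.3.1 [23/Feb/2017:10:59:25 +0100] "POST /roundcube/?_task=mail&_action=refresh HTTP/1.0" 200 795
192.168.230.156 10.1.3.1 [03/Mar/2017:17:29:42 +0100] "GET /roundcube/ HTTP/1.0" 302 2262
[Fri Mar 03 17:29:42.772598 2017] [ssl:info] [pid 21865] [client 10.1.3.1:51984] AH01964: Connection to child 4 established (server etb1.ac-test.fr:443)
'''.splitlines()

if __name__ == "__main__":
    counts, hidden = audit(SAMPLE, "10.1.3.1")  # web_behind_revproxy_ip on Scribe
    print(counts)
    for line in hidden:
        print("proxy address logged as client:", line)
```

A request that really originates on the proxy host itself is reported as well, so the flagged lines need a review rather than being counted as failures outright.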
