Re: [Zope] Re: Access log & trusted proxy
Phillip Hutchings wrote:
| On Mon, 21 Mar 2005 12:40:48 -0000 (GMT), Robert (Jamie) Munro
| <jamie@textmatters.com> wrote:
|
|>Is it possible to get zope's access log (Z2.log) to log the IP address of
|>the original client, rather than that of the proxy when the proxy is
|>listed as a trusted-proxy. Currently, my log files have all clients as
|>127.0.0.1, which isn't very helpful when analysing the logs.
|
| No, because the proxy initialises a new connection to the Zope server,
| so the connection to Zope actually does come from 127.0.0.1, not the
| client. Get your proxy to log, it's easier.
Actually, there is a configuration option which tells Zope to trust the "X-Forwarded-For" header from particular proxies:
# Directive: trusted-proxy
[snip details]
I don't know whether that setting has any effect on the address used by the access log, however.
I know that - I even mentioned it in my post, and it doesn't affect what is used in the access log. I think it should, or at least configurably should.

I can't find any documentation on what you can put in the log's "format" directive apart from %(message)s, but this would seem to be the place to put it.

Getting apache to log works well, but we are using squid for a proxy, and getting it to log is not so easy - at least not if you want the extra things in the detailed logs like referring pages, browser types and user names.

As there didn't seem to be any existing solutions we've had a look at zope's internals, and made a patch that logs the last address from the x-forwarded-for header, rather than the IP address of the proxy where available. I've attached it to this message. As zope is deployed behind a proxy probably 99% of the time, it seems like a good way to work. I've attached the patch below.

Robert (Jamie) Munro
Robert (Jamie) Munro wrote:
| Tres Seaver wrote:
|>Actually, there is a configuration option which tells Zope to trust the
|>"X-Forwarded-For" header from particular proxies:
|
|># Directive: trusted-proxy
|
| [snip details]
|
|> I don't know whether that setting has any effect on the address
|> used by the access log, however.
|
| I know that - I even mentioned it in my post, and it doesn't affect what
| is used in the access log. I think it should, or at least configurably
| should.

Sorry, I was trying to correct an impression from Phillip's post.

| I can't find any documentation on what you can put in the log's
| "format" directive apart from %(message)s, but this would seem to be the
| place to put it.
|
| Getting apache to log works well, but we are using squid for a proxy, and
| getting it to log is not so easy - at least not if you want the extra
| things in the detailed logs like referring pages, browser types and user
| names.

Squid supports the "common" log format, as well as user-defined log format strings (in 2.5.x):

  http://devel.squid-cache.org/customlog/

| As there didn't seem to be any existing solutions we've had a look at
| zope's internals, and made a patch that logs the last address from the
| x-forwarded-for header, rather than the IP address of the proxy where
| available. I've attached it to this message. As zope is deployed behind a
| proxy probably 99% of the time, it seems like a good way to work. I've
| attached the patch below.

Could you open a collector issue, and upload your patch, so that it doesn't get lost in the sea of mail?

  http://www.zope.org/Collectors/Zope

Thanks!

Tres.
--
===============================================================
Tres Seaver                                tseaver@zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com
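The address selection discussed in this thread, as an added example: it is not the patch attached to the original message (which is not reproduced here) and not Zope code. The function names, the lower-cased header dict and the use of IP literals for the trusted-proxy list are assumptions, and the sample requests are constructed.

```python
import ipaddress

def access_log_address(peer_addr, headers, trusted_proxies):
    """Pick the client address to record in an access log line.

    peer_addr       -- IP of the TCP peer (the proxy, when one is in front)
    headers         -- request headers, names lower-cased (assumption)
    trusted_proxies -- IP literals, standing in for the trusted-proxy list
    """
    peer = ipaddress.ip_address(peer_addr)
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    if peer not in trusted:
        # A direct client can send any X-Forwarded-For it likes: ignore it.
        return str(peer)
    # The last entry is the one the trusted proxy appended itself; earlier
    # entries arrived from the client side and are not verified.
    last = headers.get("x-forwarded-for", "").split(",")[-1].strip()
    try:
        # Parsing also keeps spaces, quotes and newlines out of the log.
        return str(ipaddress.ip_address(last))
    except ValueError:
        return str(peer)  # header missing or malformed: log the proxy

# Constructed sample requests: (peer address, headers).
SAMPLE_REQUESTS = [
    ("127.0.0.1", {"x-forwarded-for": "203.0.113.7"}),
    ("127.0.0.1", {"x-forwarded-for": "10.9.9.9, 198.51.100.4"}),
    ("127.0.0.1", {}),
    ("127.0.0.1", {"x-forwarded-for": '1.2.3.4 - admin [x] "GET /"'}),
    ("192.0.2.50", {"x-forwarded-for": "203.0.113.7"}),
]

def logged_addresses(requests, trusted_proxies=("127.0.0.1",)):
    """Return the address that would be logged for each sample request."""
    return [access_log_address(peer, hdrs, trusted_proxies)
            for peer, hdrs in requests]

if __name__ == "__main__":
    for addr in logged_addresses(SAMPLE_REQUESTS):
        print(addr)
```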
participants (2)
- Robert (Jamie) Munro
- Tres Seaver