NetScaler - Configure Apache to Log Client IP Addresses

Summary

This document describes the procedure for configuring an Apache Web server to log client IP addresses based on the value contained within a custom HTTP header inserted by a NetScaler device.

Requirements

This procedure applies to a topology like the one shown in the illustration: Apache Web server(s) are located behind one or more NetScaler device(s), and all traffic destined for the Web servers passes through the NetScaler en route to them. Though a two-arm configuration is depicted, the procedure applies equally to a one-arm configuration.


It is assumed that the NetScaler device has been configured correctly so that it is possible to access content on the Web servers by making an HTTP request to the external virtual IP (VIP) of the NetScaler. This may require DNS entries mapping a host name (for example, www.company.com) to the VIP.

This procedure has been tested on Apache versions 1.3 and 2.0.

Background

In the scenario depicted above, HTTP requests to the Web servers appear, at the network layer, to originate from the Mapped IP (MIP) of the NetScaler device, as the source IP address in the request packets will be set to the MIP (5.6.7.8 in the example). In most configurations, responses from the Web servers pass through the NetScaler which reverses the address translation before forwarding the response back to the client. In this way the internal Web servers are hidden from the client, who sees only the virtual IP 1.2.3.4.

The problem with this configuration is that the Web server logs will show the MIP 5.6.7.8 for all client requests. This may not be desirable in environments which require the IP address of all Web accesses to be logged for accounting, security, or other purposes.

This document provides a procedure to configure this environment so that the Apache server(s) may record the actual IP address of the client in the log file.

Procedure

The procedure involves making modifications to the configuration of both the NetScaler and the Apache server(s).

  • On the NetScaler

    Execute the following command at the CLI to configure the appropriate service to insert a custom HTTP header into requests:

    > set service <service_name> -cip ENABLED NS-Client-IP

    Here <service_name> is the name of the NetScaler service that fronts the Web server. Repeat this command for every service requiring the feature. The NS-Client-IP value is arbitrary and may be set to whatever is desired; it becomes the name of the HTTP header inserted into the requests.

    Requests from the NetScaler to the Web servers now have an extra field as shown in the following trace:

    GET / HTTP/1.1
    Host: www.test.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    NS-Client-IP: 10.60.1.166


  • On the Apache server

    Using a text editor, modify the httpd.conf file. The location of this file depends on the configuration: the article's examples are /etc/httpd.conf, or conf/httpd.conf under the installation directory if Apache was installed in a custom location. Running httpd -V prints the compiled-in HTTPD_ROOT and SERVER_CONFIG_FILE values, which together give the path. It is recommended to make a backup copy of httpd.conf before making changes.

    Add the following lines to httpd.conf (which generates a new, separate log file) – or locate the existing lines with the same directives and modify them (which changes the parameters for an existing log file):

    LogFormat "%{NS-Client-IP}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" ns-access
    CustomLog <path>/<filename> ns-access

    Replace <path> and <filename> with the directory and file name (respectively) of the desired Apache log file. Be sure to replace NS-Client-IP with the correct name of the HTTP header as defined on the NetScaler. The %{NS-Client-IP}i directive logs the header value exactly as received, or "-" if the request carried no such header; if you also want to record the address the connection actually came from (the MIP), keep %h in the format as well.

    Note that Apache trusts whatever value the header contains. This is only meaningful if the Web servers accept HTTP solely from the NetScaler (for example, by firewall rule or by binding Listen to an internal address); a client that can reach a Web server directly can supply its own NS-Client-IP header and choose the address that gets logged. On Apache 2.4, mod_remoteip (RemoteIPHeader together with RemoteIPInternalProxy) honours such a header only when the connection comes from a listed proxy address, but that module does not exist on the 1.3 and 2.0 versions this procedure was tested on.

    Save the configuration file, check it for syntax errors, and restart the HTTP daemon using the following commands:

    # httpd -t
    # httpd -k restart

    On installations without the -k option (Apache 1.3 on Unix), use apachectl restart instead.

    Note: You will have to specify the full path to the httpd binary if it is not located in one of the directories listed in the $PATH environment variable.

    Repeat this process on each Apache server in the farm.
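
The following is an added example and is not part of the original article or the NetScaler product documentation. It is a POSIX shell script that audits a log written with the ns-access LogFormat above, where the first field is the NS-Client-IP header value. It flags every entry whose first field is not a single dotted-quad IPv4 address: a "-" means the request reached Apache without the header (direct access that bypassed the NetScaler, or a service without -cip enabled), and any other non-address value means the field was filled from a header the NetScaler did not insert. The log lines it runs on are constructed sample data; the header name NS-Client-IP is the one used in the procedure.

```shell
#!/bin/sh
# Added example (not from the original article): audit an Apache log written
# with the ns-access LogFormat, whose first field is the NS-Client-IP header.

# Write a constructed sample log in the ns-access format to the file named in $1.
# Line 2 has no header at all ("-"); line 4 carries a value that is not a
# single IPv4 address.  Both are the conditions the audit should surface.
make_sample_log() {
    cat > "$1" <<'EOF'
10.60.1.166 - - [11/Jan/2006:10:15:01 +0000] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
- - - [11/Jan/2006:10:15:07 +0000] "GET /admin HTTP/1.1" 403 199 "-" "curl/7.15.0"
198.51.100.7 - - [11/Jan/2006:10:15:09 +0000] "GET /index.html HTTP/1.1" 200 2326 "http://www.test.com/" "Mozilla/5.0"
203.0.113.9, 10.60.1.166 - - [11/Jan/2006:10:15:12 +0000] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
EOF
}

# Print every line of the log in $1 whose first field is not a plain IPv4
# address (four decimal octets, each 0-255).  Interval expressions such as
# {1,3} are avoided so the script also runs under older mawk builds.
audit_ns_log() {
    awk '
        function is_ipv4(s,   n, p, i) {
            n = split(s, p, ".")
            if (n != 4) return 0
            for (i = 1; i <= 4; i++) {
                if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return 0
            }
            return 1
        }
        !is_ipv4($1) { print }
    ' "$1"
}

# Number of flagged entries in the log named in $1, as a bare integer.
count_untrusted() {
    audit_ns_log "$1" | wc -l | tr -d ' '
}

# Stand-alone demonstration on the constructed sample.
tmp=$(mktemp)
make_sample_log "$tmp"
echo "Entries not attributable to the NetScaler-inserted header:"
audit_ns_log "$tmp"
echo "flagged: $(count_untrusted "$tmp") of $(wc -l < "$tmp" | tr -d ' ') entries"
rm -f "$tmp"
```

Run it against a real ns-access log with audit_ns_log /path/to/log. Any output at all means some requests were logged with an address the NetScaler did not supply, which is worth correlating with the %h field (if you kept it) or with the firewall rules in front of the Web servers.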

