Kerio connect behind apache reverse proxy
  •  
niitro

Hi team,
I'm testing the Kerio Connect solution.
I need to run it behind an Apache reverse proxy and I want to see the client IP and not the reverse proxy IP.
Do you know what I could do?
Is it possible to use the "X-Forwarded-For"?
Many thanks.
  •  
anarvey

Have you checked out the guide to setting up Reverse Proxy on OS X Server for Kerio Connect?

See the RAIS page at:

http://rais.precursor.ca

under the Tutorials section.
  •  
martine

Did you get this working somehow? Kerio is working for me behind an Apache reverse proxy (2.4), but in the Kerio Connect logging I only see the IP address of the proxy. I would like to see the real IP addresses of the clients.
  •  
martine

niitro wrote on Thu, 24 March 2016 16:54
Hi team,
I'm testing the Kerio Connect solution.
I need to run it behind an Apache reverse proxy and I want to see the client IP and not the reverse proxy IP.
Do you know what I could do?
Is it possible to use the "X-Forwarded-For"?
Many thanks.


Did you get this working somehow? Kerio is working for me behind an Apache reverse proxy (2.4), but in the Kerio Connect logging I only see the IP address of the proxy. I would like to see the real IP addresses of the clients.
  •  
anarvey

Which log are you talking about?
  •  
martine

I'm talking about, for example, the audit and operations logs. When I access Kerio via the webmail interface or via ActiveSync, I see the IP address of the proxy in the logging and I would like to see the real client's IP address.

I configured the X-Forwarded-For header on the proxy, but I don't know where to set Kerio to use the IP in X-Forwarded-For instead of the proxy IP.

When I proxy to an Apache webserver instead of Kerio, I use RemoteIPHeader X-Forwarded-For in the webserver configuration to show the original IP address.

regards
  •  
anarvey

I have this reverse proxy going on a variety of client sites. They are all using macOS Server 5.2 and Kerio Connect 9.2 and the instructions from my latest tutorial (v. 2.0.2) on Reverse Proxy at the RAIS page <rais.precursor.ca>.

I briefly tested one server just now and when I access the server's web interface from outside that office and then inspect the Audit log I am seeing the i.p. address of my external web browser computer and not the proxy internal address.

I have not implemented any X-Forwarded-For headers.

I seem to remember having your problem in earlier versions of OS X Server but in macOS Server 5.2 I am not experiencing it - probably due to the massive changes in the way it proxies ALL custom web-sites.

What versions of the OS and server.app are you using?


  •  
martine

I think then it is probably OS related. I will have a closer look at your tutorial. I am running RHEL 7 with KC 9.2. Thanks for your replies.
  •  
anarvey

The Read Me in macOS Server 5.2 at: /Library/Server/Web/Config/Apache2/ReadMe.txt states:

Correct Apache HTTPD access and error logging
For websites the IP address 127.0.0.1 is output to the Apache HTTPD access and error logs instead of the user's actual IP address.
Edit the virtual host file for the custom site and change the CustomLog directive (CustomLog /var/log/apache2/access_log combinedvhost) as shown below:

CustomLog "/var/log/apache2/access_log" combinedvhost env=!forwarded

CustomLog "/var/log/apache2/access_log" combinedvhostproxy env=forwarded

While this web site: http://www.techstacks.com/howto/log-client-ip-and-xforwardedfor-ip-in-apache.html
offers some more detail:


There are several changes you are going to want to make to the default format in order to log the X-Forwarded-For client ip address or the real client ip address if the X-Forwarded-For header does not exist. Those changes are below:


LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
CustomLog "logs/access_log" combined env=!forwarded
CustomLog "logs/access_log" proxy env=forwarded

I have not successfully incorporated these changes to my config yet but this information seems to provide clues as to how it is to be done.
  •  
anarvey

I briefly tested one server just now and when I access the server's web interface from outside that office and then inspect the Audit log I am seeing the i.p. address of my external web browser computer and not the proxy internal address.


Turns out that test was when Safari flopped over to using the actual port 8103 direct.

When Safari was going through port 443 it is as you said: i.e. the logs are recording the address of the apache reverse proxy server and not the requesting client i.p. address.

We will have to see if we can do some sort of X-Forwarded-For
  •  
niitro

anarvey wrote on Sun, 04 December 2016 22:20


When Safari was going through port 443 it is as you said: i.e. the logs are recording the address of the apache reverse proxy server and not the requesting client i.p. address.

We will have to see if we can do some sort of X-Forwarded-For



Same for me. Also with ActiveSync on port 443, the IP is the reverse proxy one.

It's a problem: if someone locks his account, it also locks the IP of the reverse proxy.

Is there a solution to use the X-Forwarded-For IP?
  •  
martine

niitro wrote on Sun, 04 December 2016 22:28
anarvey wrote on Sun, 04 December 2016 22:20


When Safari was going through port 443 it is as you said: i.e. the logs are recording the address of the apache reverse proxy server and not the requesting client i.p. address.

We will have to see if we can do some sort of X-Forwarded-For



Same for me. Also with ActiveSync on port 443, the IP is the reverse proxy one.

It's a problem: if someone locks his account, it also locks the IP of the reverse proxy.

Is there a solution to use the X-Forwarded-For IP?


Looking forward to this feature.
  •  
anarvey

I think we are going to have to submit a feature request for Apache X-FORWARDED-FOR headers to get logged in Kerio Connect log files.

http://forums.kerio.com/t/5908/feature-requests-amp-how-to-contact-kerio-support/
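
Added example (not from any poster, Kerio or the RAIS tutorial): if a backend or a log post-processor is to use X-Forwarded-For for logging or lockouts, as asked in this thread, it should honour the header only when the TCP peer is the reverse proxy and read it right to left. The proxy addresses, function names and sample events below are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumption: only these hops (the Apache reverse proxy) may speak for clients.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "10.0.0.5/32")]

def is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)

def effective_client_ip(peer, xff):
    """Pick the address to log or lock out for one request.

    peer is the TCP peer the backend sees, xff the raw X-Forwarded-For value.
    """
    current = ipaddress.ip_address(peer)
    # A direct connection (the port 8103 case in the thread) can put anything
    # in the header, so it is ignored unless the peer is the proxy itself.
    if not xff or not is_trusted(current):
        return str(current)
    # Proxies append on the right, so walk right to left and stop at the
    # first hop that is not one of ours; entries further left are unverified.
    for hop in reversed(xff.split(",")):
        try:
            candidate = ipaddress.ip_address(hop.strip())
        except ValueError:
            break  # malformed entry: keep the last verified address
        current = candidate
        if not is_trusted(current):
            break
    return str(current)

def failures_by_client(events):
    """Count failed logins per effective client instead of per TCP peer."""
    return Counter(effective_client_ip(peer, xff) for peer, xff, ok in events if not ok)

# Constructed sample events: (tcp_peer, x_forwarded_for, login_ok)
SAMPLE_EVENTS = [
    ("10.0.0.5", "203.0.113.7", False),
    ("10.0.0.5", "192.0.2.1, 203.0.113.7", False),  # client-supplied 192.0.2.1 is ignored
    ("10.0.0.5", "198.51.100.20", True),
    ("198.51.100.9", "127.0.0.1", False),           # direct, header not trusted
]

if __name__ == "__main__":
    print(failures_by_client(SAMPLE_EVENTS))
```

Counting failures this way keeps a lockout on the offending client rather than on the proxy address, and a header sent on a direct connection cannot shift the blame to another address.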