Forum Discussion

Joe_Fontes_4518
Dec 07, 2006

Apache SSL Logs

I am trying to figure out how to get the correct source IP for the SSL request which has passed through the load balancer.

I wrote an iRule (got most of it from the iRule downloads section) that is successfully logging regular http requests to the local syslog-ng which then passes to my central logging server:

    when HTTP_REQUEST {
        # set the URL here, log it on the response
        set url [HTTP::host]
        set uri [HTTP::uri]
        set vip "[IP::local_addr]:[TCP::local_port]"
        set meth [HTTP::method]
        set ua [HTTP::header User-Agent]
        set ref [HTTP::header Referer]
        set ver [HTTP::version]
    }

    when HTTP_RESPONSE {
        set client [IP::client_addr]
        set node [IP::server_addr]
        set nodePort [TCP::server_port]
        set nodeResp [HTTP::status]
        set rlen [HTTP::header Content-Length]
        # no Content-Length header (e.g. a chunked response): log a placeholder size
        if {$rlen == ""} {
            set rlen 100
        }
        # log connection info in Apache combined-log style; [DATE] is a literal
        # placeholder, the syslog timestamp carries the actual time
        log local0.info "$client - - \[DATE\] \"$meth $uri HTTP/$ver\" $nodeResp $rlen \"$ref\" \"$ua\""
    }

I know that I don't need to do it this way and XFF is set up and working...this is just a test.

My question comes into play when working with SSL. This will not work for SSL as the VS does not have an http profile. However, when logging the SSL connections on Apache I still get the IP of the LB instead of the actual source IP. I didn't think that was possible as I had assumed that the header (except for the requesting info) was encrypted and could only be decrypted downstream at the server?

If the source IP is being altered, there must be a way to either set XFF for SSL, or do something similar to what I have done above with regular HTTP requests.

Just trying to figure out how to keep track of the unique IPs that are connecting into the SSL site...

3 Replies

  • Hi,

    The only way I know of to pass the client IP address would be in the HTTP headers or content. If you're not decrypting the HTTPS on the BIG-IP you won't be able to view/modify the HTTP to insert this data.

    Anyone else have ideas?

    Aaron
  • So, I am running out of ideas of what to try on this. Was thinking that on a new SSL connection I could always log the client IP to syslog-ng and from there parse it out later.

    Of course to get that to work I would need to have some sort of identifier logged to both syslog-ng as well as the local Apache machine.

    Doesn't everyone else have this same problem? I can't be the only one that maintains site logs for SSL sites.

  • If your servers use the BIG-IP as their default gateway, you can preserve the original client IP by not SNAT'ing those connections at the BIG-IP (it preserves the client IP by default). The IP header is not encrypted in SSL, so BIG-IP can still SNAT even with SSL connections. But if it is not possible for you to configure the network this way (without SNAT), then hoolio is correct, you will need to decrypt the SSL at the BIG-IP in order to be able to manipulate the data in the rest of the headers (i.e., using an X-Forwarded-For header to include the original client IP).

    Denny
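As an added illustration of the two options Denny describes (example code written for this thread, not from the original posts and not F5's own configuration): the first iRule is for a virtual server that terminates SSL on the BIG-IP (clientssl and http profiles), where the decrypted request can carry the client address to Apache in X-Forwarded-For; the second is for an SSL pass-through virtual server with SNAT, where there is no http profile, so the iRule instead logs the mapping from the real client to the SNAT source address and port that Apache sees as its peer, which is the kind of identifier the second post asks for. The log prefix `sslmap` and the `local0` facility are assumptions.

```tcl
# Added example, not from the thread. These are two separate iRules, each
# attached to a different virtual server; the "sslmap" log prefix and the
# local0 facility are assumptions.

# --- iRule 1: SSL terminated on the BIG-IP (clientssl + http profile) ---------
# The request is decrypted here, so the client address can be handed to Apache
# in X-Forwarded-For (the same idea as the http profile's "Insert X-Forwarded-For").
when HTTP_REQUEST {
    # Drop any X-Forwarded-For the client sent itself, so the value Apache logs
    # is always the address the BIG-IP observed rather than a client-supplied one.
    HTTP::header remove X-Forwarded-For
    HTTP::header insert X-Forwarded-For [IP::client_addr]
}

# --- iRule 2: SSL pass-through with SNAT (no http profile) --------------------
# Nothing inside the TLS stream can be read or changed, but the TCP layer is
# still visible. Record, once per connection, which real client sits behind
# which SNAT address:port, because that address:port is exactly what Apache
# records as the remote peer of the server-side connection.
when CLIENT_ACCEPTED {
    # Client-side view: the real source of the connection.
    set client "[IP::client_addr]:[TCP::client_port]"
}
when SERVER_CONNECTED {
    # Server-side view: IP::local_addr / TCP::local_port are the BIG-IP's own
    # source address and port on the server-side connection (the SNAT address);
    # IP::server_addr / TCP::server_port identify the pool member (Apache).
    log local0.info "sslmap client=$client snat=[IP::local_addr]:[TCP::local_port] node=[IP::server_addr]:[TCP::server_port]"
}
```

For iRule 1, Apache can log the inserted header with the `%{X-Forwarded-For}i` LogFormat token. For iRule 2, the join key between the syslog line and the Apache access log is the SNAT address plus port together with the timestamp; the port alone is not unique over time because SNAT ports are reused, so the Apache side needs to record the remote port as well (the `%{remote}p` LogFormat token in current mod_log_config, assuming the Apache version in use supports it).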