
Bug#425008: marked as done (apache2: handle X-FORWARDED-FOR by default)



Your message dated Fri, 07 Dec 2007 23:32:03 +0000
with message-id <E1J0mfr-0004J3-Pg@ries.debian.org>
and subject line Bug#425008: fixed in apache2 2.2.6-3
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: apache2
Version: 2.2.3-3.3
Severity: wishlist

When running apache2 from behind a proxy, the default log format
does not honor the X-Forwarded-For header. The attached patch modifies
the default format so that it is honored when present and has no effect
when not present.

--- a/etc/apache2/apache2.conf	Thu May 03 23:57:15 2007 +0200
+++ b/etc/apache2/apache2.conf	Thu May 03 23:59:07 2007 +0200
@@ -199,9 +199,12 @@ Include /etc/apache2/conf.d/
 # a CustomLog directive (see below).
 #
 LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined_forwarded
 LogFormat "%h %l %u %t \"%r\" %>s %b" common
 LogFormat "%{Referer}i -> %U" referer
 LogFormat "%{User-agent}i" agent
+
+SetEnvIfNoCase X-Forwarded-For "." from_proxy=1
 
 #
 # ServerTokens
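Review bot: The added combined_forwarded format replaces %h with %{X-Forwarded-For}i, so lines written in that format no longer record the address that actually connected, and the first field becomes a request header value that can hold a comma-separated list or text that is not an address. Consider keeping %h in the format (for example as an extra trailing field) so the peer address stays in the log. Separately, the added SetEnvIfNoCase line sets from_proxy for every request that carries the header, whoever sent it; if the intent is "the request arrived through our proxy", a condition on the proxy's address would express that, and a comment above the directive should say which is meant. The NoCase variant has no effect with the pattern ".", so plain SetEnvIf would do.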
--- a/etc/apache2/sites-available/default	Thu May 03 23:57:15 2007 +0200
+++ b/etc/apache2/sites-available/default	Thu May 03 23:59:07 2007 +0200
@@ -34,7 +34,8 @@ NameVirtualHost *
 	# alert, emerg.
 	LogLevel warn
 
-	CustomLog /var/log/apache2/access.log combined
+	CustomLog /var/log/apache2/access.log combined env=!from_proxy
+	CustomLog /var/log/apache2/access.log combined_forwarded env=from_proxy
 	ServerSignature On
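Review bot: The two added CustomLog lines write both formats to the same /var/log/apache2/access.log, so the first field is the peer address on some lines and the X-Forwarded-For header value on others, with nothing in the line to tell which. Anything that reads the first field as the client address (statistics, rate limiting, ban lists) would then act on header data for every request that carries the header. Suggest a separate file for combined_forwarded, or a single format that logs both %h and the header, plus a comment in the vhost noting that from_proxy is set in apache2.conf.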

http://garden.dachary.org/universe.html#%5B%5BApache%20x-forwarded-for%20log%20when%20behind%20a%20proxy%5D%5D

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-1-vserver-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages apache2 depends on:
ii  apache2-mpm-prefork           2.2.3-3.3  Traditional model for Apache HTTPD

apache2 recommends no packages.

-- no debconf information


--- End Message ---
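The log layout proposed in the report above mixes %h lines and X-Forwarded-For lines in one file, so a reader of that file has to validate the first field instead of trusting it. The following is an added example, not part of the original message or of the Debian package: parse_line, naive_first_field and the sample lines are assumptions made for illustration, and HostnameLookups is assumed to be Off.

```python
import ipaddress
import re

# Everything after the first field is identical in "combined" and
# "combined_forwarded", so anchor on that tail and keep the rest as field one.
LINE_RE = re.compile(
    r'^(?P<first>.*) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

def parse_line(line):
    """Parse one access.log line; return a dict, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    # Field one is %h or the raw X-Forwarded-For value. The header can carry a
    # comma-separated chain, or text that is not an address at all.
    addrs = []
    for part in rec["first"].split(","):
        try:
            addrs.append(str(ipaddress.ip_address(part.strip())))
        except ValueError:
            addrs = None  # not address data (assumes HostnameLookups Off)
            break
    rec["addresses"] = addrs
    return rec

def naive_first_field(line):
    """What a whitespace-splitting log tool takes as the client address."""
    return line.split()[0]

# Constructed sample lines (documentation address ranges), not from the report.
SAMPLE = [
    '192.0.2.10 - - [03/May/2007:23:59:07 +0200] "GET / HTTP/1.1" 200 45 "-" "curl/7.15"',
    '198.51.100.4 - - [03/May/2007:23:59:08 +0200] "GET /a HTTP/1.1" 200 45 "-" "Mozilla/5.0"',
    '198.51.100.4, 10.0.0.5 - - [03/May/2007:23:59:09 +0200] "GET /b HTTP/1.1" 200 45 "-" "Mozilla/5.0"',
    'unknown - - [03/May/2007:23:59:10 +0200] "GET /c HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        rec = parse_line(line)
        print(repr(naive_first_field(line)), "->", rec["addresses"])
```

The first two sample lines are indistinguishable in form: nothing in the line says whether the address came from the connection or from the header.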
--- Begin Message ---
Source: apache2
Source-Version: 2.2.6-3

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive:

apache2-dbg_2.2.6-3_i386.deb
  to pool/main/a/apache2/apache2-dbg_2.2.6-3_i386.deb
apache2-doc_2.2.6-3_all.deb
  to pool/main/a/apache2/apache2-doc_2.2.6-3_all.deb
apache2-mpm-event_2.2.6-3_i386.deb
  to pool/main/a/apache2/apache2-mpm-event_2.2.6-3_i386.deb
apache2-mpm-perchild_2.2.6-3_all.deb
  to pool/main/a/apache2/apache2-mpm-perchild_2.2.6-3_all.deb
apache2-mpm-prefork_2.2.6-3_i386.deb
  to pool/main/a/apache2/apache2-mpm-prefork_2.2.6-3_i386.deb
apache2-mpm-worker_2.2.6-3_i386.deb
  to pool/main/a/apache2/apache2-mpm-worker_2.2.6-3_i386.deb
apache2-prefork-dev_2.2.6-3_i386.deb
  to pool/main/a/apache2/apache2-prefork-dev_2.2.6-3_i386.deb
apache2-src_2.2.6-3_all.deb
  to pool/main/a/apache2/apache2-src_2.2.6-3_all.deb
apache2-threaded-dev_2.2.6-3_i386.deb
  to pool/main/a/apache2/apache2-threaded-dev_2.2.6-3_i386.deb
apache2-utils_2.2.6-3_i386.deb
  to pool/main/a/apache2/apache2-utils_2.2.6-3_i386.deb
apache2.2-common_2.2.6-3_i386.deb
  to pool/main/a/apache2/apache2.2-common_2.2.6-3_i386.deb
apache2_2.2.6-3.diff.gz
  to pool/main/a/apache2/apache2_2.2.6-3.diff.gz
apache2_2.2.6-3.dsc
  to pool/main/a/apache2/apache2_2.2.6-3.dsc
apache2_2.2.6-3_all.deb
  to pool/main/a/apache2/apache2_2.2.6-3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 425008@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 07 Dec 2007 22:38:59 +0100
Source: apache2
Binary: apache2-utils apache2-prefork-dev apache2 apache2-mpm-prefork apache2-doc apache2-mpm-event apache2.2-common apache2-dbg apache2-mpm-worker apache2-src apache2-threaded-dev apache2-mpm-perchild
Architecture: source all i386
Version: 2.2.6-3
Distribution: unstable
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description: 
 apache2    - Next generation, scalable, extendable web server
 apache2-dbg - Apache debugging symbols
 apache2-doc - documentation for apache2
 apache2-mpm-event - Event driven model for Apache HTTPD
 apache2-mpm-perchild - Transitional package - please remove
 apache2-mpm-prefork - Traditional model for Apache HTTPD
 apache2-mpm-worker - High speed threaded model for Apache HTTPD
 apache2-prefork-dev - development headers for apache2
 apache2-src - Apache source code
 apache2-threaded-dev - development headers for apache2
 apache2-utils - utility programs for webservers
 apache2.2-common - Next generation, scalable, extendable web server
Closes: 255443 425008 450867
Changes: 
 apache2 (2.2.6-3) unstable; urgency=low
 .
   * Allocate fewer bucket brigades in case of a flush bucket. This might help
     with the memory leaks reported in #399776 and #421557.
   * Escape the HTTP method in error messages to avoid potential cross site
     scripting vulnerabilities (CVE-2007-6203).
   * Update 053_bad_file_descriptor_PR42829.dpatch to avoid a race condition.
   * Redirect /doc/apache2-doc/manual/ to /manual/ in the apache2-doc config
     (Closes: #450867).
   * Add icons for .ogg and .ogm (Closes: #255443).
   * Add comment about how to log X-Forwarded-For (Closes: #425008).
   * Make mod_proxy_balancer not depend on mod_cache.
   * Add Homepage field to debian/control.
   * Add/fix some lintian overrides, fix some warnings.
   * Bump Standards-Version (no changes).
Files: 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHWdTEbxelr8HyTqQRAsjcAKCIn8FCOBJW3DDh6Amh706eUzstSgCfbmQs
2C18/pw298il80TwF7/MUEA=
=dEQI
-----END PGP SIGNATURE-----



--- End Message ---
