From 5627f2aaa9ee3b2502af1760287050d16fc366f1 Mon Sep 17 00:00:00 2001 From: Matthias Pigulla Date: Sun, 4 Oct 2015 21:59:51 +0200 Subject: [PATCH] %a should refer to the client address, not the peer address of the connection. Also make sure %{c}a remains the unmasked peer address. --- README.md | 20 +++++++++++++++++++- mod_log_ipmask.c | 7 ++++++- 2 files changed, 25 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index a167638..54f79e4 100644 --- a/README.md +++ b/README.md 
@@ -6,6 +6,24 @@ it is written to log files like the `AccessLog` or `CustomLog`. The `%a` and example `%{16}a` will only use the first 16 bits (two octets) of the remote IP address. +Since Apache 2.4, the [internal data structures distinguish](http://httpd.apache.org/docs/2.4/developer/new_api_2_4.html#upgrading_byfunction) +the client's (or user agent's) IP address from the peer's address in the underlying +connection. This difference comes into play when forwarding connections, for example in reverse +proxy setups or with load balancers. + +The `%a` placeholder in [mod_log_config](http://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formats) refers +to the IP address of the client, that is, the actual *user agent*. This value can be masked by means +of this module. + +The additional `%{c}a` can be used to log the load balancer's IP address. This value *is not masked* by this module. + +The `%h` placeholder may resolve to either a hostname or an IP address, depending on the `HostnameLookups` setting +and/or the usage of hostname-based access control directives. Be aware that a mask (as in `%{16}h`) will *only* be +applied when an IP address is found. In other words, when the hostname gets resolved, it will reveal the actual +client address. + +## Why? Who? What? + Masking IP addresses in part or entirely is required by Germany's Telemedia Act. Keeping only partially masked IP addresses in logfiles still allows you to perform web analytics without having to process personal data. @@ -22,6 +40,6 @@ Changes against the original version: * Minimal change required to make this module work with Apache 2.4. * Removed the enforced masking of the last octet. By default, it will - still be masked, but you can configure your log format with `%{32}h` + still be masked, but you can configure your log format with `%{32}a` to get full IP addresses if you wish. diff --git a/mod_log_ipmask.c b/mod_log_ipmask.c index 873346b..25d2702 100755 --- a/mod_log_ipmask.c 
+++ b/mod_log_ipmask.c @@ -165,7 +165,12 @@ static const char *log_remote_address_masked(request_rec* pRequest, char* pszMas { char* pszAddress; - pszAddress = pRequest->connection->client_ip; + if (!strcmp(pszMask, "c")) { + // Apache 2.4: %{c}a ist die IP-Adresse der Connection, mglw. ein Proxy + return pRequest->connection->client_ip; + } + + pszAddress = pRequest->useragent_ip; return get_filtered_ip(pszAddress, pszMask, pRequest->pool); }
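Review bot: in the first README.md hunk, the new `%h` paragraph documents masking for `%{16}h`, but the only code change in this patch is to `log_remote_address_masked` (the `%a` path), so the README does not say which address `%h` starts from: the forwarded client address (`useragent_ip`) or the connection peer. Please state that explicitly, and since the paragraph admits that a resolved hostname "will reveal the actual client address", consider recommending `%a` over `%h` (or `HostnameLookups Off`) whenever the masking is the reason this module is loaded; otherwise the mask is silently defeated by configuration elsewhere.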
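Review bot: the second README.md hunk only swaps `%{32}h` for `%{32}a` in the "Changes against the original version" list, but this patch also changes what `%a` means (connection peer before, forwarded client after) and adds an unmasked `%{c}a`. Both are behaviour changes for anyone running the module behind a reverse proxy or load balancer, so add a bullet to that list recording them, and note beside the `%{32}a` example that `%{c}a` is the other way to obtain a full address and is never masked.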
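Review bot: in the mod_log_ipmask.c hunk, `strcmp(pszMask, "c")` dereferences `pszMask` unconditionally; mod_log_config passes NULL for a format item that has no `{...}` argument (plain `%a`), which is exactly the default documented in the README, so unless the caller already substitutes a default mask this is a NULL dereference on the most common log format. Guard it as `if (pszMask && !strcmp(pszMask, "c"))`, the same shape httpd's own `log_remote_address` uses. Two smaller points: the early `return pRequest->connection->client_ip;` deliberately skips `get_filtered_ip`, so say so in the comment ("logged unmasked on purpose, see README") rather than leaving a reader to wonder whether the bypass is an oversight; and the comment is a German `//` line in an otherwise English C file, so translate it and use `/* ... */` to match the surrounding code.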