10 comments

Add a comment…

Sign in

prestine

Your email address

Check!

invalid email

(thinking…)

Reset

or sign in with

• 
• 

UserVoice password

Forgot password?

Create a password

Your name

I agree to the terms of service

Signed in as (Sign out)

Close

Close

Post comment Submitting...

• Bembel commented  ·  January 22, 2013 2:11 a.m.  ·  Flag as inappropriateFlag as inappropriate  ·  Delete

  Had the same request for being able to use Piwik's GeoIP integration, found the solution myself (@Bastien Bobe : good hint, thanks!) for IIS:

  http://www.astaro.org/gateway-products/web-server-security/45905-waf-geoip.html

  Simply add

  proxy_client_headers[] = HTTP_X_FORWARDED_FOR

  to Piwik's config/config.ini.php

  Cheers,

  Bembel

• ars commented  ·  June 28, 2012 5:11 a.m.  ·  Flag as inappropriateFlag as inappropriate  ·  Delete

  this is needed if you have a ressource with basic authentication in a dmz proxied by the waf and you want to allow internal users to access this ressource without authentication while they use the asg as forward proxy. both external and internal source ips are are the same (dmz interface of the asg) so you cannot use following apache config:

  <Directory "/">
  Order deny,allow
  Deny from all
  AuthType basic
  Require valid-user
  Allow from <INTERNAL NETWORK>
  Satisfy Any
  ....
  </Directory>

• Bastien Bobe commented  ·  July 31, 2011 1:55 p.m.  ·  Flag as inappropriateFlag as inappropriate  ·  Delete

  I have activated the reverse proxy on my ASG and I have configured Apache to get the "forwarded-IP" in the log and in PHP by using RPAF. Just try to do that, it works perfectly on my 3 apache servers (debian and suse).

• Timm Schneider commented  ·  July 30, 2011 2:24 p.m.  ·  Flag as inappropriateFlag as inappropriate  ·  Delete

  Hi Bob,
  no i didn´t asked at the BB, but the Astaro Staff told me, the WAF works only with NAT because the destination IP has to be the one from the ASG.
  You tried it without NAT and it works?

  Bye
  Timm

• Bob Alfson commented  ·  July 30, 2011 12:26 p.m.  ·  Flag as inappropriateFlag as inappropriate  ·  Delete

  Timm, have you asked this question on the User BB? http://www.astaro.org

  Using NAT isn't necessary with WebAppSec.

  Cheers - Bob

• Massimo Dalla Giustina commented  ·  April 8, 2011 6:01 a.m.  ·  Flag as inappropriateFlag as inappropriate  ·  Delete

  Hi Gert, with IIS how can we configure it to log the client IP?
  The main problem is that very often the webserver logs are analyzed by other software that cannot access to the firewall.....

• Stephan Pfeiffer commented  ·  January 7, 2011 4:59 a.m.  ·  Flag as inappropriateFlag as inappropriate  ·  Delete

  This would be great, because public Webservers (in a public IP-Range), can also trust by asg without reconfigure something like DNS-Zonefile for www IP etc.

• mdallagi commented  ·  January 7, 2011 2:46 a.m.  ·  Flag as inappropriateFlag as inappropriate  ·  Delete

  This is request was already done: http://feature.astaro.com/forums/17359-astaro-security-gateway-feature-requests/suggestions/1280617-transparent-reverse-proxy?ref=title

• Gert Hansen commented  ·  January 6, 2011 1:23 a.m.  ·  Flag as inappropriateFlag as inappropriate  ·  Delete

  Hi, do you need this feature purely to put the original source ip in the log file of the webserver? Because if yes, there might be a workaround which we could improve in the future. As far as i know, we already send the original source ip as an attribute in the http header to the webserver. The webserver now needs to be reconfigured to just log this ip adress instead of the proxy ip.
  Another question is, can't you just use the proxy server logfile? It should hold all information just as the webserver with the correct source ip adresses.
  thx Gert

• Kasi Sama commented  ·  December 22, 2010 9:13 a.m.  ·  Flag as inappropriateFlag as inappropriate  ·  Delete

  For compliance reason we need store remote host IP in our database.