Web Server Protection: Transparent reverse proxy
Please provide the option to use the reverse proxy in transparent mode as well. This would allow the real remote host IP to be recorded in the web server log files instead of the IP of the firewall. Currently, without transparent mode, no web analyzer software is able to give real traffic reports...
Every hoster needs this to secure the servers, because there is no NAT. When you use official IP addresses in your LAN, you need a transparent "WAS".
Servers protected by ASG's Web Application Firewall see all incoming requests as originating from the ASG's LAN address. In the event of an intrusion or other problem, the web administrator has to try to match-merge the web server's log with that of the ASG proxy. It would be preferable if the WAF proxy could operate transparently so the protected web server sees the address of the actual originating client.
I had the same request, for being able to use Piwik's GeoIP integration, and found the solution myself (@Bastien Bobe: good hint, thanks!) for IIS: add
[General]
proxy_client_headers[] = HTTP_X_FORWARDED_FOR
to Piwik's config/config.ini.php
This is needed if you have a resource with basic authentication in a DMZ proxied by the WAF and you want to allow internal users to access this resource without authentication while they use the ASG as a forward proxy. Both the external and the internal source IPs are the same (the DMZ interface of the ASG), so you cannot use the following Apache config:
Deny from all
Allow from <INTERNAL NETWORK>
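The comments in this thread rely on the X-Forwarded-For header that the ASG adds to proxied requests, but any log analyzer or access-control rule that reads it has to know which TCP peer to believe: the header is supplied by whoever connects, so a client that reaches the web server directly can forge it. The script below is an added example, not code from the thread, from Astaro or from Piwik. It parses Apache combined log lines with %{X-Forwarded-For}i appended, trusts the header only when the peer is the ASG's DMZ interface (assumed here to be 10.10.10.1), and reads the header right to left so that a forged hop from an external client cannot pass as the internal network (assumed to be 192.168.0.0/16); the same check is what an "internal users only" rule would need instead of the Allow from line above. The addresses, the log format and the sample lines are all constructed for the example.

```python
import ipaddress
import re

# Constructed assumptions (not from the thread): the web server sees the ASG's
# DMZ-facing address as the TCP peer, and internal users sit in 192.168.0.0/16.
TRUSTED_PROXIES = [ipaddress.ip_network("10.10.10.1/32")]
INTERNAL_NET = ipaddress.ip_network("192.168.0.0/16")

# Apache "combined" log with the X-Forwarded-For header appended in quotes, i.e.
# LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{X-Forwarded-For}i\"" combined_xff
LINE_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "[^"]*" "(?P<xff>[^"]*)"$'
)


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer, xff):
    """Return the real client address for one request.

    X-Forwarded-For is set by whoever talks to us, so it is only believed when
    the TCP peer is the ASG.  The header is then read right-to-left: the
    rightmost hop was appended by the ASG, hops further left were supplied by
    the client (or earlier proxies) and may be forged.
    """
    peer_addr = ipaddress.ip_address(peer)
    if not _is_trusted(peer_addr):
        return peer_addr                      # direct connection: ignore the header
    hops = [h.strip() for h in xff.split(",") if h.strip() and h.strip() != "-"]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break                             # garbage in the header: fall back to the peer
        if not _is_trusted(addr):
            return addr
    return peer_addr                          # no usable hop: record the ASG itself


def resolve(line):
    """Parse one log line; return (client, is_internal, request) or None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    client = client_ip(m.group("peer"), m.group("xff"))
    return str(client), client in INTERNAL_NET, m.group("request")


# Constructed sample log lines (not real traffic).  Line 3 is an external
# client that sent its own forged X-Forwarded-For; the ASG appended the real
# address.  Line 4 bypassed the ASG and talked to the web server directly.
SAMPLE_LOG = """\
10.10.10.1 - - [10/Oct/2011:13:55:36 +0200] "GET /index.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0" "203.0.113.7"
10.10.10.1 - - [10/Oct/2011:13:55:40 +0200] "GET /intranet/ HTTP/1.1" 200 512 "-" "Mozilla/5.0" "192.168.1.20"
10.10.10.1 - - [10/Oct/2011:13:55:41 +0200] "GET /intranet/ HTTP/1.1" 200 512 "-" "curl/7.21" "192.168.1.20, 203.0.113.7"
198.51.100.9 - - [10/Oct/2011:13:55:42 +0200] "GET /intranet/ HTTP/1.1" 403 199 "-" "curl/7.21" "192.168.1.20"
10.10.10.1 - - [10/Oct/2011:13:55:43 +0200] "GET /robots.txt HTTP/1.1" 200 68 "-" "Bot/1.0" "-"
"""


def resolve_all(text):
    """Resolve every parseable line of a log file to (client, is_internal, request)."""
    return [r for r in (resolve(l) for l in text.splitlines()) if r is not None]


if __name__ == "__main__":
    for client, internal, request in resolve_all(SAMPLE_LOG):
        print(f"{client:15} internal={internal!s:5} {request}")
```

Whether the ASG appends to an existing X-Forwarded-For header or replaces it is not stated in this thread; reading the header from the right works in both cases, as long as the web server only accepts the header from the ASG's own address. Once the trusted-peer check is in place the resolved address can be written to a database or fed to GeoIP; without it, a direct client can claim any address it likes.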
Bastien Bobe commented
I have activated the reverse proxy on my ASG and I have configured Apache to get the "forwarded IP" in the log and in PHP by using RPAF. Just try to do that; it works perfectly on my 3 Apache servers (Debian and SUSE).
Timm Schneider commented
No, I didn't ask at the BB, but the Astaro staff told me the WAF works only with NAT because the destination IP has to be the one from the ASG.
You tried it without NAT and it works?
Bob Alfson commented
Timm, have you asked this question on the User BB? http://www.astaro.org
Using NAT isn't necessary with WebAppSec.
Cheers - Bob
Massimo Dalla Giustina commented
Hi Gert, with IIS how can we configure it to log the client IP?
The main problem is that very often the web server logs are analyzed by other software that cannot access the firewall.....
Stephan Pfeiffer commented
This would be great, because public web servers (in a public IP range) can also be trusted by the ASG without reconfiguring something like the DNS zone file for the www IP, etc.
This request was already made: http://feature.astaro.com/forums/17359-astaro-security-gateway-feature-requests/suggestions/1280617-transparent-reverse-proxy?ref=title
Gert Hansen commented
Hi, do you need this feature purely to put the original source IP in the log file of the web server? Because if yes, there might be a workaround which we could improve in the future. As far as I know, we already send the original source IP as an attribute in the HTTP header to the web server. The web server now needs to be reconfigured to just log this IP address instead of the proxy IP.
Another question is, can't you just use the proxy server log file? It should hold all the information just as the web server does, with the correct source IP addresses.
Kasi Sama commented
For compliance reasons we need to store the remote host IP in our database.