forwarding Source IP as client IP

[Rdago]

When using spoa on Haproxy the modproxy logs keep showing that the connected client is the haproxy itself (which in my case is 127.0.0.1, as I run the agent on the server in a docker) and modproxy logs this IP.

Is there a way to include the original source IP which connected to the HAproxy beforehand and pass it to modsecurity - in a forwarded for header for example?

The problem is that some features like geoip or ip reputation do not work on this scenario. Moreover when using siem-solution for logging the modsecurity logs and threats the connecting IP is always localhost.

Im looking forward to receive some tipps or even a solution how to handle this.

Thanks in advance.

[jessequinn]

yah just ran into this now. basically white listing cannot work???? @Rdago did you find a solution?

[jessequinn]

@Rdago i see your forked the repo and made some changes. But did you fix the forwardfor? I see something about UniqueID.

[amitnarwal-sec]

@jessequinn I am also having the same issue, have you got any solution? how to get client-IP back on Modsecurity.

[mario-almeida]

I am also having the same issue, is there any solution for this?

[evasokolova1f]

I also have the same problem. Any solution?

[CorentinS6]

same problem here.

the trick i use to match requests in haproxy and modsec is the uniqid header.

in /etc/haproxy/haproxy.cfg, add this in frontend section :

	# Add unique-id Header
	unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
	unique-id-header X-Unique-ID

and modify this in default section :

	#option	httplog
	log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID"

Regards

[amitnarwal-sec]

Thank you @CorentinS6 It solved the problem.

[styelz]

Hi, this worked for me

unique-id-format "%{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid client-ip:%[src]"