NethServer and Proxy Server

Hi all!

I have a NethServer 7.2009 installed on a VM at home used as a mail server for my home lab. In order to use it remotely I configured a virtual host on another machine through apache that redirects all traffic to mail.mydomain.com.
Now come some security concerns:

  1. Because of the apache proxy, every failed login attempt in /var/log/ is logged with the internal proxy IP instead of the real client IP. I read a lot of documentation talking about using X-Forwarded-For headers and mod_remoteip, but all this kind of stuff should be configured in the nethserver’s roundcube configuration file, which is not editable due to overwrites after eventual updates, so I really don’t know where to put my hands on.

  2. Also, if I have success in logging the correct IPs, I’d like to mount the /var/log/ folder on the apache proxyserver and configure fail2ban in order to block repeatedly wrong login attempts. Now, I cannot do it because every failed attempt is logged as my proxy IP, so obviously it cannot ban itself.

Do you have any idea? I tried to find someone with my same problem but didn’t find anything. Also, I tried to ask chatgpt hoping it was “better than me” in searching online, but without any luck.

Thanks in advance for every reply to my doubts.

All needed changes are on the target server, not on the proxy server.

Create the file /etc/httpd/conf.d/remoteip.conf with following content (192.168.1.1 is the proxy server IP):

RemoteIPHeader X-Forwarded-For
# For internal IPs
RemoteIPInternalProxy 192.168.1.1
# For external IPs
RemoteIPTrustedProxy 192.168.1.1

Edit /etc/httpd/conf/httpd.conf at line 196. I commented out the original line and copied it and changed %h to %a:

#LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

Restart httpd to apply changes:

systemctl restart httpd

It worked in my test but I don’t know if it causes other issues.

Source:

EDIT:

On the proxy server you should already have the correct client ip in /var/log/httpd/access_log.

5 Likes

Hi,

thank you very much for your help! I tried your edits and now everything works smoothly, logging the real client IP instead of the Proxy IP.

I really appreciate it.

About the logs, yes. The proxy already has the correct IP in logs. Anyway, in the proxy logs there is no information about whether a login attempt was successful or not, it just logs the connection.

1 Like

Just for future reference, I solved my second question using rsyslog between the mailserver and the proxy server. I configured the /etc/rsyslog.conf file (on the client, in my case the mailserver) as follows:

[...]

#### MODULES ####
#Added imfile module
$ModLoad imfile

[...]

#### RULES ####
#Added a set of rules for my 2 web clients webtop and roundcube
#WebTop
$InputFileName /var/log/webtop/webtop_auth.log
$InputFileTag webtop-info
$InputFileStateFile stat-webtop-info
$InputFileSeverity info
$InputFileFacility local0
$InputRunFileMonitor

#RoundCube
$InputFileName /var/log/roundcubemail/errors.log
$InputFileTag roundcube-info
$InputFileStateFile stat-roundcube-info
$InputFileSeverity info
$InputFileFacility local1
$InputRunFileMonitor

[...]

#Uncommented and updated the last line
*.* @@YOURIPADDRESSHERE:514

After that, I restarted rsyslog:

systemctl restart rsyslog

I enabled rsyslog on the proxy server too in order to listen for logs on port 514 through /etc/rsyslog.conf (on the proxy server):

[...]

#Uncomment the following to enable TCP listening on 514
module(load="imtcp")
input(type="imtcp" port="514")

[...]

#The following template specifies where the logs will be written by rsyslog
$template remotelogs, "/var/log/remote/%hostname%.log"
*.* ?remotelogs

Remember that the owner of the folder MUST be syslog:adm to avoid permission issues, so change it accordingly.

Thanks again for your help

1 Like
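As an added illustration (not code from the thread), here is a small fail2ban-style sliding-window check run over constructed lines in the shape rsyslog would write to /var/log/remote/mailserver.log on the proxy: the `roundcube-info` tag, the proxy IP 192.168.1.1 and the remote log path come from the posts above, while the Roundcube "IMAP Error: Login failed for ... from <ip>" wording and the year are assumptions. It shows why the client IP must be the real one and why the proxy's own address has to be on an ignore list, otherwise the proxy would ban itself.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of what lands in /var/log/remote/mailserver.log on the proxy:
# rsyslog prefix (timestamp, host, the "roundcube-info" tag from the imfile rule),
# then the original Roundcube errors.log line. The message wording is assumed.
SAMPLE_LOG = """\
Mar 20 10:00:01 mailserver roundcube-info: [20-Mar-2024 10:00:01 +0100]: <a1b2c3> IMAP Error: Login failed for alice from 203.0.113.5. AUTHENTICATE PLAIN: Authentication failed.
Mar 20 10:00:05 mailserver roundcube-info: [20-Mar-2024 10:00:05 +0100]: <a1b2c3> IMAP Error: Login failed for alice from 203.0.113.5. AUTHENTICATE PLAIN: Authentication failed.
Mar 20 10:00:09 mailserver roundcube-info: [20-Mar-2024 10:00:09 +0100]: <a1b2c3> IMAP Error: Login failed for admin from 203.0.113.5. AUTHENTICATE PLAIN: Authentication failed.
Mar 20 10:00:20 mailserver roundcube-info: [20-Mar-2024 10:00:20 +0100]: <d4e5f6> IMAP Error: Login failed for bob from 198.51.100.7. AUTHENTICATE PLAIN: Authentication failed.
Mar 20 10:01:00 mailserver roundcube-info: [20-Mar-2024 10:01:00 +0100]: <090a0b> IMAP Error: Login failed for bob from 192.168.1.1. AUTHENTICATE PLAIN: Authentication failed.
Mar 20 10:01:03 mailserver roundcube-info: [20-Mar-2024 10:01:03 +0100]: <090a0b> IMAP Error: Login failed for bob from 192.168.1.1. AUTHENTICATE PLAIN: Authentication failed.
Mar 20 10:01:06 mailserver roundcube-info: [20-Mar-2024 10:01:06 +0100]: <090a0b> IMAP Error: Login failed for bob from 192.168.1.1. AUTHENTICATE PLAIN: Authentication failed.
Mar 20 10:02:00 mailserver webtop-info: some unrelated WebTop line
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[\w-]+): (?P<msg>.*)$")
FAIL_RE = re.compile(r"IMAP Error: Login failed for \S+ from (?P<ip>\d+\.\d+\.\d+\.\d+)")


def find_offenders(lines, max_retry=3, find_time=timedelta(minutes=10),
                   ignore_ips=frozenset({"192.168.1.1"}), year=2024):
    """fail2ban-style sliding window: return {ip: time_of_ban} for every client IP
    with >= max_retry failed Roundcube logins inside find_time. ignore_ips plays the
    role of fail2ban's ignoreip: the proxy's own address (192.168.1.1) is never banned."""
    attempts = defaultdict(list)
    banned = {}
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m or m.group("tag") != "roundcube-info":
            continue  # not one of the forwarded Roundcube lines (e.g. webtop-info)
        f = FAIL_RE.search(m.group("msg"))
        if not f or f.group("ip") in ignore_ips:
            continue
        ip = f.group("ip")
        # syslog timestamps carry no year; assume one so time deltas can be computed
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        attempts[ip] = [t for t in attempts[ip] if ts - t <= find_time] + [ts]
        if len(attempts[ip]) >= max_retry and ip not in banned:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"would ban {ip} at {when:%H:%M:%S}")
```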