I have a NethServer 7.2009 installed on a VM at home used as a mail server for my home lab. In order to use it remotely I configured a virtual host on another machine through apache that redirects all traffic to mail.mydomain.com.
Now come some security concerns:
Because of the Apache proxy, every failed login attempt in /var/log/ is logged using the internal proxy IP, instead of the real client IP. I read a lot of documentation talking about using X-Forwarded-For headers and mod_remoteip, but all this kind of stuff should be configured on the NethServer’s roundcube configuration file that is not editable due to overwrites after eventual updates, so I really don’t know where to put my hands on.
Also, if I have success in logging the correct IPs, I’d like to mount the /var/log/ folder on the apache proxyserver and configure fail2ban in order to block repeatedly wrong login attempts. Now, I cannot do it because every failed attempt is logged as my proxy IP, so obviously it cannot ban itself.
Do you have any idea? I tried to find someone with my same problem but didn’t find anything. Also, I tried to ask ChatGPT hoping it was “better than me” in searching online, but without any luck.
Thank you very much for your help! I tried your edits and now everything works smoothly, logging the real client IP instead of the Proxy IP.
I really appreciate it.
About the logs, yes. The proxy already has the correct IP in logs. Anyway, in the proxy logs there is no info about whether a login attempt is successful or not, it just logs the connection.
Just for future reference, I solved my second question using rsyslog between mailserver and proxy server. I configured the /etc/rsyslog.conf file (on the client, in my case the mailserver) as follows:
```
[...]
#### MODULES ####
# Added imfile module
$ModLoad imfile
[...]
#### RULES ####
# Added a set of rules for my 2 web clients webtop and roundcube
# WebTop
$InputFileName /var/log/webtop/webtop_auth.log
$InputFileTag webtop-info
$InputFileStateFile stat-webtop-info
$InputFileSeverity info
$InputFileFacility local0
$InputRunFileMonitor
# RoundCube
$InputFileName /var/log/roundcubemail/errors.log
$InputFileTag roundcube-info
$InputFileStateFile stat-roundcube-info
$InputFileSeverity info
$InputFileFacility local1
$InputRunFileMonitor
[...]
# Uncommented and updated the last line
*.* @@YOURIPADDRESSHERE:514
```
After that, I restarted rsyslog:
```
systemctl restart rsyslog
```
I enabled rsyslog on the proxyserver too in order to listen for logs on port 514 through /etc/rsyslog.conf (on the proxy server):
```
[...]
# Uncomment the following to enable TCP listening on 514
module(load="imtcp")
input(type="imtcp" port="514")
[...]
# The following template specifies where the logs will be written by rsyslog
$template remotelogs, "/var/log/remote/%hostname%.log"
*.* ?remotelogs
```
Remember that the owner of the folder MUST be syslog:adm to avoid permission issues, so change it accordingly.
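
An added example, not part of the original post: once the mail server's lines arrive on the proxy under the `roundcube-info` and `webtop-info` tags configured above, this Python code counts failed logins per client IP inside a sliding window, the same idea as fail2ban's `maxretry`, `findtime` and `ignoreip`. The failure wording, the host name `mail`, the year and all addresses are constructed assumptions; compare them with real lines in /var/log/remote/ before adapting the patterns.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed shape of a forwarded line: "<Mon D HH:MM:SS> <host> <imfile tag> <message>".
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\s"
                     r"(?:roundcube-info|webtop-info):?\s*(?P<msg>.*)$")
# Assumed failure wording; replace with what the application really logs.
FAIL_RE = re.compile(r"Login failed for \S+.* from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b")

def offenders(lines, maxretry=3, findtime=timedelta(minutes=10), ignore=(), year=2024):
    """Map each IP to the time its maxretry-th failure landed inside findtime."""
    recent, hits = defaultdict(deque), {}
    for line in lines:
        m = LINE_RE.match(line)
        f = FAIL_RE.search(m["msg"]) if m else None
        if not f or f["ip"] in ignore or f["ip"] in hits:
            continue
        # The syslog prefix carries no year, so one is supplied by the caller.
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[f["ip"]]
        window.append(when)
        while when - window[0] > findtime:  # drop failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            hits[f["ip"]] = when
    return hits

# Constructed sample lines (documentation address ranges, invented users).
SAMPLE = """\
Mar 10 12:00:01 mail roundcube-info IMAP Error: Login failed for alice from 203.0.113.5.
Mar 10 12:01:00 mail roundcube-info IMAP Error: Login failed for bob from 198.51.100.7.
Mar 10 12:02:10 mail roundcube-info IMAP Error: Login failed for alice from 203.0.113.5.
Mar 10 12:03:00 mail webtop-info Login succeeded for carol from 192.0.2.44.
Mar 10 12:04:30 mail roundcube-info IMAP Error: Login failed for admin from 203.0.113.5.
Mar 10 12:30:00 mail roundcube-info IMAP Error: Login failed for bob from 198.51.100.7.
Mar 10 12:31:00 mail roundcube-info IMAP Error: Login failed for bob from 198.51.100.7.
Mar 10 12:32:00 mail postfix/smtpd[811]: connect from unknown[203.0.113.5]
""".splitlines()

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE).items():
        print(f"{when:%b %d %H:%M:%S} {ip} reached the retry limit")
```

Passing the proxy's own internal address in `ignore` keeps it from ever being flagged if some request is still logged with it.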