NethServer and Proxy Server

Hi all!

I have a NethServer 7.2009 installed on a VM at home used as a mail server for my home lab. In order to use it remotely I configured a virtual host on another machine through apache that redirects all traffic to
Now come some security concerns:

  1. Because of the apache proxy, every failed login attempt in the /var/log/ contains logged using the internal proxy IP, instead of the real client IP. I red a lot of documentation talking about using X-Forwarded-For headers and mod_remoteip , but all this kind of stuff should be configured on the nethserver’s roundcube configuration file that is not editable due to overwrites after eventual updates, so I really don’t know where to put my hands on.

  2. Also, if I have success in logging the correct IPs, I’d like to mount the /var/log/ folder on the apache proxyserver and configure fail2ban in order to block repeatedly wrong login attempts. Now, I cannot do it because every failed attempt is logged as my proxy IP, so obviously it cannot ban itself.

Do you have any idea? I tried to find someone with my same problem but didn’t find anything. Also, I tried to ask chatgpt hoping it was “better than me” in searching online, but without any luck.

Thanks in advance for every reply to my doubts.

All needed changes are on the target server, not on the proxy server.

Create the file /etc/httpd/conf.d/remoteip.conf with following content ( is the proxy server IP):

RemoteIPHeader X-Forwarded-For
# For internal IPs
# For external IPs

Edit /etc/httpd/conf/httpd.conf at line 196. I commented out the original line and copied it and changed %h to %a:

#LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

Restart httpd to apply changes:

systemctl restart httpd

It worked in my test but I don’t know if it causes other issues.



On the proxy server you should already have the correct client ip in /var/log/httpd/access_log.



thank you very much for your help! I tried your edits and now everything works smoothly, logging the real client IP instead of the Proxy IP.

I really appreciate it.

About the logs, yes. The proxy already has the correct IP in logs. Anyway, in the proxy logs there are no infos about if a login attempt is successful or not, it just logs the connection.

1 Like

Just for future references, I solved my second question using rsyslog between mailserver and proxy server. I configured the /etc/rsyslog.conf file (on the client, in my case the mailserver) as follow:


#### MODULES ####
#Added imfile module
$ModLoad imfile


#### RULES ####
#Added a set of rules for my 2 web clients webtop and roundcube
$InputFileName /var/log/webtop/webtop_auth.log
$InputFileTag webtop-info
$InputFileStateFile stat-webtop-info
$InputFileSeverity info
$InputFileFacility local0

$InputFileName /var/log/roundcubemail/errors.log
$InputFileTag roundcube-info
$InputFileStateFile stat-roundcube-info
$InputFileSeverity info
$InputFileFacility local1


#Uncommented and updated the last line

After that, I restarted rsyslog:

systemctl restart rsyslog

I enabled rsyslog on the proxyserver too in order to listen for logs on port 514 through /etc/rsyslog.conf (on the proxy server):


#Uncomment the following to enable TCP listening on 514
input(type="imtcp" port="514")


#The following template specifies where the logs will be written by rsyslog
$template remotelogs, "/var/log/remote/%hostname%.log"
*.* ?remotelogs

Remember that the owner of the folder MUST be syslog:adm to avoid permission issues, so change it accordingly.

Thanks again for your help

1 Like