Preserving the Client IP address to Apache servers and Applications

When ZXTM load-balances a connection to an Apache server or Apache-based application, the connection appears to originate from the ZXTM machine. This can be a problem if the server wishes to perform access control based on the client's IP address, or if it wants to log the true source address of the request.

Zeus' ZXTM appliances provide an IP Transparency feature that preserves the client's IP address, and this is also available with the ZXTM software, on appropriate Linux kernels.

As an alternative, Zeus provide several modules for common server applications to work round this issue. This FAQ describes the Apache module.

ZXTM automatically inserts a special 'X-Cluster-Client-Ip' header into each request, which identifies the true source address of the request. Zeus' Apache module inspects this header and corrects Apache's calculation of the source address. This change is transparent to Apache, and any applications running on or behind Apache.

Obtaining and Installing the Module

Download the source file for the module:

Make sure that you download the correct source file for your version of Apache.

Compile and install it as follows:

$ apxs -c mod_zeus.c
# Do the following step if apxs uses libtool and builds the .so
# in .libs/
$ cp .libs/mod_zeus.so mod_zeus.so
# You will probably need to run this installation step as root:
$ apxs -i -a -n 'zeus' mod_zeus.so

Configuring the Module

The installation step should copy the mod_zeus.so module, and add the following to your httpd.conf file:

LoadModule zeus_module modules/mod_zeus.so

Important Note: If you use a ClearModuleList directive in your Apache httpd.conf file, you will also need to add the hooks for Zeus back in along with the other modules. This can be achieved for the Zeus module by adding the following line:

AddModule mod_zeus.c

Add the following two lines to your httpd.conf file:

ZeusEnable on
ZeusLoadBalancerIp 10.100.1.68 10.100.1.69

The ZeusLoadBalancerIp configuration directive specifies the back-end addresses of the ZXTM machines. The Apache module will only trust the 'X-Cluster-Client-Ip' header in connections which originate from these IP addresses. This means that remote users cannot spoof their source addresses by inserting a false header and accessing the Apache servers directly.

Restart your Apache servers, and monitor your servers' error logs. If you have misconfigured the ZeusLoadBalancerIp value, you will see messages like:

Ignoring X-Cluster-Client-Ip '204.17.28.130' from non-Load Balancer machine '10.100.1.31'
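The trust rule described above, written out as an added example; this is not the source of Zeus' module, which is not shown on this page. It assumes IPv4 only, and the function name effective_client_ip and the '<invalid>' placeholder are hypothetical. It also adds one check the page does not describe: the header value is only accepted or echoed into the log if it parses as an IP literal.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the addresses from the ZeusLoadBalancerIp line above. */
static const char *const TRUSTED_LBS[] = { "10.100.1.68", "10.100.1.69" };
#define N_TRUSTED (sizeof TRUSTED_LBS / sizeof TRUSTED_LBS[0])

/* Return 1 if the TCP peer is a configured load balancer (binary compare). */
static int is_trusted_lb(const char *peer)
{
    struct in_addr p, t;
    if (inet_pton(AF_INET, peer, &p) != 1)
        return 0;
    for (size_t i = 0; i < N_TRUSTED; i++)
        if (inet_pton(AF_INET, TRUSTED_LBS[i], &t) == 1 && p.s_addr == t.s_addr)
            return 1;
    return 0;
}

/* Hypothetical helper: choose the client address. peer = TCP source address,
 * hdr = X-Cluster-Client-Ip value or NULL. Returns 1 if the header was used. */
int effective_client_ip(const char *peer, const char *hdr,
                        char *out, size_t outlen, char *msg, size_t msglen)
{
    struct in_addr h;
    msg[0] = '\0';
    snprintf(out, outlen, "%s", peer);      /* default: the TCP peer */
    if (hdr == NULL)
        return 0;
    /* Added check: only echo or accept values that parse as IPv4 literals. */
    int hdr_ok = inet_pton(AF_INET, hdr, &h) == 1;
    if (!is_trusted_lb(peer)) {
        snprintf(msg, msglen, "Ignoring X-Cluster-Client-Ip '%s' from "
                 "non-Load Balancer machine '%s'", hdr_ok ? hdr : "<invalid>", peer);
        return 0;
    }
    if (!hdr_ok)
        return 0;
    snprintf(out, outlen, "%s", hdr);       /* trusted peer: use the header */
    return 1;
}

int main(void)
{
    char out[64], msg[256];
    effective_client_ip("10.100.1.31", "204.17.28.130", out, sizeof out, msg, sizeof msg);
    printf("client=%s\n%s\n", out, msg);
    return 0;
}
```

A request that arrives from 10.100.1.31, which is not in the trusted list, keeps its TCP peer address and produces the same error-log line shown above.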

The Result

Apache, and applications running on Apache, will see the correct source IP address for each request. The access log module will log the correct address when you use %a or %h in your log format string.

The Apache module will add an environment variable named 'ZEUS_LOAD_BALANCER_IP', which you can inspect in your application, or log using %{ZEUS_LOAD_BALANCER_IP}e. This variable identifies the back-end IP address of the ZXTM machine that submitted the request.

Licensing

Zeus provide this module without warranty or any guarantees of fitness for purpose. This module is not covered under Zeus' standard terms of support, but Zeus welcomes suggestions for improvement and will make reasonable efforts to support customers who use it.

You are free to distribute this module and create derivative works from it, provided that you include the following attribution statement in the module and any supporting documentation:

* Copyright (c) 2005 Zeus Technology
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of Zeus Technology nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
Owen Garrett [Zeus Dev Team] 02 December 2005

Comments:

This public messageboard is not a forum for technical support. To report technical support problems, please contact our dedicated Support team using the instructions at the bottom of this page.

Comment from: david boehme [Visitor] · http://www.sherdog.com
How about IIS? We experience the same issue described above but on IIS6.0, where our logfiles show the load balancer IP address instead of the client's IP address. We are trying to install an ISAPI Filter as documented here: http://blogs.msdn.com/david.wang/archive/2005/09/28/HOWTO_ISAPI_Filter_which_Logs_original_Client_IP_for_Load_Balanced_IIS_Servers.aspx

but the logfiles still show the load balancer's IP. Any suggestions that can point us in the right direction would be greatly appreciated.
Permalink 04 August 2006 @ 19:53
Comment from: Owen Garrett [Zeus Dev Team]
David,

Take a look at IP Transparency with the ZXTM software, where we describe how to get IP Transparency without the webserver-specific modules described above.
Permalink 06 October 2006 @ 10:00
Comment from: Dick Davies [Visitor] · http://number9.hellooperator.net
That's great.

Just a slight security concern: does ZXTM ensure that if the client sets its own 'X-Cluster-Client-Ip' header, it's stripped from the request before being sent to Apache?
Permalink 19 January 2009 @ 09:41
Comment from: Crispin Flowerday [Zeus Dev Team]
Dick,

ZXTM will always overwrite the X-Cluster-Client-Ip header (assuming it is configured to put the header in). In addition, the module is configured to only allow these headers from known IP addresses (e.g. ZXTM's IP addresses).
Permalink 19 January 2009 @ 11:36
Comment from: Ivo Teel [Visitor]
I'm currently trying to make ZXTM overwrite the X-Cluster-Client-IP header if the request originates from one of my load balancers.

The following code works fine:

# Only rewrite the header when the request comes from the load balancer subnet
$ip = request.getRemoteIP();
if( string.ipmaskmatch( $ip, "XX.XX.XX.XX/24" ) ) {
   $head = http.getHeader( "X-Forwarded-For" );
   http.setHeader( "X-Cluster-Client-IP", $head );
}

I've verified this by looping through http.getResponseHeaderNames(); it sets the X-Cluster-Client-IP header to what I want.

Unfortunately, ZXTM still overwrites X-Cluster-Client-IP after processing all ZXTM rules. Even if I overwrite the requesting IP with request.setRemoteIP().

Is there some undocumented option to not overwrite in certain cases?




Permalink 18 February 2009 @ 12:14