Web Server Protection: Transparent reverse proxy

Please provide the option to use the reverse proxy in transparent mode as well. This would allow the real remote host IP to be traced in the web server log files instead of the IP of the firewall. Currently, without transparent mode, no web analyzer software is able to give real traffic reports...

88 votes
    Massimo Dalla Giustina shared this idea
    Timm Schneider shared a merged idea: Transparent Web Application Security
    Jon Etkins shared a merged idea: Provide the ability for the Web Application Firewall to operate transparently
      • ars commented

        This is needed if you have a resource with basic authentication in a DMZ proxied by the WAF and you want to allow internal users to access this resource without authentication while they use the ASG as forward proxy. Both external and internal source IPs are the same (DMZ interface of the ASG), so you cannot use the following Apache config:

        <Directory "/">
        Order deny,allow
        Deny from all
        AuthType basic
        Require valid-user
        Allow from <INTERNAL NETWORK>
        Satisfy Any
        </Directory>

      • Bastien Bobe commented

        I have activated the reverse proxy on my ASG and I have configured Apache to get the "forwarded-IP" in the log and in PHP by using RPAF. Just try to do that, it works perfectly on my 3 Apache servers (Debian and SUSE).

      • Timm Schneider commented

        Hi Bob,
        No, I didn't ask at the BB, but the Astaro staff told me the WAF works only with NAT because the destination IP has to be the one from the ASG.
        You tried it without NAT and it works?


      • Massimo Dalla Giustina commented

        Hi Gert, with IIS how can we configure it to log the client IP?
        The main problem is that very often the web server logs are analyzed by other software that cannot access the firewall...

      • Stephan Pfeiffer commented

        This would be great, because public web servers (in a public IP range) can also trust by ASG without reconfiguring something like the DNS zone file for the www IP, etc.

      • Gert Hansen commented

        Hi, do you need this feature purely to put the original source IP in the log file of the web server? Because if yes, there might be a workaround which we could improve in the future. As far as I know, we already send the original source IP as an attribute in the HTTP header to the web server. The web server now needs to be reconfigured to just log this IP address instead of the proxy IP.
        Another question is, can't you just use the proxy server log file? It should hold all information just as the web server with the correct source IP addresses.
        Thx, Gert
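
Added example (not from the thread, and not Astaro or RPAF code): the rule a web server behind the reverse proxy has to apply before it logs or authorizes on the forwarded address, namely that the header counts only when the connection itself comes from the proxy. The header name X-Forwarded-For, the proxy address 192.0.2.1 and the internal range 10.0.0.0/8 are assumptions, as is the proxy appending the connecting address as the rightmost entry.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the thread):
# the proxy's DMZ-side address and the internal network.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.1/32")]
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def _in(addr, nets):
    return any(addr in net for net in nets)


def client_ip(peer, xff, trusted=TRUSTED_PROXIES):
    """Return the address to log for a request.

    peer is the TCP source address, xff the X-Forwarded-For value (or None).
    """
    peer_addr = ipaddress.ip_address(peer)
    if not _in(peer_addr, trusted) or not xff:
        # A header sent by anything other than the proxy is ignored.
        return str(peer_addr)
    candidate = peer_addr
    # Walk right to left: the rightmost entry was appended by the proxy,
    # entries further left were supplied by whoever connected to it.
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            hop_addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last valid address
        candidate = hop_addr
        if not _in(hop_addr, trusted):
            break  # first hop that is not one of our proxies is the client
    return str(candidate)


def skip_auth(peer, xff):
    """The 'Allow from <INTERNAL NETWORK>' / 'Satisfy Any' decision,
    evaluated on the resolved client address instead of the proxy address."""
    return _in(ipaddress.ip_address(client_ip(peer, xff)), INTERNAL_NETS)
```
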
