From e8b7d6afed0038b984d832a2e14ae7899842a8ec Mon Sep 17 00:00:00 2001
From: Pim van den Berg
Date: Thu, 26 May 2022 20:05:45 +0200
Subject: [PATCH 1/2] roundcube: log actual client ip by using apache2 remoteip

Roundcube webmail is accessed through the nginx reverse proxy in the front container. Each access logline logged by apache2 in the roundcube container did not contain the actual client IP address, but the IP address of the front container, for example:

> 192.168.203.3 - - [28/May/2022:12:33:52 +0000] "POST /?_task=mail&_action=refresh HTTP/1.1" 200 677 "https://[REDACTED]/roundcube/?_task=mail&_mbox=INBOX" "Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0"
^ IP address of the front container

By enabling the apache2 remoteip module and configuring it to get the actual client IP address from the X-Forwarded-For header, it logs the correct client IP address to the access log.
---
 towncrier/newsfragments/2360.bugfix | 1 +
 webmails/roundcube/Dockerfile | 4 +++-
 webmails/roundcube/remoteip.conf | 2 ++
 webmails/roundcube/start.py | 4 ++++
 4 files changed, 10 insertions(+), 1 deletion(-)
 create mode 100644 towncrier/newsfragments/2360.bugfix
 create mode 100644 webmails/roundcube/remoteip.conf

diff --git a/towncrier/newsfragments/2360.bugfix b/towncrier/newsfragments/2360.bugfix
new file mode 100644
index 00000000..41720908
--- /dev/null
+++ b/towncrier/newsfragments/2360.bugfix
@@ -0,0 +1 @@
+roundcube: log actual client ip by using apache2 remoteip
diff --git a/webmails/roundcube/Dockerfile b/webmails/roundcube/Dockerfile
index 3fbe0794..916cd0e5 100644
--- a/webmails/roundcube/Dockerfile
+++ b/webmails/roundcube/Dockerfile
@@ -21,6 +21,7 @@ RUN set -eu \
 && pip3 install socrate \
 && echo date.timezone=UTC > /usr/local/etc/php/conf.d/timezone.ini \
 && echo "ServerSignature Off\nServerName roundcube" >> /etc/apache2/apache2.conf \
+ && sed -i 's,LogFormat "%h \(.*\) combined,Logformat "%a \1 combined,' /etc/apache2/apache2.conf \
 && sed -i 's,CustomLog.*combined$,\0 "'"expr=!(%{HTTP_USER_AGENT}=='health'\&\&(-R '127.0.0.1/8' || -R '::1'))"'",' /etc/apache2/sites-available/000-default.conf \
 \
 && mark="$(apt-mark showmanual)" \
@@ -56,7 +57,7 @@ RUN set -eu \
 && chown -R root:root . \
 && chown www-data:www-data logs temp \
 && chmod -R a+rX . \
- && a2enmod rewrite deflate expires headers \
+ && a2enmod rewrite deflate expires headers remoteip \
 && echo date.timezone=${TZ} > /usr/local/etc/php/conf.d/timezone.ini \
 && rm -rf plugins/{autologon,example_addressbook,http_authentication,krb_authentication,new_user_identity,password,redundant_attachments,squirrelmail_usercopy,userinfo,virtuser_file,virtuser_query}
@@ -65,6 +66,7 @@ RUN set -eu \
 COPY mailu.php /var/www/html/plugins/mailu/mailu.php
 COPY php.ini /
 COPY config.inc.php /
+COPY remoteip.conf /
 COPY start.py /
 COPY config.inc.carddav.php /var/www/html/plugins/carddav/config.inc.php
diff --git a/webmails/roundcube/remoteip.conf b/webmails/roundcube/remoteip.conf
new file mode 100644
index 00000000..52895749
--- /dev/null
+++ b/webmails/roundcube/remoteip.conf
@@ -0,0 +1,2 @@
+RemoteIPHeader X-Forwarded-For
+RemoteIPTrustedProxy {{ FRONT_ADDRESS }}
diff --git a/webmails/roundcube/start.py b/webmails/roundcube/start.py
index 2c66bf19..18196979 100755
--- a/webmails/roundcube/start.py
+++ b/webmails/roundcube/start.py
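Review bot: The replacement text of the added `sed` on the `LogFormat` line respells the directive as `Logformat`; Apache matches directive names case-insensitively so the format still loads, but the rewritten line reads as a typo and no longer turns up in a grep for `LogFormat`. Suggest `&& sed -i 's,LogFormat "%h \(.*\) combined,LogFormat "%a \1 combined,' /etc/apache2/apache2.conf \`. A short comment above the `RUN` would also spare the next reader the lookup, e.g. `# %a is the client address as resolved by mod_remoteip; %h would be the peer (front container)`. The enclosing `RUN set -eu` instruction starts before the hunk.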
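Review bot: `RemoteIPTrustedProxy {{ FRONT_ADDRESS }}` pins header trust to the front container, which is the right shape: without a proxy restriction any client could choose the address that ends up in the log simply by sending its own `X-Forwarded-For`. One caveat to confirm against the Apache version in the image: as I recall the mod_remoteip documentation, `RemoteIPTrustedProxy` does not accept private-range addresses (10/8, 172.16/12, 192.168/16, 127/8) from the header as the client address, so users who reach the front proxy from an internal network would still be logged as the front container, whereas `RemoteIPInternalProxy {{ FRONT_ADDRESS }}` is the variant meant for a proxy that belongs to the same deployment. A comment stating the intent would help future readers, e.g. `# Only the front (nginx) container may set the client address; X-Forwarded-For from any other peer is ignored`.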
@@ -72,6 +72,10 @@ conf.jinja("/config.inc.php", context, "/var/www/html/config/config.inc.php")
 # create dirs
 os.system("mkdir -p /data/gpg")
+# configure apache2
+conf.jinja("/remoteip.conf", context, "/etc/apache2/conf-available/remoteip.conf")
+os.system("a2enconf remoteip")
+
 print("Initializing database")
 try:
 result = subprocess.check_output(["/var/www/html/bin/initdb.sh", "--dir", "/var/www/html/SQL"],

From 6f884c6c93e614210569aa2b26aa7879e7f096b2 Mon Sep 17 00:00:00 2001
From: Pim van den Berg
Date: Wed, 15 Jun 2022 14:30:26 +0200
Subject: [PATCH 2/2] roundcube: disable access log

As per discussion in #2360: The front container (nginx reverse proxy) is already logging all requests, disable the access logs for apache2 in the roundcube container completely.
---
 towncrier/newsfragments/2360.bugfix | 1 -
 webmails/roundcube/Dockerfile | 6 ++----
 webmails/roundcube/remoteip.conf | 2 --
 webmails/roundcube/start.py | 5 ++---
 4 files changed, 4 insertions(+), 10 deletions(-)
 delete mode 100644 towncrier/newsfragments/2360.bugfix
 delete mode 100644 webmails/roundcube/remoteip.conf

diff --git a/towncrier/newsfragments/2360.bugfix b/towncrier/newsfragments/2360.bugfix
deleted file mode 100644
index 41720908..00000000
--- a/towncrier/newsfragments/2360.bugfix
+++ /dev/null
@@ -1 +0,0 @@
-roundcube: log actual client ip by using apache2 remoteip
diff --git a/webmails/roundcube/Dockerfile b/webmails/roundcube/Dockerfile
index 916cd0e5..04d92d3a 100644
--- a/webmails/roundcube/Dockerfile
+++ b/webmails/roundcube/Dockerfile
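Review bot: The exit status of `os.system("a2enconf remoteip")` is discarded, so a failing `a2enconf` leaves apache running without the remoteip configuration while the script carries on as if it had succeeded; the same file already uses `subprocess.check_output` for `initdb.sh` a few lines below, so `subprocess.check_call(["a2enconf", "remoteip"])` is both consistent with it and fails loudly. The same applies to `os.system("a2disconf other-vhosts-access-log")` in the second patch's `start.py` hunk. The rendered template also relies on `FRONT_ADDRESS` being present in `context`, which is built outside the hunk; if it can be missing, `RemoteIPTrustedProxy` would presumably render without an argument and apache would refuse to start, so a comment naming that assumption next to the `conf.jinja` call would be useful: `# context must carry FRONT_ADDRESS: it is the only peer whose X-Forwarded-For is trusted`.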
@@ -21,8 +21,7 @@ RUN set -eu \
 && pip3 install socrate \
 && echo date.timezone=UTC > /usr/local/etc/php/conf.d/timezone.ini \
 && echo "ServerSignature Off\nServerName roundcube" >> /etc/apache2/apache2.conf \
- && sed -i 's,LogFormat "%h \(.*\) combined,Logformat "%a \1 combined,' /etc/apache2/apache2.conf \
- && sed -i 's,CustomLog.*combined$,\0 "'"expr=!(%{HTTP_USER_AGENT}=='health'\&\&(-R '127.0.0.1/8' || -R '::1'))"'",' /etc/apache2/sites-available/000-default.conf \
+ && sed -i '/CustomLog.*combined$/d' /etc/apache2/sites-available/000-default.conf \
 \
 && mark="$(apt-mark showmanual)" \
 && apt install -y --no-install-recommends \
@@ -57,7 +56,7 @@ RUN set -eu \
 && chown -R root:root . \
 && chown www-data:www-data logs temp \
 && chmod -R a+rX . \
- && a2enmod rewrite deflate expires headers remoteip \
+ && a2enmod rewrite deflate expires headers \
 && echo date.timezone=${TZ} > /usr/local/etc/php/conf.d/timezone.ini \
 && rm -rf plugins/{autologon,example_addressbook,http_authentication,krb_authentication,new_user_identity,password,redundant_attachments,squirrelmail_usercopy,userinfo,virtuser_file,virtuser_query}
@@ -66,7 +65,6 @@ RUN set -eu \
 COPY mailu.php /var/www/html/plugins/mailu/mailu.php
 COPY php.ini /
 COPY config.inc.php /
-COPY remoteip.conf /
 COPY start.py /
 COPY config.inc.carddav.php /var/www/html/plugins/carddav/config.inc.php
diff --git a/webmails/roundcube/remoteip.conf b/webmails/roundcube/remoteip.conf
deleted file mode 100644
index 52895749..00000000
--- a/webmails/roundcube/remoteip.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-RemoteIPHeader X-Forwarded-For
-RemoteIPTrustedProxy {{ FRONT_ADDRESS }}
diff --git a/webmails/roundcube/start.py b/webmails/roundcube/start.py
index 18196979..bea31f4b 100755
--- a/webmails/roundcube/start.py
+++ b/webmails/roundcube/start.py
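Review bot: The new `sed -i '/CustomLog.*combined$/d'` silently does nothing if the base image's `000-default.conf` ever stops matching the pattern, in which case the access log (and the health-check noise the removed expression used to filter) quietly comes back; under `set -eu` a non-matching `sed` still exits 0. A one-line assertion right after it turns that into a build failure instead of a surprise at runtime: `&& ! grep -q 'CustomLog' /etc/apache2/sites-available/000-default.conf \`. The enclosing `RUN set -eu` instruction starts before the hunk.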
@@ -72,9 +72,8 @@ conf.jinja("/config.inc.php", context, "/var/www/html/config/config.inc.php")
 # create dirs
 os.system("mkdir -p /data/gpg")
-# configure apache2
-conf.jinja("/remoteip.conf", context, "/etc/apache2/conf-available/remoteip.conf")
-os.system("a2enconf remoteip")
+# disable access log for VirtualHosts that don't define their own logfile
+os.system("a2disconf other-vhosts-access-log")
 print("Initializing database")
 try:
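Review bot: `os.system("a2disconf other-vhosts-access-log")` runs on every container start with its exit status ignored, yet it only changes a symlink under `/etc/apache2/conf-enabled`, which is build-time configuration; it would sit more naturally in the Dockerfile next to the `a2enmod` line, where this same patch already removes the vhost's `CustomLog` at build time, and then needs no runtime failure path at all. If it stays here, `subprocess.check_call(["a2disconf", "other-vhosts-access-log"])` matches the `subprocess.check_output` usage below and surfaces a failure instead of hiding it. The comment could also record the reason given in the commit message so nobody re-enables the log thinking it was lost by accident: `# request logging is done by the front (nginx) container; apache2's own access log is disabled`. Since the patch deletes the `2360.bugfix` newsfragment rather than rewording it, the operator-visible change (no apache access log in the roundcube container) goes unannounced.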