roundcube: log actual client ip by using apache2 remoteip

Roundcube webmail is accessed through the nginx reverse proxy in the front container. Each access logline logged by apache2 in the roundcube container did not contain the actual client IP address, but the IP address of the front container, for example: > 192.168.203.3 - - [28/May/2022:12:33:52 +0000] "POST /?_task=mail&_action=refresh HTTP/1.1" 200 677 "https://[REDACTED]/roundcube/?_task=mail&_mbox=INBOX" "Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0" ^ IP address of the front container By enabling the apache2 remoteip module and configuring it to get the actual client IP address from the X-Forwarded-For header, it logs the correct client IP address to the access log.
2 years ago · e8b7d6afed
parent 92a8da499a
commit e8b7d6afed
4 changed files with 10 additions and 1 deletions
--- a/towncrier/newsfragments/2360.bugfix
+++ b/towncrier/newsfragments/2360.bugfix
@ -0,0 +1 @@
+roundcube: log actual client ip by using apache2 remoteip
--- a/webmails/roundcube/Dockerfile
+++ b/webmails/roundcube/Dockerfile
@ -21,6 +21,7 @@ RUN set -eu \
 && pip3 install socrate \
 && echo date.timezone=UTC > /usr/local/etc/php/conf.d/timezone.ini \
 && echo "ServerSignature Off\nServerName roundcube" >> /etc/apache2/apache2.conf \
+ && sed -i 's,LogFormat "%h \(.*\) combined,Logformat "%a \1 combined,' /etc/apache2/apache2.conf \
 && sed -i 's,CustomLog.*combined$,\0 "'"expr=!(%{HTTP_USER_AGENT}=='health'\&\&(-R '127.0.0.1/8' || -R '::1'))"'",' /etc/apache2/sites-available/000-default.conf \
 \
 && mark="$(apt-mark showmanual)" \
@ -56,7 +57,7 @@ RUN set -eu \
 && chown -R root:root . \
 && chown www-data:www-data logs temp \
 && chmod -R a+rX . \
- && a2enmod rewrite deflate expires headers \
+ && a2enmod rewrite deflate expires headers remoteip \
 && echo date.timezone=${TZ} > /usr/local/etc/php/conf.d/timezone.ini \
 && rm -rf plugins/{autologon,example_addressbook,http_authentication,krb_authentication,new_user_identity,password,redundant_attachments,squirrelmail_usercopy,userinfo,virtuser_file,virtuser_query}

@ -65,6 +66,7 @@ RUN set -eu \
 COPY mailu.php /var/www/html/plugins/mailu/mailu.php
 COPY php.ini /
 COPY config.inc.php /
+COPY remoteip.conf /
 COPY start.py /
 COPY config.inc.carddav.php /var/www/html/plugins/carddav/config.inc.php

--- a/webmails/roundcube/remoteip.conf
+++ b/webmails/roundcube/remoteip.conf
@ -0,0 +1,2 @@
+RemoteIPHeader X-Forwarded-For
+RemoteIPTrustedProxy {{ FRONT_ADDRESS }}
--- a/webmails/roundcube/start.py
+++ b/webmails/roundcube/start.py
@ -72,6 +72,10 @@ conf.jinja("/config.inc.php", context, "/var/www/html/config/config.inc.php")
 # create dirs
 os.system("mkdir -p /data/gpg")

+# configure apache2
+conf.jinja("/remoteip.conf", context, "/etc/apache2/conf-available/remoteip.conf")
+os.system("a2enconf remoteip")
+
 print("Initializing database")
 try:
    result = subprocess.check_output(["/var/www/html/bin/initdb.sh", "--dir", "/var/www/html/SQL"],
				`@ -0,0 +1 @@`
				`roundcube: log actual client ip by using apache2 remoteip`