roundcube: log actual client ip by using apache2 remoteip

Roundcube webmail is accessed through the nginx reverse proxy in the
front container. Each access logline logged by apache2 in the roundcube
container did not contain the actual client IP address, but the IP
address of the front container, for example:

> 192.168.203.3 - - [28/May/2022:12:33:52 +0000] "POST /?_task=mail&_action=refresh HTTP/1.1" 200 677 "https://[REDACTED]/roundcube/?_task=mail&_mbox=INBOX" "Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0"
  ^
  IP address of the front container

By enabling the apache2 remoteip module and configuring it to get the
actual client IP address from the X-Forwarded-For header, it logs the
correct client IP address to the access log.
master
Pim van den Berg 2 years ago
parent 92a8da499a
commit e8b7d6afed

@ -0,0 +1 @@
roundcube: log actual client ip by using apache2 remoteip

@ -21,6 +21,7 @@ RUN set -eu \
&& pip3 install socrate \ && pip3 install socrate \
&& echo date.timezone=UTC > /usr/local/etc/php/conf.d/timezone.ini \ && echo date.timezone=UTC > /usr/local/etc/php/conf.d/timezone.ini \
&& echo "ServerSignature Off\nServerName roundcube" >> /etc/apache2/apache2.conf \ && echo "ServerSignature Off\nServerName roundcube" >> /etc/apache2/apache2.conf \
&& sed -i 's,LogFormat "%h \(.*\) combined,Logformat "%a \1 combined,' /etc/apache2/apache2.conf \
&& sed -i 's,CustomLog.*combined$,\0 "'"expr=!(%{HTTP_USER_AGENT}=='health'\&\&(-R '127.0.0.1/8' || -R '::1'))"'",' /etc/apache2/sites-available/000-default.conf \ && sed -i 's,CustomLog.*combined$,\0 "'"expr=!(%{HTTP_USER_AGENT}=='health'\&\&(-R '127.0.0.1/8' || -R '::1'))"'",' /etc/apache2/sites-available/000-default.conf \
\ \
&& mark="$(apt-mark showmanual)" \ && mark="$(apt-mark showmanual)" \
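Review bot: The added sed on the `LogFormat` line is a silent no-op if /etc/apache2/apache2.conf has no line matching `LogFormat "%h \(.*\) combined`, for example after a base image update; the build still succeeds and the access log keeps showing the address of the front container. Consider chaining a check such as `grep -q '"%a ' /etc/apache2/apache2.conf` after it so the build fails when the pattern stops matching. The replacement also writes `Logformat` instead of `LogFormat`; Apache treats directive names case-insensitively, so it works, but keeping the original casing means later seds or greps on that file still find the line.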
@ -56,7 +57,7 @@ RUN set -eu \
&& chown -R root:root . \ && chown -R root:root . \
&& chown www-data:www-data logs temp \ && chown www-data:www-data logs temp \
&& chmod -R a+rX . \ && chmod -R a+rX . \
&& a2enmod rewrite deflate expires headers \ && a2enmod rewrite deflate expires headers remoteip \
&& echo date.timezone=${TZ} > /usr/local/etc/php/conf.d/timezone.ini \ && echo date.timezone=${TZ} > /usr/local/etc/php/conf.d/timezone.ini \
&& rm -rf plugins/{autologon,example_addressbook,http_authentication,krb_authentication,new_user_identity,password,redundant_attachments,squirrelmail_usercopy,userinfo,virtuser_file,virtuser_query} && rm -rf plugins/{autologon,example_addressbook,http_authentication,krb_authentication,new_user_identity,password,redundant_attachments,squirrelmail_usercopy,userinfo,virtuser_file,virtuser_query}
@ -65,6 +66,7 @@ RUN set -eu \
COPY mailu.php /var/www/html/plugins/mailu/mailu.php COPY mailu.php /var/www/html/plugins/mailu/mailu.php
COPY php.ini / COPY php.ini /
COPY config.inc.php / COPY config.inc.php /
COPY remoteip.conf /
COPY start.py / COPY start.py /
COPY config.inc.carddav.php /var/www/html/plugins/carddav/config.inc.php COPY config.inc.carddav.php /var/www/html/plugins/carddav/config.inc.php

@ -0,0 +1,2 @@
RemoteIPHeader X-Forwarded-For
RemoteIPTrustedProxy {{ FRONT_ADDRESS }}
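Review bot: `RemoteIPTrustedProxy` does not accept private or loopback addresses (10/8, 172.16/12, 192.168/16, 169.254/16, 127/8) taken from the header, so a webmail user connecting from a LAN or VPN range would still be logged with the address of the front container. If those clients should be logged too, `RemoteIPInternalProxy {{ FRONT_ADDRESS }}` is the directive that accepts them. Either way, a comment in this file naming the front proxy as the only trusted source of X-Forwarded-For would help the next reader, since this file now decides whose word the access log takes for the client address.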

@ -72,6 +72,10 @@ conf.jinja("/config.inc.php", context, "/var/www/html/config/config.inc.php")
# create dirs # create dirs
os.system("mkdir -p /data/gpg") os.system("mkdir -p /data/gpg")
# configure apache2
conf.jinja("/remoteip.conf", context, "/etc/apache2/conf-available/remoteip.conf")
os.system("a2enconf remoteip")
print("Initializing database") print("Initializing database")
try: try:
result = subprocess.check_output(["/var/www/html/bin/initdb.sh", "--dir", "/var/www/html/SQL"], result = subprocess.check_output(["/var/www/html/bin/initdb.sh", "--dir", "/var/www/html/SQL"],
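Review bot: The exit status of `os.system("a2enconf remoteip")` is discarded, so if enabling the conf fails the container starts anyway and, with the log format now on `%a`, the access log silently goes back to recording the proxy address. The file already uses subprocess a few lines below, so `subprocess.check_call(["a2enconf", "remoteip"])` would make the failure visible at startup and avoid going through a shell.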
