How to fix multiple OIP logging issue

Revision as of 06:57, 23 September 2020 by Ashah (talk | contribs) (Overview)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

How to fix multiple OIP logging issue?


   KB 24155        Last updated on 2020-09-23  




0.00
(0 votes)

Overview

OIP stands for Originating Client IP Address. Mailboxd assigns OIP value from the HTTP Request header field 'X-Forwarded-For'.

When a client connects to the Zimbra WebClient through an HTTP proxy or a load balancer and once the traffic is intercepted between clients and servers, server access logs contain the IP address of the proxy or load balancer only. To see the original IP address of the client, the X-Forwarded-For request header is used.


This is the general format of 'X-Forwarded-For' request header.

X-Forwarded-For: <client>, <proxy1>, <proxy2> 

Where the value is a comma-separated list of the IP addresses, the left-most being the original client IP address, and each successive proxy that passed the request adding the IP address where it received the request from.
This means, the right-most IP address is the IP address of the most recent proxy and the left-most IP address is the IP address of the originating client.


Sample log entries:

2020-08-26 10:00:38.074:INFO:oejs.DoSFilter:qtp1684106402-771:http://localhost/service/soap/GetInfoRequest: Ignoring malformed remote address xxx.xxx.xxx.xxx, yyy.yyy.yyy.yyy 
2020-08-26 00:19:26.942:INFO:oejs.DoSFilter:qtp1874154700-1750041:http://localhost/service/soap/AuthRequest: Ignoring malformed remote address xxx.xxx.xxx.xxx, yyy.yyy.yyy.yyy 
2019-08-26 06:46:36,965 INFO  [qtp1874154700-1886919:http://localhost/service/soap/AuthRequest] [name=john.doe@zimbrasupportlab.com.com;oip=xxx.xxx.xxx.xxx, yyy.yyy.yyy.yyy;ua=zclient/8.8.15_GA_1728;soapId=39504524;] soap - AuthRequest elapsed=1
2020-08-26 07:27:53,459 INFO  [qtp1874154700-1900882:http://localhost/service/soap/AutoCompleteRequest] [name=john.doe@zimbrasupportlab.com.com;mid=28;oip=xxx.xxx.xxx.xxx, yyy.yyy.yyy.yyy;ua=zclient/8.8.15_GA_1728;soapId=39505079;] gal - autocomplete: overall=296ms, ranking=227ms, folder=2ms, gal=67ms
2020-08-28 00:09:41.837:INFO:oejs.DoSFilter:qtp2036958521-120378:https:https://mail.zimbrasupportlab.com/Microsoft-Server-ActiveSync?Cmd=Ping&User=john.doe%40zimbrasupportlab.com&DeviceId=C89158839E9&DeviceType=iPhone: Ignoring malformed remote address xxx.xxx.xxx.xxx, yyy.yyy.yyy.yyy
2020-08-28 00:09:53.907:INFO:oejs.DoSFilter:qtp2036958521-120413:https:https://mail.zimbrasupportlab.com/Microsoft-Server-ActiveSync?Cmd=Ping&User=john.doe%40zimbrasupportlab.com&DeviceId=C89158839E9&DeviceType=iPhone: Ignoring malformed remote address xxx.xxx.xxx.xxx, yyy.yyy.yyy.yyy

xxx.xxx.xxx.xxx -> IP address of the Originating client from where the request originated or was initiated.
yyy.yyy.yyy.yyy -> First Proxy server which will send request to another proxy server or the destination server.

If there are multiple proxy servers then the left most will always be the IP address of the Originating client.
If there is only one proxy server which forwards request directly to destination server then oip will have only one entry (i.e. for Originating client IP).


Modify Nginx Templates files for correct OIP logging

[As ROOT user]
1) Take backup of existing Nginx conf directory.

cp -pvr /opt/zimbra/conf/nginx /opt/zimbra/conf/nginx-`date +"%d-%m-%Y"` 


2) Replace $proxy_add_x_forwarded_for with $http_x_forwarded_for in the all template files under /opt/zimbra/conf/nginx/templates.

sed -i 's/$proxy_add_x_forwarded_for/$http_x_forwarded_for/g' /opt/zimbra/conf/nginx/templates/*


3) Restart proxy service.

zmproxyctl restart

Note: If multiple zimbra-proxy servers present in the setup then make these changes on all zimbra-proxies.


Submitted by: Heera Singh Koranga
Verified Against: ZCS 9.0,8.8 Date Created: 2020-09-20
Article ID: https://wiki.zimbra.com/index.php?title=How_to_fix_multiple_OIP_logging_issue Date Modified: 2020-09-23



Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »


Jump to: navigation, search