How to fix multiple OIP logging issue
How to fix multiple OIP logging issue?
OIP stands for Originating Client IP Address. Mailboxd assigns OIP value from the HTTP Request header field 'X-Forwarded-For'.
When a client connects to the Zimbra WebClient through an HTTP proxy or a load balancer and once the traffic is intercepted between clients and servers, server access logs contain the IP address of the proxy or load balancer only. To see the original IP address of the client, the X-Forwarded-For request header is used.
This is the general format of 'X-Forwarded-For' request header.
X-Forwarded-For: <client>, <proxy1>, <proxy2>
Where the value is a comma-separated list of the IP addresses, the left-most being the original client IP address, and each successive proxy that passed the request adding the IP address where it received the request from.
This means, the right-most IP address is the IP address of the most recent proxy and the left-most IP address is the IP address of the originating client.
Sample log entries:
2020-08-26 10:00:38.074:INFO:oejs.DoSFilter:qtp1684106402-771:http://localhost/service/soap/GetInfoRequest: Ignoring malformed remote address xxx.xxx.xxx.xxx, yyy.yyy.yyy.yyy 2020-08-26 00:19:26.942:INFO:oejs.DoSFilter:qtp1874154700-1750041:http://localhost/service/soap/AuthRequest: Ignoring malformed remote address xxx.xxx.xxx.xxx, yyy.yyy.yyy.yyy
2019-08-26 06:46:36,965 INFO [qtp1874154700-1886919:http://localhost/service/soap/AuthRequest] [firstname.lastname@example.org;oip=xxx.xxx.xxx.xxx, yyy.yyy.yyy.yyy;ua=zclient/8.8.15_GA_1728;soapId=39504524;] soap - AuthRequest elapsed=1 2020-08-26 07:27:53,459 INFO [qtp1874154700-1900882:http://localhost/service/soap/AutoCompleteRequest] [email@example.com;mid=28;oip=xxx.xxx.xxx.xxx, yyy.yyy.yyy.yyy;ua=zclient/8.8.15_GA_1728;soapId=39505079;] gal - autocomplete: overall=296ms, ranking=227ms, folder=2ms, gal=67ms
2020-08-28 00:09:41.837:INFO:oejs.DoSFilter:qtp2036958521-120378:https:https://mail.zimbrasupportlab.com/Microsoft-Server-ActiveSync?Cmd=Ping&User=john.doe%40zimbrasupportlab.com&DeviceId=C89158839E9&DeviceType=iPhone: Ignoring malformed remote address xxx.xxx.xxx.xxx, yyy.yyy.yyy.yyy 2020-08-28 00:09:53.907:INFO:oejs.DoSFilter:qtp2036958521-120413:https:https://mail.zimbrasupportlab.com/Microsoft-Server-ActiveSync?Cmd=Ping&User=john.doe%40zimbrasupportlab.com&DeviceId=C89158839E9&DeviceType=iPhone: Ignoring malformed remote address xxx.xxx.xxx.xxx, yyy.yyy.yyy.yyy
xxx.xxx.xxx.xxx -> IP address of the Originating client from where the request originated or was initiated.
yyy.yyy.yyy.yyy -> First Proxy server which will send request to another proxy server or the destination server.
If there are multiple proxy servers then the left most will always be the IP address of the Originating client.
If there is only one proxy server which forwards request directly to destination server then oip will have only one entry (i.e. for Originating client IP).
Modify Nginx Templates files for correct OIP logging
[As ROOT user]
1) Take backup of existing Nginx conf directory.
cp -pvr /opt/zimbra/conf/nginx /opt/zimbra/conf/nginx-`date +"%d-%m-%Y"`
$http_x_forwarded_for in the all template files under /opt/zimbra/conf/nginx/templates.
sed -i 's/$proxy_add_x_forwarded_for/$http_x_forwarded_for/g' /opt/zimbra/conf/nginx/templates/*
3) Restart proxy service.
Note: If multiple zimbra-proxy servers present in the setup then make these changes on all zimbra-proxies.
|Submitted by: Heera Singh Koranga|