How to fix multiple OIP logging issue: Difference between revisions
Latest revision as of 06:57, 23 September 2020
How to fix multiple OIP logging issue?
Overview
OIP stands for Originating Client IP Address. Mailboxd takes the OIP value from the HTTP request header field 'X-Forwarded-For'.
When a client connects to the Zimbra WebClient through an HTTP proxy or a load balancer, the traffic between client and server is intercepted, so the server access logs contain only the IP address of the proxy or load balancer. To see the original IP address of the client, the X-Forwarded-For request header is used.
This is the general format of the 'X-Forwarded-For' request header:
X-Forwarded-For: <client>, <proxy1>, <proxy2>
The value is a comma-separated list of IP addresses: the left-most is the original client IP address, and each successive proxy that passes the request on adds the IP address it received the request from.
This means the right-most IP address is the IP address of the most recent proxy and the left-most IP address is the IP address of the originating client.
Sample log entries:
2020-08-26 10:00:38.074:INFO:oejs.DoSFilter:qtp1684106402-771:http://localhost/service/soap/GetInfoRequest: Ignoring malformed remote address xxx.xxx.xxx.xxx, yyy.yyy.yyy.yyy
2020-08-26 00:19:26.942:INFO:oejs.DoSFilter:qtp1874154700-1750041:http://localhost/service/soap/AuthRequest: Ignoring malformed remote address xxx.xxx.xxx.xxx, yyy.yyy.yyy.yyy
2019-08-26 06:46:36,965 INFO [qtp1874154700-1886919:http://localhost/service/soap/AuthRequest] [name=john.doe@zimbrasupportlab.com.com;oip=xxx.xxx.xxx.xxx, yyy.yyy.yyy.yyy;ua=zclient/8.8.15_GA_1728;soapId=39504524;] soap - AuthRequest elapsed=1
2020-08-26 07:27:53,459 INFO [qtp1874154700-1900882:http://localhost/service/soap/AutoCompleteRequest] [name=john.doe@zimbrasupportlab.com.com;mid=28;oip=xxx.xxx.xxx.xxx, yyy.yyy.yyy.yyy;ua=zclient/8.8.15_GA_1728;soapId=39505079;] gal - autocomplete: overall=296ms, ranking=227ms, folder=2ms, gal=67ms
2020-08-28 00:09:41.837:INFO:oejs.DoSFilter:qtp2036958521-120378:https:https://mail.zimbrasupportlab.com/Microsoft-Server-ActiveSync?Cmd=Ping&User=john.doe%40zimbrasupportlab.com&DeviceId=C89158839E9&DeviceType=iPhone: Ignoring malformed remote address xxx.xxx.xxx.xxx, yyy.yyy.yyy.yyy
2020-08-28 00:09:53.907:INFO:oejs.DoSFilter:qtp2036958521-120413:https:https://mail.zimbrasupportlab.com/Microsoft-Server-ActiveSync?Cmd=Ping&User=john.doe%40zimbrasupportlab.com&DeviceId=C89158839E9&DeviceType=iPhone: Ignoring malformed remote address xxx.xxx.xxx.xxx, yyy.yyy.yyy.yyy
xxx.xxx.xxx.xxx -> IP address of the originating client from where the request originated or was initiated.
yyy.yyy.yyy.yyy -> First proxy server, which sends the request on to another proxy server or the destination server.
If there are multiple proxy servers, the left-most address will always be the IP address of the originating client.
If there is only one proxy server, which forwards requests directly to the destination server, then oip will have only one entry (i.e. the originating client IP).
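To measure how many log entries carry more than one address in the originating-IP value, the following added example (not part of the original article) scans the two log line shapes shown above. The sample lines, addresses and account names in it are constructed.

```shell
#!/bin/sh
# Added example: report log entries whose originating-IP value holds more than
# one address. Covers the two line shapes shown in the sample log entries:
#   mailbox.log: ...;oip=<addr>, <addr>;...
#   DoSFilter:   ... Ignoring malformed remote address <addr>, <addr>

# multi_oip_chains [FILE...] -> "<count> <chain>" per distinct multi-address value
multi_oip_chains() {
    awk '
        # mailbox.log shape: the value runs from "oip=" to the next ";"
        match($0, /oip=[^;]*/) {
            v = substr($0, RSTART + 4, RLENGTH - 4)
            if (index(v, ",")) seen[v]++
            next
        }
        # DoSFilter shape: the value is everything after the fixed message text
        match($0, /Ignoring malformed remote address /) {
            v = substr($0, RSTART + RLENGTH)
            if (index(v, ",")) seen[v]++
        }
        END { for (v in seen) print seen[v], v }
    ' "$@" | sort
}

# count_multi_oip [FILE...] -> number of log lines with a multi-address value
count_multi_oip() {
    multi_oip_chains "$@" | awk '{ n += $1 } END { print n + 0 }'
}

# Constructed sample log (documentation address ranges, hypothetical accounts)
sample_log() {
    cat <<'EOF'
2020-08-26 07:27:53,459 INFO [qtp1-1:http://localhost/service/soap/AuthRequest] [name=user1@example.com;oip=192.0.2.10, 198.51.100.7;ua=zclient/8.8.15_GA_1728;soapId=1;] soap - AuthRequest elapsed=1
2020-08-26 07:28:01,120 INFO [qtp1-2:http://localhost/service/soap/AuthRequest] [name=user2@example.com;oip=192.0.2.44;ua=zclient/8.8.15_GA_1728;soapId=2;] soap - AuthRequest elapsed=1
2020-08-26 07:29:10,003 INFO [qtp1-4:http://localhost/service/soap/AuthRequest] [name=user3@example.com;oip=203.0.113.5, 192.0.2.1, 198.51.100.7;ua=zclient/8.8.15_GA_1728;soapId=3;] soap - AuthRequest elapsed=1
2020-08-26 10:00:38.074:INFO:oejs.DoSFilter:qtp1-3:http://localhost/service/soap/GetInfoRequest: Ignoring malformed remote address 192.0.2.10, 198.51.100.7
EOF
}

# Reads the files given as arguments, or the constructed sample when none are given
if [ $# -gt 0 ]; then multi_oip_chains "$@"; else sample_log | multi_oip_chains; fi
```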
Modify Nginx template files for correct OIP logging
[As ROOT user]
1) Take a backup of the existing Nginx conf directory.
cp -pvr /opt/zimbra/conf/nginx /opt/zimbra/conf/nginx-`date +"%d-%m-%Y"`
2) Replace $proxy_add_x_forwarded_for with $http_x_forwarded_for in all the template files under /opt/zimbra/conf/nginx/templates.
sed -i 's/$proxy_add_x_forwarded_for/$http_x_forwarded_for/g' /opt/zimbra/conf/nginx/templates/*
3) Restart the proxy service.
zmproxyctl restart
Note: If multiple zimbra-proxy servers are present in the setup, make these changes on all of them.
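A dry run of step 2, as an added example that is not part of the original article: it applies the same substitution to a scratch copy and prints the diff, so the change can be reviewed before the live templates are edited. The sample template file names and contents are constructed.

```shell
#!/bin/sh
# Added example: preview step 2 on a scratch copy; the live templates are not modified.
OLD_VAR='$proxy_add_x_forwarded_for'

# count_refs DIR -> number of lines under DIR that reference OLD_VAR
count_refs() {
    grep -rF -- "$OLD_VAR" "$1" 2>/dev/null | wc -l | tr -d ' '
}

# preview_xff_change DIR -> prints a unified diff of what step 2 would change.
# Returns 0 only if no reference to OLD_VAR is left in the rewritten copy.
preview_xff_change() {
    src=$1
    work=$(mktemp -d) || return 2
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        # Same substitution as step 2 ("\$" spells out the literal dollar sign),
        # written to the scratch copy instead of editing in place.
        sed 's/\$proxy_add_x_forwarded_for/$http_x_forwarded_for/g' "$f" \
            > "$work/$(basename "$f")"
    done
    diff -u -r "$src" "$work" || :   # exit status 1 only means "files differ"
    left=$(count_refs "$work")
    rm -rf "$work"
    [ "$left" -eq 0 ]
}

# Constructed stand-in for a template directory (file names are hypothetical)
make_sample_templates() {
    printf '%s\n' 'proxy_set_header Host $http_host;' \
        'proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;' \
        > "$1/sample.web.template"
    printf '%s\n' 'proxy_set_header X-Real-IP $remote_addr;' > "$1/sample.other.template"
}

# With an argument: preview that directory. Without: run on the constructed sample.
if [ $# -gt 0 ]; then
    preview_xff_change "$1"
else
    demo=$(mktemp -d) && make_sample_templates "$demo"
    preview_xff_change "$demo"
    rm -rf "$demo"
fi
```

In nginx, `$http_x_forwarded_for` is the X-Forwarded-For header exactly as received, while `$proxy_add_x_forwarded_for` is that header with the connecting address appended. After the change, the logged oip therefore depends on the upstream load balancer or proxy setting the header.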
Submitted by: Heera Singh Koranga