Bug 31311

Summary: Remote user not logged in reverse proxy scenario
Product: Apache httpd-2
Reporter: Roberto <moreda>
Component: mod_log_config
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED LATER
Severity: enhancement
Keywords: MassUpdate, PatchAvailable
Priority: P3
Version: 2.0-HEAD
Target Milestone: ---
Hardware: All
OS: All
Attachments: Patch to retrieve remote user if available in auth headers

Description Roberto 2004-09-20 15:06:39 UTC
Using Apache as a reverse proxy in a scenario where the real servers are using
basic authentication, the remote user name is not logged.

Best regards.
Comment 1 Roberto 2004-09-20 15:09:34 UTC
Created attachment 12804
Patch to retrieve remote user if available in auth headers
Comment 2 Roberto 2004-09-20 15:10:57 UTC
Proposed patch available in previous comment
Comment 3 Joe Orton 2004-09-22 09:20:05 UTC
I don't think this is really correct.  A logged username should mean the user
has been authenticated *to this server*.  If the server is acting as a proxy and
not enforcing authentication itself, then it should not log a username.

Any other opinions?
Comment 4 Roberto 2004-09-22 09:33:55 UTC
Ok, I see.
Would a specific extension to log the remote user forwarded to the real server
in reverse proxy scenarios be more correct? (I can try to make up another patch.)
Any other option to do the trick?
Comment 5 Joe Orton 2004-09-22 09:42:25 UTC
A mod_proxy extension to do this as a new mod_log_config tag (registered using
ap_register_log_handler) would make more sense, I think.  To be correct really
it should extract the username directly from the header and should also support
Digest, so it could get messy.
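
The header parsing that comment 5 describes, as an added example that is not part of this thread or of httpd: a stand-alone C function (the name `forwarded_user` is hypothetical) that extracts the client-claimed username from a Basic or Digest `Authorization` value. It assumes the result would be returned by a handler registered with `ap_register_log_handler` under its own tag.

```c
#include <string.h>
#include <strings.h>  /* strncasecmp (POSIX) */

/* Minimal base64 decoder; returns decoded length or -1 on bad input/overflow. */
static int b64_decode(const char *in, char *out, size_t cap) {
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned acc = 0;
    int bits = 0;
    size_t n = 0;
    for (; *in && *in != '='; in++) {
        const char *p = strchr(tbl, *in);
        if (!p || n + 1 >= cap) return -1;
        acc = (acc << 6) | (unsigned)(p - tbl);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out[n++] = (char)((acc >> bits) & 0xFF);
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Copy the client-claimed username from an Authorization header value into
 * user[cap]. Returns 0 on success, -1 if absent or malformed. The proxy has
 * not verified this name, so it belongs in its own log field, not in %u. */
int forwarded_user(const char *hdr, char *user, size_t cap) {
    char buf[256];
    const char *name = NULL, *end;
    size_t len = 0;
    if (!hdr || cap == 0) return -1;
    if (strncasecmp(hdr, "Basic ", 6) == 0) {
        /* Basic: base64("user:password"); keep only the part before ':' */
        if (b64_decode(hdr + 6, buf, sizeof buf) < 0) return -1;
        if (!(end = strchr(buf, ':'))) return -1;
        name = buf;
        len = (size_t)(end - buf);
    } else if (strncasecmp(hdr, "Digest ", 7) == 0) {
        /* Digest: quoted username="..." parameter (escaped quotes and the
         * RFC 7616 username* form are not handled here) */
        if (!(name = strstr(hdr + 7, "username=\""))) return -1;
        name += 10;
        if (!(end = strchr(name, '"'))) return -1;
        len = (size_t)(end - name);
    }
    if (!name || len == 0 || len >= cap) return -1;
    /* Neutralise control bytes so the value cannot forge log lines */
    for (size_t i = 0; i < len; i++)
        user[i] = ((unsigned char)name[i] < 0x20 || name[i] == 0x7f) ? '?' : name[i];
    user[len] = '\0';
    return 0;
}
```

Because the backend, not the proxy, decides whether the credentials are valid, a name logged this way also appears for requests the backend rejects with 401.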
Comment 6 Nick Kew 2004-09-22 10:13:40 UTC
I tend to agree with Joe's first comment and lean towards WONTFIX.

But is this report correct? Are you saying the proxy sets r->user to a value
that's meant for the backend server, or is this from Proxy-Authenticate?
Comment 7 Klaus D. Witzel 2007-08-19 16:07:50 UTC
(In reply to comment #6)
> I tend to agree with Joe's first comment and lean towards WONTFIX.

Please fix (see how below), for otherwise the reverse proxy is not usable for us.

> But is this report correct? Are you saying the proxy sets r->user to a value
> that's meant for the backend server, or is this from Proxy-Authenticate?

If in doubt about what data to log, then I suggest making a switch (let the admin choose) for what to log in that field.

At our site we cannot build apache2 just because reverse proxy logging is incomplete (no offense).

TIA
Comment 8 William A. Rowe Jr. 2018-11-07 21:08:40 UTC
Please help us to refine our list of open and current defects; this is a mass update of old and inactive Bugzilla reports which reflect user error, already resolved defects, and still-existing defects in httpd.

As repeatedly announced, the Apache HTTP Server Project has discontinued all development and patch review of the 2.2.x series of releases. The final release 2.2.34 was published in July 2017, and no further evaluation of bug reports or security risks will be considered or published for 2.2.x releases. All reports older than 2.4.x have been updated to status RESOLVED/LATER; no further action is expected unless the report still applies to a current version of httpd.

If your report represented a question or confusion about how to use an httpd feature, an unexpected server behavior, problems building or installing httpd, or working with an external component (a third party module, browser etc.) we ask you to start by bringing your question to the User Support and Discussion mailing list, see [https://httpd.apache.org/lists.html#http-users] for details. Include a link to this Bugzilla report for completeness with your question.

If your report was clearly a defect in httpd or a feature request, we ask that you retest using a modern httpd release (2.4.33 or later) released in the past year. If it can be reproduced, please reopen this bug and change the Version field above to the httpd version you have reconfirmed with.

Your help in identifying defects or enhancements still applicable to the current httpd server software release is greatly appreciated.