My log just filled my complete EC2 HDD because Apache remoteip spams my logs with "RemoteIPProxyProtocol: unsupported command 20". This is caused by the health checks of AWS's NLB, which sends LOCAL ver_cmd proxy headers to check for problems. This is (according to the spec https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) a valid ver_cmd and shouldn't cause this kind of log spam. See "9. Sample code" for details.
Created attachment 36986 [details] Patch to prevent from logging local proxy connections
(In reply to Giovanni Bechis from comment #1) > Created attachment 36986 [details] > Patch to prevent from logging local proxy connections Desk-checking the patch, and not too familiar with this module/protocol: should we be returning over the apr_sockaddr_ip_get() below the switch?
Created attachment 36992 [details] prevent logging local proxy connections From the protocol spec (https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt): "...When used with a LOCAL command, the receiver must accept the connection and ignore any address information...." The updated patch doesn't compute the client IP in the LOCAL connection case.
Doing "return HDR_DONE" in the LOCAL case looks simpler
Created attachment 36993 [details] prevent logging local proxy connections Looks fine as well, diff updated.
Committed to trunk in r1874344.
This looks to be not working still. Since we are checking for

    if (!conn_config->client_addr) {
        ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(03496)
                      "RemoteIPProxyProtocol data is missing, but required! Aborting request.");
        return HTTP_BAD_REQUEST;
    }

we still return 400 Bad Request. We may need to do something like below under the switch statement:

    case 0x00: /* LOCAL command */
    case 0x01: /* PROXY command */
        switch (hdr->v2.fam) {
        case 0x11: /* TCPv4 */
            ret = apr_sockaddr_info_get(&conn_conf->client_addr, NULL, APR_INET,
                                        ntohs(hdr->v2.addr.ip4.src_port), 0, c->pool

and go ahead parsing client info even for LOCAL, so that conn_config->client_addr is populated.
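The spec wording quoted above ("accept the connection and ignore any address information") and the switch on ver_cmd/fam in the previous comment are easiest to reason about with a small parser in hand. The following is an added example written for this page, not code from httpd or mod_remoteip: it parses a PROXY protocol v2 header, treats LOCAL (ver_cmd 0x20) as "keep the TCP peer as the client and skip the address block", uses the source address only for PROXY (0x21), and rejects anything else with the raw ver_cmd byte in the message, the way the "unsupported command 20" log line does. Attributing a LOCAL connection to the TCP peer is this example's design choice modelled on the spec text, not necessarily what the attached patches do; the function names, the builder helpers and the sample bytes (an NLB-style health-check probe) are constructed here.

```python
# Added example (not httpd/mod_remoteip code): minimal PROXY protocol v2 parser.
# Layout per https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt, 2.2:
#   12-byte signature | ver_cmd | fam | 2-byte length | address block | TLVs
# The builders produce constructed sample headers for testing only.
import socket
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"   # 12-byte v2 signature
PP2_VERSION = 0x2
PP2_CMD_LOCAL = 0x0                          # ver_cmd 0x20: health check / self-originated
PP2_CMD_PROXY = 0x1                          # ver_cmd 0x21: relay the original client
PP2_AF_INET = 0x1
PP2_AF_INET6 = 0x2
PP2_PROTO_STREAM = 0x1

Addr = Tuple[str, int]


class ProxyProtocolError(ValueError):
    """Header is malformed or uses a command/family this parser rejects."""


@dataclass
class ProxyInfo:
    command: str        # "LOCAL" or "PROXY"
    client: Addr        # address the request should be attributed to
    consumed: int       # header bytes to strip before handing the stream to HTTP


def parse_pp2(data: bytes, peer: Addr) -> ProxyInfo:
    """Parse one v2 header at the start of `data`; `peer` is the TCP peer (the LB)."""
    if len(data) < 16:
        raise ProxyProtocolError("header shorter than the fixed 16 bytes")
    if data[:12] != PP2_SIGNATURE:
        raise ProxyProtocolError("missing PROXY protocol v2 signature")
    ver_cmd, fam, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != PP2_VERSION:
        raise ProxyProtocolError(f"unsupported version in ver_cmd 0x{ver_cmd:02x}")
    consumed = 16 + length
    if len(data) < consumed:
        raise ProxyProtocolError("header truncated (length field exceeds data)")
    cmd = ver_cmd & 0x0F
    if cmd == PP2_CMD_LOCAL:
        # Spec: "the receiver must accept the connection and ignore any address
        # information". Skip the block whatever `fam` says; attribute to the peer.
        return ProxyInfo("LOCAL", peer, consumed)
    if cmd != PP2_CMD_PROXY:
        # Without the LOCAL branch above, 0x20 (version 2, command 0) lands here,
        # which is the "unsupported command 20" message from the report.
        raise ProxyProtocolError(f"unsupported command 0x{ver_cmd:02x}")
    body = data[16:consumed]
    af = fam >> 4
    if af == PP2_AF_INET:
        if length < 12:
            raise ProxyProtocolError("TCPv4 address block needs 12 bytes")
        src, _dst, sport, _dport = struct.unpack("!4s4sHH", body[:12])
        return ProxyInfo("PROXY", (socket.inet_ntop(socket.AF_INET, src), sport), consumed)
    if af == PP2_AF_INET6:
        if length < 36:
            raise ProxyProtocolError("TCPv6 address block needs 36 bytes")
        src, _dst, sport, _dport = struct.unpack("!16s16sHH", body[:36])
        return ProxyInfo("PROXY", (socket.inet_ntop(socket.AF_INET6, src), sport), consumed)
    raise ProxyProtocolError(f"unsupported address family 0x{fam:02x}")


def split_request(data: bytes, peer: Addr) -> Tuple[ProxyInfo, bytes]:
    """Strip the header and return what is left for the HTTP parser (may be empty)."""
    info = parse_pp2(data, peer)
    return info, data[info.consumed:]


def reject_reason(data: bytes, peer: Addr) -> Optional[str]:
    """Error message for a header the parser rejects, or None if it is accepted."""
    try:
        parse_pp2(data, peer)
    except ProxyProtocolError as exc:
        return str(exc)
    return None


def _v4_block(src: Addr, dst: Addr) -> bytes:
    return socket.inet_aton(src[0]) + socket.inet_aton(dst[0]) + struct.pack("!HH", src[1], dst[1])


def build_pp2_local(addresses: Optional[Tuple[Addr, Addr]] = None) -> bytes:
    """Constructed LOCAL header, optionally with a TCPv4 block the receiver must ignore."""
    if addresses is None:
        return PP2_SIGNATURE + bytes([PP2_VERSION << 4 | PP2_CMD_LOCAL, 0x00]) + struct.pack("!H", 0)
    block = _v4_block(*addresses)
    fam = PP2_AF_INET << 4 | PP2_PROTO_STREAM
    return PP2_SIGNATURE + bytes([PP2_VERSION << 4 | PP2_CMD_LOCAL, fam]) + struct.pack("!H", len(block)) + block


def build_pp2_proxy_v4(src: Addr, dst: Addr) -> bytes:
    """Constructed PROXY header carrying the original TCPv4 client and destination."""
    block = _v4_block(src, dst)
    fam = PP2_AF_INET << 4 | PP2_PROTO_STREAM
    return PP2_SIGNATURE + bytes([PP2_VERSION << 4 | PP2_CMD_PROXY, fam]) + struct.pack("!H", len(block)) + block


if __name__ == "__main__":
    nlb = ("10.0.0.42", 22257)   # constructed: the load balancer as seen by accept()
    info, rest = split_request(build_pp2_local() + b"GET /health HTTP/1.1\r\nHost: x\r\n\r\n", nlb)
    print(info.command, info.client, rest.split(b"\r\n")[0])
```

Run it directly to see a LOCAL probe parsed and the HTTP request that follows it handed on intact; the `reject_reason` helper is there so a caller can log the rejection instead of treating it as a request-level error.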
Btw, I was developing proxy protocol for my company and still came across this issue. Is the above-mentioned fix fine? What's your opinion? Thanks, Avinash
Created attachment 37712 [details] don't log 400 for LOCAL PROXY connections Can you try this patch? We really need a test suite for this stuff. :(
Hi Joe, this patch is working fine. I would like to contribute to bug fixes/new features. Could you please help me with details on the process for the same? Thanks, Avinash
(In reply to Avinash S from comment #10) > would like to contribute in bug fixes/new features. > Could you please help me in providing details on process for the same. Thanks for proposing! The best way to contribute is to propose the patch(es) and rationale on the dev@httpd.apache.org mailing list, or for existing bugzilla tickets simply attach the proposed fix there.
I'm having the same problem caused by AWS's NLB use of LOCAL. I have tried the two patches and they successfully stopped the "RemoteIPProxyProtocol: unsupported command 20" and the logging of 400 errors, which makes the NLB health check pass. However, I'm still seeing a bunch of these, generated by the same health check requests:

    [remoteip:error] [pid 9861:tid 140156862461504] (70014)End of file found: [client 10.0.0.x:22257] AH10184: failed reading input
*** Bug 62866 has been marked as a duplicate of this bug. ***
Still seeing the same errors in Apache/2.4.53, any idea when this patch will be merged? Thanks.