Bug Report
Summary
I have a mezzio app using mezzio-swoole, which is hosted behind an nginx configured as a reverse proxy.
I have configured the access logger like this:
However, I have noticed that the %h part is being replaced by the proxy IP address, instead of the real client address.
I have dug in the code and it looks like it's always using the REMOTE_ADDR server param, when it should be first checking the HTTP_X_FORWARDED_FOR one, and if not found, then fall back to REMOTE_ADDR (I think).
It should potentially check HTTP_X_REAL_IP and HTTP_CLIENT_IP first too, as those are common ways to forward real IP addresses from reverse proxies.
Current behavior
When using the %h or %a modifiers for the access logging format, if the app is served behind a reverse proxy, the proxy IP address is logged.
How to reproduce
Set up a mezzio skeleton app, install swoole and mezzio-swoole and add the logger config provided above.
Then put a reverse proxy in front of the app and try accessing it.
Expected behavior
When using the %h or %a modifiers for the access logging format, if the app is served behind a reverse proxy, the real client IP address is logged.
I can provide a fix for this if you think that would be a proper solution.
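
An added example, not code from the issue or from mezzio-swoole: one way to resolve the address for %h / %a from the server params named in the report, honouring HTTP_X_FORWARDED_FOR only when REMOTE_ADDR is a known reverse proxy, because the header itself is supplied by the client. The function name resolveClientIp, the $trustedProxies list (exact IPs, no CIDR matching) and the sample addresses are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not part of mezzio-swoole): pick the address to log
// for %h / %a from PSR-7 style server params.
// $trustedProxies is an assumed list of exact reverse-proxy IPs.
function resolveClientIp(array $serverParams, array $trustedProxies): string
{
    $remote = $serverParams['REMOTE_ADDR'] ?? '-';

    // Forwarded headers are client-supplied; honour them only when the
    // direct peer is one of our own reverse proxies.
    if (! in_array($remote, $trustedProxies, true)) {
        return $remote;
    }
    $forwarded = $serverParams['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($forwarded === '') {
        return $remote;
    }

    // X-Forwarded-For reads "client, proxy1, proxy2": each proxy appends the
    // peer it saw. Walk right to left and stop at the first hop that is not ours.
    $hops = array_reverse(array_map('trim', explode(',', $forwarded)));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remote; // malformed entry: never log arbitrary header text
        }
        if (! in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $remote; // every listed hop was a trusted proxy
}

// Constructed sample inputs (documentation address ranges).
$proxies = ['10.0.0.5'];
$cases = [
    // Request relayed by the trusted proxy.
    ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'],
    // Client forged an entry; the proxy appended the peer it really saw.
    ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 203.0.113.7'],
    // Direct connection carrying a forged header; the header is ignored.
    ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'],
];
foreach ($cases as $params) {
    echo resolveClientIp($params, $proxies), PHP_EOL;
}
```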