From b8defe329e0049572ffe302db7d2a8dd9dd60bd8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sybren=20A=2E=20St=C3=BCvel?=
Date: Fri, 17 Apr 2020 11:38:37 +0200
Subject: [PATCH] Apache: enabled & configured mod_remoteip

This module makes it possible to do access control & logging based on client's real IP address, rather than the internal IP address of HaProxy.
---
 docker/4_run/Dockerfile | 3 ++-
 docker/4_run/apache/apache2.conf | 6 +++---
 docker/4_run/apache/remoteip.conf | 2 ++
 3 files changed, 7 insertions(+), 4 deletions(-)
 create mode 100644 docker/4_run/apache/remoteip.conf

diff --git a/docker/4_run/Dockerfile b/docker/4_run/Dockerfile
index a2af29b..95c3046 100755
--- a/docker/4_run/Dockerfile
+++ b/docker/4_run/Dockerfile
@@ -38,8 +38,9 @@ ENV USE_X_SENDFILE True
 EXPOSE 80
 EXPOSE 5000
 
+ADD apache/remoteip.conf /etc/apache2/mods-available/
 ADD apache/wsgi-py36.* /etc/apache2/mods-available/
-RUN a2enmod rewrite && a2enmod wsgi-py36
+RUN a2enmod remoteip & a2enmod rewrite && a2enmod wsgi-py36
 
 ADD apache/apache2.conf /etc/apache2/apache2.conf
 ADD apache/000-default.conf /etc/apache2/sites-available/000-default.conf
diff --git a/docker/4_run/apache/apache2.conf b/docker/4_run/apache/apache2.conf
index b708f0d..112bc78 100644
--- a/docker/4_run/apache/apache2.conf
+++ b/docker/4_run/apache/apache2.conf
@@ -133,9 +133,9 @@ AccessFileName .htaccess
 # Note that the use of %{X-Forwarded-For}i instead of %h is not recommended.
 # Use mod_remoteip instead.
 #
-LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
-LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
-LogFormat "%h %l %u %t \"%r\" %>s %O" common
+LogFormat "%v:%p %a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
+LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
+LogFormat "%a %l %u %t \"%r\" %>s %O" common
 LogFormat "%{Referer}i -> %U" referer
 LogFormat "%{User-agent}i" agent
 
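Review bot: The new `RUN` line in docker/4_run/Dockerfile joins `a2enmod remoteip` to the rest with a single `&`, so the shell backgrounds it, discards its exit status, and runs it concurrently with `a2enmod rewrite`. If enabling remoteip fails or has not finished when the layer's shell exits, the image still builds; Apache would then presumably start without the module, and `%a` and any IP-based access rules would fall back to the HAProxy address with no error. Chain it like the other two so a failure stops the build: `RUN a2enmod remoteip && a2enmod rewrite && a2enmod wsgi-py36`.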
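Review bot: With `%h` replaced by `%a` in `vhost_combined`, `combined` and `common`, the access log no longer records the peer that actually opened the connection, so a request that came through HAProxy cannot be told apart from one that reached Apache directly with a forged `X-Forwarded-For`. mod_log_config provides `%{c}a` for the underlying connection address; logging it next to `%a` keeps that evidence for incident review. Adding a field changes the layout that existing log parsers expect, so it may be safer to put it in an additional format, for example `LogFormat "%a %{c}a %l %u %t \"%r\" %>s %O" common_with_peer` (the format name is a constructed example), and use that on the vhosts behind the proxy.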
diff --git a/docker/4_run/apache/remoteip.conf b/docker/4_run/apache/remoteip.conf
new file mode 100644
index 0000000..dec34eb
--- /dev/null
+++ b/docker/4_run/apache/remoteip.conf
@@ -0,0 +1,2 @@
+RemoteIPHeader X-Forwarded-For │···
+RemoteIPInternalProxy 172.16.0.0/12 │···
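Review bot: `RemoteIPInternalProxy 172.16.0.0/12` makes Apache accept `X-Forwarded-For` from any peer in the whole 172.16.0.0–172.31.255.255 range, not only from HAProxy. Docker's default bridge networks are normally allocated from that range, so any other container or host there that can reach this Apache directly could present an arbitrary client address, which would then drive both the `%a` log field and any IP-based access control. Because the `InternalProxy` form (unlike `RemoteIPTrustedProxy`) also accepts private and loopback addresses from the header, the trusted set should be as small as possible. Narrow it to the proxy itself, e.g. `RemoteIPInternalProxy <haproxy-address-or-dedicated-subnet>` (placeholder), and add a comment in the file saying which proxy is trusted and why.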