Access log records "hits" from only 1 IP

SLMHC

MIS
Jul 23, 2004
274
CA
Apache 2.0 on a Windows box runs my company's intranet server, with access only available to my internal network.

Access log ran from June 2003 to March 2005 as normal. It recorded each IP that hit the server. Since the 1st weekend of March the majority (95%) of hits come from 1 IP. The other hits are recorded from 2 other IPs.

Server configuration has not changed. The only software added was AWStats. I first installed it in late March.

Anyone have any ideas, or have seen this before?

-Dave
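
The symptom described above can be dated from the access log itself. This Node.js code is an added example, not part of the original post: it reports the first month in which a single address accounts for nearly all hits. The log lines, the 90% threshold, the 10-hit minimum and the function names are constructed assumptions.

```javascript
// Constructed sample in Apache common log format; all addresses are made up.
const mk = (ip, day) => `${ip} - - [${day}:09:00:00 -0600] "GET / HTTP/1.1" 200 512`;
const SAMPLE_LOG = [
  ...["192.168.1.21", "192.168.1.34", "192.168.1.21", "192.168.1.57"]
    .map((ip) => mk(ip, "14/Feb/2005")),
  ...Array(19).fill(mk("192.168.1.2", "21/Mar/2005")),
  mk("192.168.1.34", "21/Mar/2005"),
];

// Client address, then month and year from the bracketed timestamp.
const LINE = /^(\S+) \S+ \S+ \[\d{2}\/([A-Za-z]{3})\/(\d{4}):[^\]]*\] "/;

// Per month (in log order): total hits, distinct clients, busiest client's share.
function monthlyTopClient(lines) {
  const months = new Map(); // "2005-Mar" -> Map(ip -> hits)
  for (const line of lines) {
    const m = LINE.exec(line);
    if (!m) continue; // skip lines that are not in common log format
    const key = `${m[3]}-${m[2]}`;
    if (!months.has(key)) months.set(key, new Map());
    const ips = months.get(key);
    ips.set(m[1], (ips.get(m[1]) || 0) + 1);
  }
  return [...months].map(([month, ips]) => {
    const total = [...ips.values()].reduce((a, b) => a + b, 0);
    const [topIp, topHits] = [...ips].sort((a, b) => b[1] - a[1])[0];
    return { month, total, clients: ips.size, topIp, share: topHits / total };
  });
}

// First month where one address reaches `threshold` of that month's hits,
// ignoring months with fewer than `minHits` requests; null if none does.
function firstCollapse(lines, threshold = 0.9, minHits = 10) {
  const hit = monthlyTopClient(lines)
    .find((r) => r.total >= minHits && r.share >= threshold);
  return hit || null;
}
```

A month where the client count drops and one address takes almost every hit points to something in the path (a proxy or NAT device) presenting its own address to the server.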
 
SLMHC,

Has anything changed with networking equipment (routers, switches, firewalls) or web proxies on your network?

What piece of equipment (computer or router/switch/firewall) do the 95% of hits come from?

Wishdiak
A+, Network+, Security+, MCSA: Security 2003
 
The hits come from our PDC.

We did install Symantec web proxy about that time. Thank you for jogging my memory. That has to be the answer. That makes sense too because I use Firefox most of the time and my IP is one of the ones that the server logs. The proxy is on our PDC.

I guess the next question will be: is there any way to get the actual client IP and not the proxy server's IP?

-Dave
 
Do your internal clients gain anything by routing through the proxy?

If not, either tell the proxy to just forward local addresses directly, or tell the clients not to use the proxy.

To do it client side, set up a proxy.pac file with an exclusion for your local domains and address ranges, snippet below. Make it available on one of your internal webservers.

/* The one and only function required in proxy.pac */
function FindProxyForURL(url, host) {
    // Private and loopback addresses: go direct
    if (shExpMatch(host, "192.168.*")) {
        return "DIRECT";
    }
    if (shExpMatch(host, "127.*")) {
        return "DIRECT";
    }

    // Internal domains: go direct
    if (host == "myIntranet.com"
        || host == "myQADomain.com")
        return "DIRECT";

    // Other address ranges to send direct
    if (shExpMatch(host, "216.*")
        || shExpMatch(host, "63.*")
        || shExpMatch(host, "66.*")
        || shExpMatch(host, "64.*")
        || shExpMatch(host, "212.*")) {
        return "DIRECT";
    }
    // ELSE
    // PROXY_HOST:PORT is a placeholder; the proxy address is missing from the post
    return "PROXY PROXY_HOST:PORT";
} // end function FindProxyForURL

// OPTIONALLY RETURN multiple proxies (in place of the single return above)
// return "PROXY PROXY_HOST:PORT; PROXY SECOND_PROXY_HOST:PORT";

IE, Netscape and Firefox can all be configured to use this proxy.pac file via their settings or options menu.
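
A proxy.pac can be checked under Node before it is published. The following is an added example, not code from the thread: it runs glob rules in the style of the snippet above next to a stricter variant that applies an address range only to literal IPs, and lists the hosts on which they disagree. The proxy address, the host list and the `globRule`, `strictRule` and `disagreements` names are assumptions, and the `shExpMatch` and `isInNet` functions are stand-ins for the helpers a browser supplies.

```javascript
// Constructed harness for PAC-style rules; PROXY is a placeholder, not from the thread.
const PROXY = "PROXY proxy.example.invalid:8080";

// Node stand-in for the PAC helper shExpMatch: shell glob over the whole string.
function shExpMatch(str, glob) {
  const re = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// Literal dotted quad -> unsigned 32-bit number; null for names or bad octets.
function ipv4ToInt(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  const o = m ? m.slice(1).map(Number) : [];
  if (o.length !== 4 || o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// Stand-in for PAC isInNet, literal addresses only (browsers also resolve names).
function isInNet(host, net, mask) {
  const h = ipv4ToInt(host), n = ipv4ToInt(net), k = ipv4ToInt(mask);
  if (h === null || n === null || k === null) return false;
  return ((h & k) >>> 0) === ((n & k) >>> 0);
}

// Glob rules in the style of the snippet above: they test the host as a string.
function globRule(url, host) {
  if (shExpMatch(host, "192.168.*") || shExpMatch(host, "127.*")) return "DIRECT";
  if (host == "myIntranet.com") return "DIRECT";
  return PROXY;
}

// Stricter variant: a range applies only to a literal address inside that network.
function strictRule(url, host) {
  if (isInNet(host, "192.168.0.0", "255.255.0.0")) return "DIRECT";
  if (isInNet(host, "127.0.0.0", "255.0.0.0")) return "DIRECT";
  if (host == "myIntranet.com") return "DIRECT";
  return PROXY;
}

// Constructed hosts; the last is a name that merely begins with 192.168.
const HOSTS = ["192.168.1.20", "127.0.0.1", "myIntranet.com",
  "www.example.org", "192.168.1.20.example.org"];

// Hosts on which the two rule sets disagree, with each decision.
function disagreements(hosts) {
  return hosts.map((h) => ({ host: h, glob: globRule("", h), strict: strictRule("", h) }))
    .filter((r) => r.glob !== r.strict);
}
```

On the constructed list only the last host differs: the glob rule sends it DIRECT because the string matches `192.168.*`, while the stricter rule sends it through the proxy where filtering still applies.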
 
We use the proxy to limit the websites that our users can access.

I'll take a look at the server config of the proxy; I know that I have added our internal URL to the list of always allowed sites.

-Dave
 
It's not that the internal sites should be allowed; it should be indicated that they not be proxied at all, just sent direct.

I'm not sure if your proxy can be set that way. Squid can be; here's how to do it in Apache:


Here's a reference on setting up your client browsers to bypass the proxy as well. It's old but it still behaves as expected in the latest versions of nearly all browsers: Mozilla, Netscape, IE, Firefox...


Jeb Beasley
\0
 
NullTerminator said:
It's not that the internal sites should be allowed; it should be indicated that they not be proxied at all, just sent direct.

Right.

NullTerminator said:
I'm not sure if your proxy can be set that way.

I'm pretty sure it can. Is this a software-based firewall (Symantec Enterprise Firewall) or hardware-based (Symantec Gateway Security appliance)? I didn't find anything when Googling 'symantec web proxy'.

Wishdiak
A+, Network+, Security+, MCSA: Security 2003
 
Symantec Web Security is the name.

-Dave
 
From what little I can find from Symantec on the subject, it looks like all requests are filtered. If you need to log client IPs on the intranet, I suggest setting up Apache as a proxy in front of the Symantec Web Security product.

Set up a mask for internal hosts and subnets with the NoProxy directive, and use the ProxyRemote directive for everything else going through the Symantec product.

Or back to the original suggestion... Set up a proxy.pac file so local requests never go through Symantec. (No Apache proxy needed for that. No performance issues. But no filtering either.)

Hope this is of some use...

Jeb Beasley
\0
 
We push the setting for our proxy through Group Policy. There was a field where you could add sites that are not passed through the proxy. This has done the trick. AWStats is reading the fully functioning Apache logs once again.

-Dave
 