{"id":575,"date":"2008-03-27T00:55:28","date_gmt":"2008-03-27T03:55:28","guid":{"rendered":"http:\/\/www.fonz.net\/blog\/archives\/2008\/03\/27\/information-on-mod_usertrack-akamai-and-caching-proxies\/"},"modified":"2008-03-27T00:58:19","modified_gmt":"2008-03-27T03:58:19","slug":"information-on-mod_usertrack-akamai-and-caching-proxies","status":"publish","type":"post","link":"https:\/\/www.fonz.net\/blog\/archives\/2008\/03\/27\/information-on-mod_usertrack-akamai-and-caching-proxies\/","title":{"rendered":"information on mod_usertrack, akamai, and caching proxies"},"content":{"rendered":"<p>I found the following information to be missing from the <a href=\"http:\/\/httpd.apache.org\/docs\/2.2\/mod\/mod_usertrack.html\">mod_usertrack docs<\/a>. I&#8217;m putting it here so I don&#8217;t forget this semi-useful information. Hopefully it will also save someone else the need to read through the source code to figure this stuff out. (As a side note, I dislike reading through C code.)<\/p>\n<p>This information applies to the current releases of <a href=\"http:\/\/httpd.apache.org\">Apache httpd<\/a> (2.2.8, 2.0.63, and 1.3.4). Considering mod_usertrack hasn&#8217;t seen any significant changes in years, I can&#8217;t imagine this will be outdated anytime soon.<\/p>\n<ul>\n<li>mod_usertrack generates a cookie whose contents are IP + timestamp. For example, if the IP which generates the request is <strong><font color=\"#cc0000\">10.0.0.1<\/font><\/strong> and the current unix time is <strong><font color=\"#cc0000\">120658819<\/font><\/strong>, the cookie will contain: <strong><font color=\"#cc0000\">10.0.0.1.<\/font><\/strong><strong><font color=\"#cc0000\">120658819<\/font><\/strong><\/li>\n<li>mod_usertrack generates this string for the cookie by calling ap_get_remote_host() and concatenating the result with apr_time_now().<\/li>\n<li>ap_get_remote_host() returns the DNS name or the IP address of the remote host.  
It determines this IP based on the TCP\/IP connection and NOT from the HTTP headers at Layer 7.<\/li>\n<li>As a result, if users access your web server via Akamai&#8217;s content delivery network, a caching proxy, or some other intermediary, the IP returned by ap_get_remote_host() will not be the IP of the user. It will be the IP of the intermediary (i.e. the Akamai edge server, proxy server, etc.). You should therefore not count on this being the actual user&#8217;s IP. Get that information from the HTTP headers if you can. This will often be preserved in X-Forwarded-For, as well as other places.<\/li>\n<li>I REPEAT: DO NOT COUNT ON THIS BEING THE ACTUAL USER&#8217;S IP ADDRESS. People seem to do this quite often, even though the documentation DOES NOT say you can count on it being the user&#8217;s IP, or even that the cookie will contain the user&#8217;s IP.<\/li>\n<li>If enough users are accessing your server via the same proxy\/Akamai edge server\/other intermediary, it is possible that 2 users will end up with the same cookie value. Therefore it is theoretically possible for this value to not be unique to an individual user. Not to mention that even if it were the remote user&#8217;s IP, it could still be non-unique if multiple users are located behind a NAT.<\/li>\n<\/ul>\n<p>With all of the above items in mind, there are patches which exist to have mod_usertrack make use of X-Forwarded-For and\/or mod_uuid to generate the cookie value. I&#8217;m currently working on a patch to make this a configuration directive via the Apache config file. However, considering that these other patches have existed for years and have not been integrated, I have little to no hope that our patch would be.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I found the following information to be missing from the mod_usertrack docs. I&#8217;m putting it here so I don&#8217;t forget this semi-useful information. 
Hopefully it will also save someone else the need to read through the source code to figure this stuff out. (as a side note, I dislike reading through C code) This information [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/www.fonz.net\/blog\/wp-json\/wp\/v2\/posts\/575"}],"collection":[{"href":"https:\/\/www.fonz.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.fonz.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.fonz.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.fonz.net\/blog\/wp-json\/wp\/v2\/comments?post=575"}],"version-history":[{"count":0,"href":"https:\/\/www.fonz.net\/blog\/wp-json\/wp\/v2\/posts\/575\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.fonz.net\/blog\/wp-json\/wp\/v2\/media?parent=575"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.fonz.net\/blog\/wp-json\/wp\/v2\/categories?post=575"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.fonz.net\/blog\/wp-json\/wp\/v2\/tags?post=575"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}