I have read the manual and have questions

Fred
29 January 2016, 00:17
Hi Hugo,

In the past I used UseGZfile as follows:
Directory {
Path = /usr/local/www/blog_example_tld/wp-content/themes
UseGZfile = yes
}

Reading the man page, it says:
UseGZfile = yes|no
If available, upload <requested file>.gz with gzip content
encoding instead of the requested file.
Default = no, example: UseGZfile = yes

Does this mean that on the new version I don't have to use UseGZfile inside a directory anymore?
Do I just put UseGZfile = yes in my VirtualHost {} ?

Also, I am not sure I understand what HideProxy does.
Sorry, English is my second language. Could you please explain it a little bit differently?

Hugo Leisink
29 January 2016, 01:02
No, since v10.0 you don't have to use UseGZfile anymore. Hiawatha takes care of the compression automatically.

What HideProxy does is make the reverse proxy in front of Hiawatha invisible to the CGI application. Since it is the reverse proxy that connects to the webserver, an application only sees the IP of the reverse proxy as the client. When set, Hiawatha uses the IP from the X-Forwarded-For header as the client's IP.

Fred
29 January 2016, 09:48
Thank you for taking the time to reply.
So if HideProxy is on, what IP address will I then see in my exploit.log file?
At the moment (HideProxy disabled) I can see the list of all the client IPs that tried to abuse the webserver.
Will I still be able to see the original IP or only the IP of the proxy?

Hugo Leisink
29 January 2016, 13:22
If HideProxy is on and the reverse proxy in front of Hiawatha sets the X-Forwarded-For header correctly, it will use the IP set in that header as the IP address of the client. That's the IP address that CGI applications will see. The exploit.log may contain the IP address of the proxy, because some exploit attempts are detected during the parsing of the request. The parsing will then not be completed, so the X-Forwarded-For header will not be seen then. It will however be available in the dump of the request in the exploit logfile.

If you disable HideProxy, you will see the IP address of the proxy as the client's IP and the actual client's IP will be set in the X-Forwarded-For header.
This topic has been closed.
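
An added example, not part of the thread and not Hiawatha's own code: when a log entry records the proxy's address, this recovers the client address from the X-Forwarded-For header in the dumped request, and it ignores that header when the connection did not come from the proxy. The proxy address 10.0.0.5, the sample dump, the function names and the choice of the right-most non-proxy entry are assumptions made for this sketch; the layout of exploit.log itself is not assumed.

```python
import ipaddress

# Assumption: address of the reverse proxy in front of Hiawatha (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]

# Constructed sample of a dumped request. The first X-Forwarded-For entry was
# supplied by the client itself; the proxy appended the address it really saw.
SAMPLE_DUMP = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: blog.example.tld\r\n"
    "X-Forwarded-For: 198.51.100.9, 203.0.113.7\r\n"
    "\r\n"
)


def is_trusted(ip, proxies=TRUSTED_PROXIES):
    """True if ip belongs to one of our own reverse proxies."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on garbage
    return any(addr in net for net in proxies)


def forwarded_for(request_dump):
    """Collect the entries of every X-Forwarded-For header in a raw request."""
    hops = []
    for line in request_dump.replace("\r\n", "\n").split("\n")[1:]:
        if line == "":
            break  # blank line ends the header section
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-forwarded-for":
            hops += [h.strip() for h in value.split(",") if h.strip()]
    return hops


def client_ip(logged_ip, request_dump, proxies=TRUSTED_PROXIES):
    """Best estimate of the real client address for one log entry."""
    if not is_trusted(logged_ip, proxies):
        # Direct connection: the header is attacker-controlled, so ignore it.
        return logged_ip
    # Walk from the right: entries appended by our proxies are trustworthy,
    # anything further left was supplied by the client and may be spoofed.
    for hop in reversed(forwarded_for(request_dump)):
        try:
            if not is_trusted(hop, proxies):
                return hop
        except ValueError:
            break  # malformed entry: stop rather than guess
    return logged_ip  # no usable header, keep the proxy address


if __name__ == "__main__":
    print(client_ip("10.0.0.5", SAMPLE_DUMP))
```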