Posted to dev@httpd.apache.org by Martynas Bendorius <ma...@martynas.it> on 2014/08/17 23:34:17 UTC

Apache 2.4 - incorrect (proxy, but not user) IP on server-status page

Hello,

Would anyone be willing to review 
https://issues.apache.org/bugzilla/attachment.cgi?id=31706&action=diff 
and merge it to the trunk if it looks fine? It changes 
connection->client_ip to useragent_ip in scoreboard, so it might affect 
some other things, however that seems to be the only smart way for now 
to fix the bug.

Thank you!

-- 
Best regards,
Martynas Bendorius

Re: mod_status: Apache 2.4 incorrect IP (proxy, not useragent_ip) on server-status page

Posted by Jim Jagielski <ji...@jaguNET.com>.
Cool.
On Sep 12, 2014, at 8:57 AM, Martynas Bendorius <ma...@martynas.it> wrote:

> Super! I've tested it and it solves all the problems with mod_status. Thank you.
> 
> Best regards,
> Martynas Bendorius
> 
> On 9/12/14 3:46 PM, Jim Jagielski wrote:
>> Fixed in:
>> 
>>     http://svn.apache.org/r1624349
>> 
>> On Sep 11, 2014, at 12:23 PM, Jim Jagielski <ji...@jaguNET.com> wrote:
>> 
>>> Well, fixing this *specifically* for mod_status is
>>> easy, but, as you say, the problem is more systemic
>>> than that.
>>> 
>>> On Sep 11, 2014, at 12:13 PM, wrowe@rowe-clan.net wrote:
>>> 
>>>> --------- Original Message ---------
>>>> Subject: Re: mod_status: Apache 2.4 incorrect IP (proxy, not useragent_ip) on server-status page
>>>> From: "Jim Jagielski" <ji...@jaguNET.com>
>>>> Date: 9/11/14 10:45 am
>>>> To: dev@httpd.apache.org
>>>> 
>>>> Ugg. Yeah; we should actually have a complementary version
>>>> that takes request_req as the param, not conn_rec.
>>>> 
>>>> ap_get_remote_host_r()??
>>>> 
>>>> Considered that.  But that still breaks mod_remoteip's advertised
>>>> behavior against third party modules until they adapt.  So I'd written
>>>> this off as a non-starter :(
>>>> 
>>>> Ugly.
>>>> 
>>>> Indeed
>>> 
>> 
> 


Re: mod_status: Apache 2.4 incorrect IP (proxy, not useragent_ip) on server-status page

Posted by Martynas Bendorius <ma...@martynas.it>.
Super! I've tested it and it solves all the problems with mod_status. 
Thank you.

Best regards,
Martynas Bendorius

On 9/12/14 3:46 PM, Jim Jagielski wrote:
> Fixed in:
>
>      http://svn.apache.org/r1624349
>
> On Sep 11, 2014, at 12:23 PM, Jim Jagielski <ji...@jaguNET.com> wrote:
>
>> Well, fixing this *specifically* for mod_status is
>> easy, but, as you say, the problem is more systemic
>> than that.
>>
>> On Sep 11, 2014, at 12:13 PM, wrowe@rowe-clan.net wrote:
>>
>>> --------- Original Message ---------
>>> Subject: Re: mod_status: Apache 2.4 incorrect IP (proxy, not useragent_ip) on server-status page
>>> From: "Jim Jagielski" <ji...@jaguNET.com>
>>> Date: 9/11/14 10:45 am
>>> To: dev@httpd.apache.org
>>>
>>> Ugg. Yeah; we should actually have a complementary version
>>> that takes request_req as the param, not conn_rec.
>>>
>>> ap_get_remote_host_r()??
>>>
>>> Considered that.  But that still breaks mod_remoteip's advertised
>>> behavior against third party modules until they adapt.  So I'd written
>>> this off as a non-starter :(
>>>
>>> Ugly.
>>>
>>> Indeed
>>
>

Re: mod_status: Apache 2.4 incorrect IP (proxy, not useragent_ip) on server-status page

Posted by Jim Jagielski <ji...@jaguNET.com>.
Fixed in:

    http://svn.apache.org/r1624349

On Sep 11, 2014, at 12:23 PM, Jim Jagielski <ji...@jaguNET.com> wrote:

> Well, fixing this *specifically* for mod_status is
> easy, but, as you say, the problem is more systemic
> than that.
> 
> On Sep 11, 2014, at 12:13 PM, wrowe@rowe-clan.net wrote:
> 
>> --------- Original Message ---------
>> Subject: Re: mod_status: Apache 2.4 incorrect IP (proxy, not useragent_ip) on server-status page
>> From: "Jim Jagielski" <ji...@jaguNET.com>
>> Date: 9/11/14 10:45 am
>> To: dev@httpd.apache.org
>> 
>> Ugg. Yeah; we should actually have a complementary version
>> that takes request_req as the param, not conn_rec.
>> 
>> ap_get_remote_host_r()??
>> 
>> Considered that.  But that still breaks mod_remoteip's advertised
>> behavior against third party modules until they adapt.  So I'd written
>> this off as a non-starter :(
>> 
>> Ugly. 
>> 
>> Indeed
> 


Re: mod_status: Apache 2.4 incorrect IP (proxy, not useragent_ip) on server-status page

Posted by Jim Jagielski <ji...@jaguNET.com>.
Well, fixing this *specifically* for mod_status is
easy, but, as you say, the problem is more systemic
than that.

On Sep 11, 2014, at 12:13 PM, wrowe@rowe-clan.net wrote:

> --------- Original Message ---------
> Subject: Re: mod_status: Apache 2.4 incorrect IP (proxy, not useragent_ip) on server-status page
> From: "Jim Jagielski" <ji...@jaguNET.com>
> Date: 9/11/14 10:45 am
> To: dev@httpd.apache.org
> 
> Ugg. Yeah; we should actually have a complementary version
> that takes request_req as the param, not conn_rec.
> 
> ap_get_remote_host_r()??
>  
> Considered that.  But that still breaks mod_remoteip's advertised
> behavior against third party modules until they adapt.  So I'd written
> this off as a non-starter :(
>  
> Ugly. 
>  
> Indeed


Re: mod_status: Apache 2.4 incorrect IP (proxy, not useragent_ip) on server-status page

Posted by Reindl Harald <h....@thelounge.net>.
On 11.09.2014 at 18:13, wrowe@rowe-clan.net wrote:
>     Subject: Re: mod_status: Apache 2.4 incorrect IP (proxy, not useragent_ip) on server-status page
>     From: "Jim Jagielski" <ji...@jaguNET.com>
>     Date: 9/11/14 10:45 am
>     To: dev@httpd.apache.org
> 
>     Ugg. Yeah; we should actually have a complementary version
>     that takes request_req as the param, not conn_rec.
> 
>     ap_get_remote_host_r()??
> 
> Considered that.  But that still breaks mod_remoteip's advertised
> behavior against third party modules until they adapt.  So I'd written
> this off as a non-starter :(

yes - please don't break mod_security!

it took me hours of discussions to bring developers to make it
Apache 2.4 compliant and not enforce users to use the untrusted
"forwarded for" headers not caring about the connection IP

if there needs now to be a change because 2.4.10 behaves
different as a following release it becomes hard to handle


RE: Re: mod_status: Apache 2.4 incorrect IP (proxy, not useragent_ip) on server-status page

Posted by wr...@rowe-clan.net.
--------- Original Message ---------
Subject: Re: mod_status: Apache 2.4 incorrect IP (proxy, not useragent_ip) on server-status page
From: "Jim Jagielski" <ji...@jaguNET.com>
Date: 9/11/14 10:45 am
To: dev@httpd.apache.org

Ugg. Yeah; we should actually have a complementary version
 that takes request_req as the param, not conn_rec.

 ap_get_remote_host_r()??
  
Considered that.  But that still breaks mod_remoteip's advertised
behavior against third party modules until they adapt.  So I'd written
this off as a non-starter :(
 
 Ugly. 
  
Indeed

Re: mod_status: Apache 2.4 incorrect IP (proxy, not useragent_ip) on server-status page

Posted by Jim Jagielski <ji...@jaguNET.com>.
Ugg. Yeah; we should actually have a complementary version
that takes request_req as the param, not conn_rec.

ap_get_remote_host_r()??

Ugly.

On Sep 11, 2014, at 11:28 AM, wrowe@rowe-clan.net wrote:

> However, the API is not going to make this trivial to fix.
>  
> ap_get_remote_host is connection-based.  And that is what mod_authz_host
> is currently relying upon.
>  
> It seems that there needs to be a way for mod_remoteip to override the 
> existing behavior, perhaps ap_set_remote_host(), that will cache the
> request-based one for the lifetime of the request pool.  In the request
> pool cleanup, ap_set_remote_host(c, NULL) would clear that overridden
> request-based host, popping the value back to the cached c-> fields.
>  
> There is also the issue of the timing of setting the scoreboard record.
> All three issues are intertwined.
>  
>  
> --------- Original Message ---------
> Subject: Re: mod_status: Apache 2.4 incorrect IP (proxy, not useragent_ip) on server-status page
> From: "Jim Jagielski" <ji...@jaguNET.com>
> Date: 9/11/14 9:46 am
> To: dev@httpd.apache.org
> 
> Yeah, the more I think about it, ap_get_remote_host() is
> currently broken wrt how it handles useragent_ip and client_ip.
> 
> Will likely try to patch this on trunk sometime today...
> 
> On Sep 11, 2014, at 9:35 AM, Martynas Bendorius <ma...@martynas.it> wrote:
> 
> > Yes, we may re-phrase it like that, if we'd like to fix it in apache source (and not documentation) :) Currently ap_get_remote_host in server/core.c doesn't return useragent_ip, and instead of it we get conn->client_ip.
> > 
> > Best regards,
> > Martynas Bendorius
> > 
> > On 9/11/14 4:21 PM, Jim Jagielski wrote:
> >> isn't the question rather "What should ap_get_remote_host()
> >> return?"?
> >> 
> >> On Sep 11, 2014, at 8:17 AM, Martynas Bendorius <ma...@martynas.it> wrote:
> >> 
> >>> Hello,
> >>> 
> >>> Would it be possible to change the documentation of mod_remoteip for 2.4 (http://httpd.apache.org/docs/2.4/mod/mod_remoteip.html), and get "is reported by mod_status" removed from the page? As it leads Apache customers to believe that it will report a real (useragent) IP instead of a proxy one in server-status page. useragent_ip is not even available in scoreboard, which is used by mod_status, so it's not available for mod_status.
> >>> 
> >>> This has been already discussed here: https://issues.apache.org/bugzilla/show_bug.cgi?id=55886
> >>> 
> >>> Thank you!
> >>> 
> >>> Best regards,
> >>> Martynas Bendorius
> >>> 
> >> 
> > 


RE: Re: mod_status: Apache 2.4 incorrect IP (proxy, not useragent_ip) on server-status page

Posted by wr...@rowe-clan.net.
However, the API is not going to make this trivial to fix.
 
ap_get_remote_host is connection-based.  And that is what mod_authz_host
is currently relying upon.
 
It seems that there needs to be a way for mod_remoteip to override the 
existing behavior, perhaps ap_set_remote_host(), that will cache the
request-based one for the lifetime of the request pool.  In the request
pool cleanup, ap_set_remote_host(c, NULL) would clear that overridden
request-based host, popping the value back to the cached c-> fields.
 
There is also the issue of the timing of setting the scoreboard record.
All three issues are intertwined.
 
 
--------- Original Message ---------
Subject: Re: mod_status: Apache 2.4 incorrect IP (proxy, not useragent_ip) on server-status page
From: "Jim Jagielski" <ji...@jaguNET.com>
Date: 9/11/14 9:46 am
To: dev@httpd.apache.org

Yeah, the more I think about it, ap_get_remote_host() is
 currently broken wrt how it handles useragent_ip and client_ip.
 
 Will likely try to patch this on trunk sometime today...
 
 On Sep 11, 2014, at 9:35 AM, Martynas Bendorius <ma...@martynas.it> wrote:
 
 > Yes, we may re-phrase it like that, if we'd like to fix it in apache source (and not documentation) :) Currently ap_get_remote_host in server/core.c doesn't return useragent_ip, and instead of it we get conn->client_ip.
 > 
 > Best regards,
 > Martynas Bendorius
 > 
 > On 9/11/14 4:21 PM, Jim Jagielski wrote:
 >> isn't the question rather "What should ap_get_remote_host()
 >> return?"?
 >> 
 >> On Sep 11, 2014, at 8:17 AM, Martynas Bendorius <ma...@martynas.it> wrote:
 >> 
 >>> Hello,
 >>> 
 >>> Would it be possible to change the documentation of mod_remoteip for 2.4 (http://httpd.apache.org/docs/2.4/mod/mod_remoteip.html), and get "is reported by mod_status" removed from the page? As it leads Apache customers to believe that it will report a real (useragent) IP instead of a proxy one in server-status page. useragent_ip is not even available in scoreboard, which is used by mod_status, so it's not available for mod_status.
 >>> 
 >>> This has been already discussed here: https://issues.apache.org/bugzilla/show_bug.cgi?id=55886
 >>> 
 >>> Thank you!
 >>> 
 >>> Best regards,
 >>> Martynas Bendorius
 >>> 
 >> 
 >
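
An added sketch, not part of any message in this thread and not httpd code: the override-and-restore idea proposed above (a setter that caches the request-based address and clears it at request pool cleanup), modelled in C with simplified stand-in structs. All model_* names, the peer_trusted flag and the addresses are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for httpd's conn_rec and request_rec; only the
 * fields named in the thread are modelled. All model_* names are hypothetical. */
typedef struct {
    const char *client_ip;    /* TCP peer: the proxy when one is in front */
    const char *override_ip;  /* request-scoped override, NULL when unset */
} model_conn;

typedef struct {
    model_conn *connection;
    const char *useragent_ip; /* per-request address, as mod_remoteip sets it */
} model_request;

/* The proposed setter: passing NULL pops back to the connection's own value. */
static void model_set_remote_host(model_conn *c, const char *ip)
{
    c->override_ip = ip;
}

/* Connection-based lookup, the shape ap_get_remote_host() has in the thread. */
static const char *model_get_remote_host(const model_conn *c)
{
    return c->override_ip ? c->override_ip : c->client_ip;
}

/* Start of a request: accept the forwarded address only from a trusted peer. */
static void model_request_begin(model_request *r, model_conn *c,
                                const char *forwarded_for, int peer_trusted)
{
    r->connection = c;
    r->useragent_ip = c->client_ip;
    if (peer_trusted && forwarded_for != NULL) {
        r->useragent_ip = forwarded_for;
        model_set_remote_host(c, r->useragent_ip);
    }
}

/* Stand-in for the request pool cleanup: the override dies with the request. */
static void model_request_end(model_request *r)
{
    model_set_remote_host(r->connection, NULL);
    r->useragent_ip = NULL;
}

int main(void)
{
    model_conn c = { "192.0.2.10", NULL };   /* constructed proxy address */
    model_request r;

    model_request_begin(&r, &c, "203.0.113.7", 1);
    printf("during request:  %s\n", model_get_remote_host(&c));
    model_request_end(&r);
    printf("keep-alive idle: %s\n", model_get_remote_host(&c));
    return 0;
}
```

Between requests on a keep-alive connection the lookup reports the proxy again, and a forwarded address sent by an untrusted peer never replaces the connection address.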

Re: mod_status: Apache 2.4 incorrect IP (proxy, not useragent_ip) on server-status page

Posted by Jim Jagielski <ji...@jaguNET.com>.
Yeah, the more I think about it, ap_get_remote_host() is
currently broken wrt how it handles useragent_ip and client_ip.

Will likely try to patch this on trunk sometime today...

On Sep 11, 2014, at 9:35 AM, Martynas Bendorius <ma...@martynas.it> wrote:

> Yes, we may re-phrase it like that, if we'd like to fix it in apache source (and not documentation) :) Currently ap_get_remote_host in server/core.c doesn't return useragent_ip, and instead of it we get conn->client_ip.
> 
> Best regards,
> Martynas Bendorius
> 
> On 9/11/14 4:21 PM, Jim Jagielski wrote:
>> isn't the question rather "What should ap_get_remote_host()
>> return?"?
>> 
>> On Sep 11, 2014, at 8:17 AM, Martynas Bendorius <ma...@martynas.it> wrote:
>> 
>>> Hello,
>>> 
>>> Would it be possible to change the documentation of mod_remoteip for 2.4 (http://httpd.apache.org/docs/2.4/mod/mod_remoteip.html), and get "is reported by mod_status" removed from the page? As it leads Apache customers to believe that it will report a real (useragent) IP instead of a proxy one in server-status page. useragent_ip is not even available in scoreboard, which is used by mod_status, so it's not available for mod_status.
>>> 
>>> This has been already discussed here: https://issues.apache.org/bugzilla/show_bug.cgi?id=55886
>>> 
>>> Thank you!
>>> 
>>> Best regards,
>>> Martynas Bendorius
>>> 
>> 
> 


RE: Re: mod_status: Apache 2.4 incorrect IP (proxy, not useragent_ip) on server-status page

Posted by wr...@rowe-clan.net.
+1, this is the right question, Jim.
 
From the docs for mod_remoteip;
 
"This module is used to treat the useragent which initiated the request as the originating useragent as identified by httpd for the purposes of authorization and logging"
 
"The module overrides the client IP address for the connection"
 
"Once replaced as instructed, this overridden useragent IP address is then used"
 
Any other behavior is invalid to users of mod_remoteip.
 
It was correctly observed that there is an intermediate state, following the logging of a request and destruction of the request pool, where the identity of the keep-alive connection truly belongs to the direct-remote user agent, and is no longer an attribute of the proxied request.  Therefore, falling back to the c->remote_addr is entirely appropriate, and that remote_addr must be used as the basis for mod_remoteip to handshake the next reported remote client ip.
 
So here's a +1 to changing the behavior of ap_get_remote_host, as documented, the existing behavior is flawed.
 


--------- Original Message ---------
Subject: Re: mod_status: Apache 2.4 incorrect IP (proxy, not useragent_ip) on server-status page
From: "Martynas Bendorius" <ma...@martynas.it>
Date: 9/11/14 8:35 am
To: dev@httpd.apache.org

Yes, we may re-phrase it like that, if we'd like to fix it in apache 
 source (and not documentation) :) Currently ap_get_remote_host in 
 server/core.c doesn't return useragent_ip, and instead of it we get 
 conn->client_ip.
 
 Best regards,
 Martynas Bendorius
 
 On 9/11/14 4:21 PM, Jim Jagielski wrote:
 > isn't the question rather "What should ap_get_remote_host()
 > return?"?
 >
 > On Sep 11, 2014, at 8:17 AM, Martynas Bendorius <ma...@martynas.it> wrote:
 >
 >> Hello,
 >>
 >> Would it be possible to change the documentation of mod_remoteip for 2.4 (http://httpd.apache.org/docs/2.4/mod/mod_remoteip.html), and get "is reported by mod_status" removed from the page? As it leads Apache customers to believe that it will report a real (useragent) IP instead of a proxy one in server-status page. useragent_ip is not even available in scoreboard, which is used by mod_status, so it's not available for mod_status.
 >>
 >> This has been already discussed here: https://issues.apache.org/bugzilla/show_bug.cgi?id=55886
 >>
 >> Thank you!
 >>
 >> Best regards,
 >> Martynas Bendorius
 >>
 >

Re: mod_status: Apache 2.4 incorrect IP (proxy, not useragent_ip) on server-status page

Posted by Martynas Bendorius <ma...@martynas.it>.
Yes, we may re-phrase it like that, if we'd like to fix it in apache 
source (and not documentation) :) Currently ap_get_remote_host in 
server/core.c doesn't return useragent_ip, and instead of it we get 
conn->client_ip.

Best regards,
Martynas Bendorius

On 9/11/14 4:21 PM, Jim Jagielski wrote:
> isn't the question rather "What should ap_get_remote_host()
> return?"?
>
> On Sep 11, 2014, at 8:17 AM, Martynas Bendorius <ma...@martynas.it> wrote:
>
>> Hello,
>>
>> Would it be possible to change the documentation of mod_remoteip for 2.4 (http://httpd.apache.org/docs/2.4/mod/mod_remoteip.html), and get "is reported by mod_status" removed from the page? As it leads Apache customers to believe that it will report a real (useragent) IP instead of a proxy one in server-status page. useragent_ip is not even available in scoreboard, which is used by mod_status, so it's not available for mod_status.
>>
>> This has been already discussed here: https://issues.apache.org/bugzilla/show_bug.cgi?id=55886
>>
>> Thank you!
>>
>> Best regards,
>> Martynas Bendorius
>>
>

Re: mod_status: Apache 2.4 incorrect IP (proxy, not useragent_ip) on server-status page

Posted by Jim Jagielski <ji...@jaguNET.com>.
isn't the question rather "What should ap_get_remote_host()
return?"?

On Sep 11, 2014, at 8:17 AM, Martynas Bendorius <ma...@martynas.it> wrote:

> Hello,
> 
> Would it be possible to change the documentation of mod_remoteip for 2.4 (http://httpd.apache.org/docs/2.4/mod/mod_remoteip.html), and get "is reported by mod_status" removed from the page? As it leads Apache customers to believe that it will report a real (useragent) IP instead of a proxy one in server-status page. useragent_ip is not even available in scoreboard, which is used by mod_status, so it's not available for mod_status.
> 
> This has been already discussed here: https://issues.apache.org/bugzilla/show_bug.cgi?id=55886
> 
> Thank you!
> 
> Best regards,
> Martynas Bendorius
> 


mod_status: Apache 2.4 incorrect IP (proxy, not useragent_ip) on server-status page

Posted by Martynas Bendorius <ma...@martynas.it>.
Hello,

Would it be possible to change the documentation of mod_remoteip for 2.4 
(http://httpd.apache.org/docs/2.4/mod/mod_remoteip.html), and get "is 
reported by mod_status" removed from the page? As it leads Apache 
customers to believe that it will report a real (useragent) IP instead 
of a proxy one in server-status page. useragent_ip is not even available 
in scoreboard, which is used by mod_status, so it's not available for 
mod_status.

This has been already discussed here: 
https://issues.apache.org/bugzilla/show_bug.cgi?id=55886

Thank you!

Best regards,
Martynas Bendorius

Re: Apache 2.4 - incorrect (proxy, but not user) IP on server-status page

Posted by Graham Leggett <mi...@sharp.fm>.
On 17 Aug 2014, at 22:34, Martynas Bendorius <ma...@martynas.it> wrote:

> Would anyone be willing to review https://issues.apache.org/bugzilla/attachment.cgi?id=31706&action=diff and merge it to the trunk if it looks fine? It changes connection->client_ip to useragent_ip in scoreboard, so it might affect some other things, however that seems to be the only smart way for now to fix the bug.

Swapping the one IP for the other is definitely the wrong way to go about this. Apache supports both the client and remote IP addresses as first class concepts, the real fix for this is to add the missing IP to the scoreboard.

Regards,
Graham
--