Posted to cvs@httpd.apache.org by el...@apache.org on 2016/12/30 18:20:05 UTC

svn commit: r1776616 - in /httpd/httpd/trunk/docs/manual/mod: mod_remoteip.html.en mod_remoteip.xml.fr mod_remoteip.xml.meta

Author: elukey
Date: Fri Dec 30 18:20:04 2016
New Revision: 1776616

URL: http://svn.apache.org/viewvc?rev=1776616&view=rev
Log:
Documentation rebuild for mod_remoteip

Modified:
    httpd/httpd/trunk/docs/manual/mod/mod_remoteip.html.en
    httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml.fr
    httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml.meta

Modified: httpd/httpd/trunk/docs/manual/mod/mod_remoteip.html.en
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_remoteip.html.en?rev=1776616&r1=1776615&r2=1776616&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_remoteip.html.en (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_remoteip.html.en Fri Dec 30 18:20:04 2016
@@ -47,6 +47,12 @@ via the request headers.
     with the useragent IP address reported in the request header configured
     with the <code class="directive"><a href="#remoteipheader">RemoteIPHeader</a></code> directive.</p>
 
+    <p>Additionally, this module implements the server side of
+    HAProxy's
+    <a href="http://blog.haproxy.com/haproxy/proxy-protocol/">Proxy Protocol</a> when
+    using the <code class="directive"><a href="#remoteipproxyprotocolenable">RemoteIPProxyProtocolEnable</a></code>
+    directive.</p>
+
     <p>Once replaced as instructed, this overridden useragent IP address is
     then used for the <code class="module"><a href="../mod/mod_authz_host.html">mod_authz_host</a></code>
     <code class="directive"><a href="../mod/mod_authz_core.html#require">Require ip</a></code>
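Review bot: the link in the added paragraph points at "#remoteipproxyprotocolenable" and is labelled "RemoteIPProxyProtocolEnable", but the directive section added later in this same patch defines the anchor as "remoteipproxyprotocol", so the in-page link will not resolve. Since this file is the output of a documentation rebuild, correct the directive name in the XML source and rebuild so the link text and target match the section heading.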
@@ -69,6 +75,7 @@ via the request headers.
 <li><img alt="" src="../images/down.gif" /> <a href="#remoteipinternalproxy">RemoteIPInternalProxy</a></li>
 <li><img alt="" src="../images/down.gif" /> <a href="#remoteipinternalproxylist">RemoteIPInternalProxyList</a></li>
 <li><img alt="" src="../images/down.gif" /> <a href="#remoteipproxiesheader">RemoteIPProxiesHeader</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#remoteipproxyprotocol">RemoteIPProxyProtocol</a></li>
 <li><img alt="" src="../images/down.gif" /> <a href="#remoteiptrustedproxy">RemoteIPTrustedProxy</a></li>
 <li><img alt="" src="../images/down.gif" /> <a href="#remoteiptrustedproxylist">RemoteIPTrustedProxyList</a></li>
 </ul>
@@ -77,6 +84,7 @@ via the request headers.
 <li><code class="module"><a href="../mod/mod_authz_host.html">mod_authz_host</a></code></li>
 <li><code class="module"><a href="../mod/mod_status.html">mod_status</a></code></li>
 <li><code class="module"><a href="../mod/mod_log_config.html">mod_log_config</a></code></li>
+<li><a href="http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt">Proxy Protocol Spec</a></li>
 <li><a href="#comments_section">Comments</a></li></ul></div>
 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
 <div class="section">
@@ -219,6 +227,69 @@ RemoteIPProxiesHeader X-Forwarded-By</pr
 
 </div>
 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="directive-section"><h2><a name="RemoteIPProxyProtocol" id="RemoteIPProxyProtocol">RemoteIPProxyProtocol</a> <a name="remoteipproxyprotocol" id="remoteipproxyprotocol">Directive</a></h2>
+<table class="directive">
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Enable, optionally enable or disable the proxy protocol handling</td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>ProxyProtocol On|Optional|Off</code></td></tr>
+<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
+<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
+<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_remoteip</td></tr>
+</table>
+    <p>The <code class="directive">RemoteIPProxyProtocolEnable</code> enables or 
+    disables the reading and handling of the proxy protocol connection header.
+    If enabled with the <code>On</code> flag, the upstream client <em>must</em>
+    send the header every time it opens a connection or the connection will
+    be aborted. If enabled with the <code>Optional</code> flag, the upstream
+    client <em>may</em> send the header.</p>
+
+    <p>While this directive may be specified in any virtual host, it is
+    important to understand that because the proxy protocol is connection
+    based and protocol agnostic, the enabling and disabling is actually based
+    on ip-address and port. This means that if you have multiple name-based
+    virtual hosts for the same host and port, and you enable it any one of
+    them, then it is enabled for all them (with that host and port). It also
+    means that if you attempt to enable the proxy protocol in one and disable
+    in the other, that won't work; in such a case the last one wins and a
+    notice will be logged indicating which setting was being overridden.</p>
+
+    <div class="note">When multiple virtual hosts on the same IP and port are
+    configured with a combination of <code>On</code> and <code>Optional</code>
+    flags, connections will not be aborted if the header is not sent.
+    Instead, enforcement will happen after the request is read so virtual
+    hosts configured with <code>On</code> will return a 400 Bad Request.
+    Virtual hosts configured with <code>Optional</code> will continue as
+    usual but without replacing the client IP information</div>
+    
+    <pre class="prettyprint lang-config">Listen 80
+&lt;VirtualHost *:80&gt;
+    ServerName www.example.com
+    RemoteIPProxyProtocolEnable Optional
+
+    #Requests to this virtual host may optionally not have
+    # a proxy protocol header provided
+&lt;/VirtualHost&gt;
+
+&lt;VirtualHost *:80&gt;
+    ServerName www.example.com
+    RemoteIPProxyProtocolEnable On
+
+    #Requests to this virtual host must have a proxy protocol
+    # header provided. If it is missing, a 400 will result
+&lt;/VirtualHost&gt;
+
+Listen 8080
+&lt;VirtualHost *:8080&gt;
+    ServerName www.example.com
+    RemoteIPProxyProtocolEnable On
+
+    #Requests to this virtual host must have a proxy protocol
+    # header provided. If it is missing, the connection will
+    # be aborted
+&lt;/VirtualHost&gt;</pre>
+
+
+</div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
 <div class="directive-section"><h2><a name="RemoteIPTrustedProxy" id="RemoteIPTrustedProxy">RemoteIPTrustedProxy</a> <a name="remoteiptrustedproxy" id="remoteiptrustedproxy">Directive</a></h2>
 <table class="directive">
 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Restrict client IP addresses trusted to present the RemoteIPHeader value</td></tr>
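Review bot: the new section names the directive three different ways: the heading and anchor say "RemoteIPProxyProtocol", the Syntax row says "ProxyProtocol On|Optional|Off", and the description paragraph and all three configuration examples use "RemoteIPProxyProtocolEnable". Pick the name the module actually registers and use it in every place, otherwise an admin copying the Syntax row gets a directive the examples never show. Two smaller points: the Description cell "Enable, optionally enable or disable the proxy protocol handling" reads awkwardly and could simply list the three modes, and the two VirtualHost *:80 blocks in the example both use "ServerName www.example.com", so the example cannot illustrate requests reaching the second block; give them distinct server names. Because the module text above says the replaced address is then used for "Require ip", it would also help to state here that a listener with this directive set should only be reachable from the trusted proxy, since with "Optional" any connecting client may send the header.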

Modified: httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml.fr
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml.fr?rev=1776616&r1=1776615&r2=1776616&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml.fr [utf-8] (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml.fr [utf-8] Fri Dec 30 18:20:04 2016
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8" ?>
 <!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
 <?xml-stylesheet type="text/xsl" href="../style/manual.fr.xsl"?>
-<!-- English Revision: 1704683 -->
+<!-- English Revision: 1704683:1776578 (outdated) -->
 <!-- French translation : Lucien GENTIS -->
 <!-- Reviewed by : Vincent Deffontaines -->
 

Modified: httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml.meta
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml.meta?rev=1776616&r1=1776615&r2=1776616&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml.meta (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml.meta Fri Dec 30 18:20:04 2016
@@ -8,6 +8,6 @@
 
   <variants>
     <variant>en</variant>
-    <variant>fr</variant>
+    <variant outdated="yes">fr</variant>
   </variants>
 </metafile>



Re: svn commit: r1776616 - in /httpd/httpd/trunk/docs/manual/mod: mod_remoteip.html.en mod_remoteip.xml.fr mod_remoteip.xml.meta

Posted by Luca Toscano <to...@gmail.com>.
2016-12-30 20:07 GMT+01:00 Daniel Ruggeri <DR...@primary.net>:

> On 12/30/2016 12:47 PM, Luca Toscano wrote:
> > I personally like a lot RemoteIPProxyProtocol (rather than
> > RemoteIPProxyProtocolEnable that seems a bit heavy to read), but
> > everything is fine as long as we use a single name, especially in the
> > logs that admins will read :)
> >
> > I haven't checked the code in detail so I might say something
> > completely irrelevant, just writing the first things that I noticed!
>
> Hrm - yes... these are inconsistencies that came up as I was renaming
> stuff and moving it around. I also like the suggestion to shorten the
> name since "Enable" is repetitive... I have adjusted the references to
> be RemoteIPProxyProtocol in docs and code, fixed references to the
> "PROXY protocol" to align with the case that HAProxy uses as well as
> removed the mod_proxy_protocol module in r1776624. Thanks for the pointer.



Just updated the mod_remoteip doc after your last commit, it looks really
nice now! Thanks a lot!

Luca

Re: svn commit: r1776616 - in /httpd/httpd/trunk/docs/manual/mod: mod_remoteip.html.en mod_remoteip.xml.fr mod_remoteip.xml.meta

Posted by Daniel Ruggeri <DR...@primary.net>.
On 12/30/2016 12:47 PM, Luca Toscano wrote:
> I personally like a lot RemoteIPProxyProtocol (rather than
> RemoteIPProxyProtocolEnable that seems a bit heavy to read), but
> everything is fine as long as we use a single name, especially in the
> logs that admins will read :)
>
> I haven't checked the code in detail so I might say something
> completely irrelevant, just writing the first things that I noticed!

Hrm - yes... these are inconsistencies that came up as I was renaming
stuff and moving it around. I also like the suggestion to shorten the
name since "Enable" is repetitive... I have adjusted the references to
be RemoteIPProxyProtocol in docs and code, fixed references to the
"PROXY protocol" to align with the case that HAProxy uses as well as
removed the mod_proxy_protocol module in r1776624. Thanks for the pointer.

-- 
Daniel Ruggeri


Re: svn commit: r1776616 - in /httpd/httpd/trunk/docs/manual/mod: mod_remoteip.html.en mod_remoteip.xml.fr mod_remoteip.xml.meta

Posted by Luca Toscano <el...@apache.org>.
Hi Daniel and Jim,

I saw your comments in one of the last email threads about Daniel's new code
change for mod_remoteip, and I have some questions for the doc about the
naming of the new directive:

2016-12-30 19:20 GMT+01:00 <el...@apache.org>:

> Author: elukey
> Date: Fri Dec 30 18:20:04 2016
> New Revision: 1776616
>
> URL: http://svn.apache.org/viewvc?rev=1776616&view=rev
> Log:
> Documentation rebuild for mod_remoteip
>
> Modified:
>     httpd/httpd/trunk/docs/manual/mod/mod_remoteip.html.en
>     httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml.fr
>     httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml.meta
>
> +    using the <code class="directive"><a href="#
> remoteipproxyprotocolenable">RemoteIPProxyProtocolEnable</a>



> +<div class="directive-section"><h2><a name="RemoteIPProxyProtocol"
> id="RemoteIPProxyProtocol">RemoteIPProxyProtocol</a> <a
> name="remoteipproxyprotocol" id="remoteipproxyprotocol">Directive</a></h2>
>


> +<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>ProxyProtocol
> On|Optional|Off</code></td></tr>



In the above snippets I can see three different names:
RemoteIPProxyProtocolEnable, RemoteIPProxyProtocol and ProxyProtocol. The
new directive in the C code is called RemoteIPProxyProtocolEnable, but I
can see new logs using also RemoteIPProxyProtocol (like
"RemoteIPProxyProtocol: internal error: have data left over; ").

I personally like a lot RemoteIPProxyProtocol (rather than
RemoteIPProxyProtocolEnable that seems a bit heavy to read), but everything
is fine as long as we use a single name, especially in the logs that admins
will read :)

I haven't checked the code in detail so I might say something completely
irrelevant, just writing the first things that I noticed!

Luca