Posted to users@httpd.apache.org by Igor Galić <i....@brainsware.org> on 2012/03/30 17:16:31 UTC
[users@httpd] mod_remoteip: Hiding in plain sight
Hi folks,
I'm using wrowe's backported version of mod_remoteip[1][2] for
httpd 2.2, while hiding behind an Apache Traffic Server.
My configuration is basically this:
# we're behind a proxy, but no one needs to know:
RemoteIPHeader X-Forwarded-For
RemoteIPTrustedProxy 127.0.0.1/8 176.9.55.235 192.168.122.235/24
while in ATS I have set
CONFIG proxy.config.http.insert_squid_x_forwarded_for INT 1
(no, actually I haven't; it's the default)
The only problem is: It doesn't do a thing.
igalic@tynix ~ % curl http://brainswear.at/t.php 2>/dev/null| ack -i remote_a\|forw
[REMOTE_ADDR] => 127.0.0.1
Is this supposed to strip X-Forwarded-For headers?
Is it supposed to not modify REMOTE_ADDRESS (because it says it would)?
What's it supposed to do? Does it work? Has anyone tested it?
So long,
i
[1] http://people.apache.org/~wrowe/httpd-2.2-ports/mod_remoteip.c
[2] http://httpd.apache.org/docs/current/mod/mod_remoteip.html
--
Igor Galić
Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/
GPG: 6880 4155 74BD FD7C B515 2EA5 4B1D 9E08 A097 C9AE
Re: mod_remoteip: Hiding in plain sight
Posted by Leif Hedstrom <zw...@apache.org>.
On 3/30/12 9:16 AM, Igor Galić wrote:
> Hi folks,
>
> I'm using wrowe's backported version of mod_remoteip[1][2] for
> httpd 2.2, while hiding behind an Apache Traffic Server.
>
> My configuration is basically this:
>
> # we're behind a proxy, but no one needs to know:
> RemoteIPHeader X-Forwarded-For
> RemoteIPTrustedProxy 127.0.0.1/8 176.9.55.235 192.168.122.235/24
>
> while in ATS I have set
>
> CONFIG proxy.config.http.insert_squid_x_forwarded_for INT 1
>
> (no, actually I haven't; it's the default)
>
But what do you see between ATS and HTTPD? XFF is for ATS to communicate to
the Origin(s) what the real client IP is. You wouldn't see it in the
response back to the client, I'm pretty sure. I use this all the time, and
it definitely works for me, e.g.:
+++++++++ Proxy's Request +++++++++
-- State Machine Id: 2
GET / HTTP/1.1
User-Agent: curl/7.21.7 (x86_64-redhat-linux-gnu) libcurl/7.21.7
NSS/3.13.3.0 zlib/1.2.5 libidn/1.22 libssh2/1.2.7
Host: www.yahoo.com
Accept: */*
Client-ip: 127.0.0.1
X-Forwarded-For: 127.0.0.1
Via: http/1.1 loki.ogre.com[FE8000000000000002016CFFFE63288A]
(ApacheTrafficServer/3.1.4-unstable [uScMs f p eN:t cCMi p s ])
-- Leif
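
Added example, not part of the thread and not the module's own code: a simplified Python model of the header processing that the mod_remoteip documentation describes for RemoteIPHeader and RemoteIPTrustedProxy, using the trusted-proxy list from the original post. The function name resolve_client and the sample addresses in the usage note are constructed for illustration; the model covers IPv4 only.

```python
import ipaddress

# Blocks the mod_remoteip documentation lists as never accepted as the
# client address when reported by a RemoteIPTrustedProxy (IPv4 only here).
PRIVATE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8")]

# The RemoteIPTrustedProxy list from the post; strict=False because the
# entries carry host bits (127.0.0.1/8, 192.168.122.235/24).
TRUSTED = [ipaddress.ip_network(n, strict=False) for n in (
    "127.0.0.1/8", "176.9.55.235", "192.168.122.235/24")]


def _in(addr, nets):
    """True if addr falls inside any of the given networks."""
    return any(addr in net for net in nets)


def resolve_client(peer, xff, trusted=TRUSTED):
    """Return (client_ip, remaining_header) for a TCP peer and an
    X-Forwarded-For value. Hypothetical helper, simplified model."""
    client = ipaddress.ip_address(peer)
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # Walk right to left: an entry only counts if the address that
    # reported it (the peer, then each accepted hop) is a trusted proxy.
    while hops and _in(client, trusted):
        try:
            candidate = ipaddress.ip_address(hops[-1])
        except ValueError:
            break  # unparsable entry: stop and leave it in the header
        if candidate.version != 4 or _in(candidate, PRIVATE):
            break  # private address from a trusted (not internal) proxy
        client = candidate
        hops.pop()
    return str(client), ", ".join(hops)
```

In this model a header value of 127.0.0.1 arriving from peer 127.0.0.1 leaves the address unchanged, a public value such as 203.0.113.7 replaces it, and entries to the left of the first untrusted address (for example a value the client supplied itself) stay in the header and are never used.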