Posted to notifications@httpd.apache.org by GitBox <gi...@apache.org> on 2021/08/29 07:26:44 UTC

[GitHub] [httpd] AlexAT edited a comment on pull request #191: Reimplementation of remoteip-rpaf for 2.4.48

AlexAT edited a comment on pull request #191:
URL: https://github.com/apache/httpd/pull/191#issuecomment-907743668


   I think this also needs some justification about how it's usable. This one was made with shared hosting clusters and frontend-to-backend splits in mind.
   
   - RemoteAllowOnlyInternalProxies is rather trivial: it allows only your trusted frontends to connect, denying all direct requests to backend servers, as a safety measure.
   - RemoteHostHeader and RemotePortHeader apply the respective header contents after virtual host selection and allow defining a single virtual host for the backend, performing real hostname and port mapping on frontends. All .htaccess and other configuration subrequests like rewrite are done to the original virtual host defined in the backend, while e.g. backend scripts see the original Host/Port that were accessed, thinking they are actually running with the specified hostname/port and generating proper URLs from this data. So you can e.g. call your virtual host 'cmr1234.mydomain.com' and map 'yourcustomerhost.com' to 'cmr1234.mydomain.com' on the proxying frontend, sending a Host of 'cmr1234.mydomain.com' in the request to the backend, and specific headers for the original host/port accessed.
   - RemoteProtoHeader / RemoteHTTPSEnableProto is a widely used feature supplement. It allows performing all SSL on frontend balancers, while running the backend over HTTP only in a trusted network, removing SSL overhead from backends. This allows creating a header to inform backend scripts and other dynamic stuff that the original request came via SSL, to make them generate HTTPS URLs while the backend will always serve unencrypted. This also affects rewrite conditions, so e.g. SSL=on/off dependent rules may be used. This feature removes the need for tricky SSL/non-SSL state propagation to backends, faking SSL state on the backend.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
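
The trust decision described in the comment above, modelled in Python as an added illustration; it is not code from the pull request or from httpd. The header names, the 10.0.0.0/24 frontend network, the port 80 default, and the handling of untrusted peers when the deny switch is off are all assumptions.

```python
import ipaddress

# Assumptions (not from the comment): frontend network and header names.
TRUSTED_FRONTENDS = [ipaddress.ip_network("10.0.0.0/24")]
HOST_HDR, PORT_HDR, PROTO_HDR = "x-forwarded-host", "x-forwarded-port", "x-forwarded-proto"
HTTPS_PROTO = "https"  # proto value that switches the backend's SSL state on


class DirectAccessDenied(Exception):
    """The peer is not one of the trusted frontends."""


def is_trusted_frontend(peer_ip):
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_FRONTENDS)


def backend_view(peer_ip, headers, only_internal=True):
    """Return what the backend uses for vhost selection and what scripts see."""
    hdrs = {k.lower(): v.strip() for k, v in headers.items()}
    vhost = hdrs.get("host", "")
    # Defaults: plain HTTP on port 80 (assumed), nothing taken from forwarded headers.
    view = {"vhost": vhost, "host": vhost, "port": 80, "https": False}
    if not is_trusted_frontend(peer_ip):
        if only_internal:
            raise DirectAccessDenied(peer_ip)
        return view  # assumed: forwarded headers from untrusted peers are ignored
    if hdrs.get(HOST_HDR):
        view["host"] = hdrs[HOST_HDR]  # applied after vhost selection
    port = hdrs.get(PORT_HDR, "")
    if port.isascii() and port.isdigit() and 0 < int(port) < 65536:
        view["port"] = int(port)
    view["https"] = hdrs.get(PROTO_HDR, "").lower() == HTTPS_PROTO
    return view


# Constructed sample request, using the hostnames from the comment.
SAMPLE = {
    "Host": "cmr1234.mydomain.com",
    "X-Forwarded-Host": "yourcustomerhost.com",
    "X-Forwarded-Port": "443",
    "X-Forwarded-Proto": "https",
}

if __name__ == "__main__":
    print(backend_view("10.0.0.5", SAMPLE))
    print(backend_view("203.0.113.9", SAMPLE, only_internal=False))
```

The second call shows why the peer check matters: the same forwarded headers sent from an address outside the frontend network leave the host, port and SSL state untouched.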