[PATCH] ProxyAddXHeaders for mod_proxy

[Dziugas Baltrunas <dz...@gmail.com>]

Hi list,

for those of us who are using Apache HTTPD as a "internet" proxy (a
combination of forward and reverse proxy modes) it's important that
requests going to the remote servers (which are not "known" backends
but anonymous boxes in this case) would look the same independently
whether the original request came in reverse or forward fashion.

Currently mod_proxy_http adds X-Forwarded-* headers unconditionally
when we have a reverse proxy request and never for forward proxy
requests.

Attached patch adds a new ProxyAddXHeaders directive with a possible
options of On|Off|ReverseOnly, later option leaving the default in
order not to break compatibility with current configurations. With
this option it is possible to always add X-Forwarded-For,
X-Forwarded-Host and X-Forwarded-Server headers for both reverse and
forward proxy modes, for reverse proxy only or not to add them at all.

Comments and suggestions are welcome.

-- 
Dziugas Baltrunas

Re: [PATCH] ProxyAddXHeaders for mod_proxy

[Dziugas Baltrunas <dz...@baltrunas.lt>]

Hi, Nick,

if you recall my initial paragraph, I'm here to address the
configuration of httpd acting as a generic HTTP proxy which is able to
handle both a standard (forward proxy mode) and transparent (reverse
proxy mode) proxy requests. This is the same what other proxy servers
(like Squid) do.

For this to achieve I use 'ProxyRequests On' together with couple of
mod_rewrite rules with [P] flag (but not ProxyPass rules since every
remote host needs to be proxied).

The problem is that with current mod_proxy_http outgoing http request
is dependant on how the original request was made to httpd. If
original request was in "forward" fashion, no X-Forwarded-* headers
are added to the outgoing request. Otherwise, for reverse proxy
requests "Privacy Note" comes into play and additional X-Forwarded-*
headers become visible (i.e. added by httpd) for remote hosts.

The intention was not to distinguish the way on how the original
request was made and stay consistent (that is, always add some headers
or never) when forwarding the request to a remote host.

I hope now the problem should be more clear.

On 4/4/07, Nick Kew <ni...@webthing.com> wrote:
> On Wed, 4 Apr 2007 12:08:15 +0300
> "Dziugas Baltrunas" <dz...@baltrunas.lt> wrote:
>
> > Hi,
> >
> > any commens/objections on this patch?
>
> Hmmm ... not sure I understand the problem you're fixing.
>
> > > > Currently mod_proxy_http adds X-Forwarded-* headers
> > > > unconditionally when we have a reverse proxy request and never
> > > > for forward proxy requests.
>
> I'm guessing this is the crux of your point.
> In the source code is a comment headed "Privacy Note", comprising
> three paragraphs explaining this behaviour.  Perhaps it would be
> useful if you could address that comment directly.
>
> Also useful would be if you could explain what information
> you want is actually being lost in a forward proxy (if indeed
> that is your underlying problem)?
>
> --
> Nick Kew
>
> Application Development with Apache - the Apache Modules Book
> http://www.apachetutor.org/
>


-- 
Dziugas Baltrunas
http://dziugas.baltrunas.lt/

Re: [PATCH] ProxyAddXHeaders for mod_proxy

[Nick Kew <ni...@webthing.com>]

On Wed, 4 Apr 2007 12:08:15 +0300
"Dziugas Baltrunas" <dz...@baltrunas.lt> wrote:

> Hi,
> 
> any commens/objections on this patch?

Hmmm ... not sure I understand the problem you're fixing.

> > > Currently mod_proxy_http adds X-Forwarded-* headers
> > > unconditionally when we have a reverse proxy request and never
> > > for forward proxy requests.

I'm guessing this is the crux of your point.
In the source code is a comment headed "Privacy Note", comprising
three paragraphs explaining this behaviour.  Perhaps it would be 
useful if you could address that comment directly.

Also useful would be if you could explain what information
you want is actually being lost in a forward proxy (if indeed
that is your underlying problem)?

-- 
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/

Re: [PATCH] ProxyAddXHeaders for mod_proxy

[Dziugas Baltrunas <dz...@baltrunas.lt>]

Hi,

any commens/objections on this patch?

On 2/28/07, Dziugas Baltrunas <dz...@gmail.com> wrote:
> Hi, list,
>
> attaching same patch with small correction to the one submitted
> previously (was unnecessary double check for PROXYREQ_REVERSE).
>
> Patch is for httpd-2.2.x branch.
>
> On 2/28/07, Dziugas Baltrunas <dz...@gmail.com> wrote:
> > Hi list,
> >
> > for those of us who are using Apache HTTPD as a "internet" proxy (a
> > combination of forward and reverse proxy modes) it's important that
> > requests going to the remote servers (which are not "known" backends
> > but anonymous boxes in this case) would look the same independently
> > whether the original request came in reverse or forward fashion.
> >
> > Currently mod_proxy_http adds X-Forwarded-* headers unconditionally
> > when we have a reverse proxy request and never for forward proxy
> > requests.
> >
> > Attached patch adds a new ProxyAddXHeaders directive with a possible
> > options of On|Off|ReverseOnly, later option leaving the default in
> > order not to break compatibility with current configurations. With
> > this option it is possible to always add X-Forwarded-For,
> > X-Forwarded-Host and X-Forwarded-Server headers for both reverse and
> > forward proxy modes, for reverse proxy only or not to add them at all.
> >
> > Comments and suggestions are welcome.
> >
> > --
> > Dziugas Baltrunas
> >
> >
>
>
> --
> Dziugas Baltrunas
>
>


-- 
Dziugas Baltrunas
http://dziugas.baltrunas.lt/

Re: [PATCH] ProxyAddXHeaders for mod_proxy

[Dziugas Baltrunas <dz...@baltrunas.lt>]

Hi,

looks like same patch works with the trunk out of the box.

However, attaching same patch against the trunk branch.

Short instructions to test it:

1. Apply the patch.
2. Compile httpd with mod_proxy and mox_rewrite enabled.
3. Add the following lines to httpd.conf:

ProxyRequests On
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !^proxy:
RewriteRule ^(.*)$ http://%{HTTP_HOST}$1 [NS,L,P]

4. Test behaviour on remote (proxied) site:

* ProxyAddXHeaders Off -- no X-Forwarded-* headers present;
* ProxyAddXHeaders On -- X-Forwarded-* headers always present.
* ProxyAddXHeaders ReverseOnly -- X-Forwarded-* headers present only
in a reverse proxy request (this is the default and behaviour is same
as without the patch).

On 4/4/07, Jim Jagielski <ji...@jagunet.com> wrote:
>
> On Feb 28, 2007, at 11:59 AM, Dziugas Baltrunas wrote:
>
> > Hi, list,
> >
> > attaching same patch with small correction to the one submitted
> > previously (was unnecessary double check for PROXYREQ_REVERSE).
> >
> > Patch is for httpd-2.2.x branch.
> >
>
> Patches should be against trunk. Once approved
> and "proven" in the trunk environ, then they
> may be proposed for backporting to 2.2.x
>
>
>


-- 
Dziugas Baltrunas
http://dziugas.baltrunas.lt/

Re: [PATCH] ProxyAddXHeaders for mod_proxy

[Jim Jagielski <ji...@jaguNET.com>]

On Feb 28, 2007, at 11:59 AM, Dziugas Baltrunas wrote:

> Hi, list,
>
> attaching same patch with small correction to the one submitted
> previously (was unnecessary double check for PROXYREQ_REVERSE).
>
> Patch is for httpd-2.2.x branch.
>

Patches should be against trunk. Once approved
and "proven" in the trunk environ, then they
may be proposed for backporting to 2.2.x

Re: [PATCH] ProxyAddXHeaders for mod_proxy

[Dziugas Baltrunas <dz...@gmail.com>]

Hi, list,

attaching same patch with small correction to the one submitted
previously (was unnecessary double check for PROXYREQ_REVERSE).

Patch is for httpd-2.2.x branch.

On 2/28/07, Dziugas Baltrunas <dz...@gmail.com> wrote:
> Hi list,
>
> for those of us who are using Apache HTTPD as a "internet" proxy (a
> combination of forward and reverse proxy modes) it's important that
> requests going to the remote servers (which are not "known" backends
> but anonymous boxes in this case) would look the same independently
> whether the original request came in reverse or forward fashion.
>
> Currently mod_proxy_http adds X-Forwarded-* headers unconditionally
> when we have a reverse proxy request and never for forward proxy
> requests.
>
> Attached patch adds a new ProxyAddXHeaders directive with a possible
> options of On|Off|ReverseOnly, later option leaving the default in
> order not to break compatibility with current configurations. With
> this option it is possible to always add X-Forwarded-For,
> X-Forwarded-Host and X-Forwarded-Server headers for both reverse and
> forward proxy modes, for reverse proxy only or not to add them at all.
>
> Comments and suggestions are welcome.
>
> --
> Dziugas Baltrunas
>
>


-- 
Dziugas Baltrunas