You are viewing a plain text version of this content. The canonical link for it is here.
Posted to bugs@httpd.apache.org by bu...@apache.org on 2010/08/28 22:16:39 UTC
DO NOT REPLY [Bug 49839] New: mod_remoteip: ErrorDocument causes
proxy's IP to be logged
https://issues.apache.org/bugzilla/show_bug.cgi?id=49839
Summary: mod_remoteip: ErrorDocument causes proxy's IP to be
logged
Product: Apache httpd-2
Version: 2.3-HEAD
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Other Modules
AssignedTo: bugs@httpd.apache.org
ReportedBy: voltara@gmail.com
Confirmed with httpd-2.3.6 (patched with the segmentation fault patch I
attached to ticket 49838), built with the following options:
./configure --with-included-apr --with-mpm=prefork
When using mod_remoteip, requests handled by an ErrorDocument ignore the
mod_remoteip settings. (The wrong IP is logged to access_log; the wrong
REMOTE_ADDR is passed to a PHP-script ErrorDocument.)
(However, the "[client 1.2.3.4:12345] File does not exist:" entry in error_log
*does* log the correct address.)
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 49839] mod_remoteip: ErrorDocument causes proxy's
IP to be logged
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49839
--- Comment #8 from William A. Rowe Jr. <wr...@apache.org> 2011-12-19 22:39:47 UTC ---
I agree with you that internal subrequests shouldn't be processed.
I'm having trouble with denying these to internal redirects. If the initial
vhost/location is not configured for mod_remoteip parsing, but the subsequent
location is configured (because it is mapped to an app uri space, for example),
then that subsequent location won't be processed correctly.
Comments?
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 49839] mod_remoteip: ErrorDocument causes proxy's
IP to be logged
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49839
--- Comment #1 from William A. Rowe Jr. <wr...@apache.org> 2010-08-28 16:36:01 EDT ---
Did you in fact set up the remoteip settings in a global context (or the
context
of the virtual host), or strictly in the context of specific
directories/locations
... if the later you would need to include the error document's context.
It is all going to depend on whether the error is noted before or after the
connection is established and the headers parsed and adjusted; this is as
designed.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 49839] mod_remoteip: ErrorDocument causes proxy's
IP to be logged
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49839
--- Comment #6 from Andrew Skalski <vo...@gmail.com> 2011-12-14 19:31:01 UTC ---
(In reply to comment #5)
> (In reply to comment #4)
> > Are there any plans to apply this bug fix? I have been using the attached
> > patch for almost a full year without any problems.
>
> I Andrew,
> I applied this patch but it doesn't resolve the issue (with my patched version
> which also include backport to 2.2 and patch for bug 49272) :
>
> when a 404 is sent, the RemoteIPHeader is logged in the errorlog but the Proxy
> IP is logged in the access log. do you confirm ?
That is how the unpatched mod_remoteip behaves. The attached patch to
remoteip_modify_connection() should have corrected the problem. I tested by
backporting the 2.3.15-beta mod_remoteip.c to compile against 2.2.20-prefork on
an Ubuntu machine, and the patch on this ticket worked as expected.
The only change I had to make to compile the 2.3.15-beta module against 2.2.20
was one line:
<AP_DECLARE_MODULE(remoteip) = {
>module AP_MODULE_DECLARE_DATA remoteip_module = {
The fixes for bugs 49272 and 49838 are already included in 2.3.15-beta.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 49839] mod_remoteip: ErrorDocument causes proxy's
IP to be logged
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49839
--- Comment #2 from Andrew Skalski <vo...@gmail.com> 2010-08-28 17:01:43 EDT ---
My reduced test case is based on the stock httpd.conf, which is not configured
with virtual hosts. So yes, the configuration is in the global context.
I will poke around at it a bit more today. Here's what I have so far:
It looks like remoteip_modify_connection gets called twice when an
ErrorDocument is triggered. The first pass through, it successfully modifies
the remote IP; the second pass, it reverts back to the proxy IP.
Breakpoint 1, remoteip_modify_connection (r=0x1aec3a0) at mod_remoteip.c:222
[Sat Aug 28 16:53:33.551855 2010] [info] [pid 11585] [client 1.2.3.4:49009]
Using 1.2.3.4 as client's IP by proxies 127.0.0.1
[Sat Aug 28 16:54:28.524987 2010] [error] [pid 11585] [client
1.2.3.4:49009] File does not exist: /usr/local/apache2/htdocs/blah
Breakpoint 1, remoteip_modify_connection (r=0x1ae89e8) at mod_remoteip.c:222
127.0.0.1 - - [28/Aug/2010:16:52:38 -0400] "GET /blah HTTP/1.1" 404 45
(Don't mind the timestamps; I was single-stepping through with gdb. The log
entries all came from the same HTTP request.)
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 49839] mod_remoteip: ErrorDocument causes proxy's IP to be
logged
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49839
Andrew Skalski <vo...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
--- Comment #9 from Andrew Skalski <vo...@gmail.com> ---
This issue was resolved in httpd-2.3.16 as a consequence of SVN r1208378
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 49839] mod_remoteip: ErrorDocument causes proxy's
IP to be logged
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49839
--- Comment #3 from Andrew Skalski <vo...@gmail.com> 2010-08-28 20:10:08 EDT ---
Created an attachment (id=25957)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=25957)
proposed bugfix
The attached patch changes remoteip_modify_connection() to run only once per
request.
The issue I encountered with ErrorRedirect was caused by the handler running
again on every internal redirect/subrequest. Because it removes the proxy IP
from the X-Forwarded-For (X-Client-IP) header, each iteration of
remoteip_modify_connection would take a different IP from the comma-separated
list, until the list was exhausted.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 49839] mod_remoteip: ErrorDocument causes proxy's
IP to be logged
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49839
--- Comment #5 from Thomas.jouas@gmail.com 2011-12-14 13:05:28 UTC ---
(In reply to comment #4)
> Are there any plans to apply this bug fix? I have been using the attached
> patch for almost a full year without any problems.
I Andrew,
I applied this patch but it doesn't resolve the issue (with my patched version
which also include backport to 2.2 and patch for bug 49272) :
when a 404 is sent, the RemoteIPHeader is logged in the errorlog but the Proxy
IP is logged in the access log. do you confirm ?
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 49839] mod_remoteip: ErrorDocument causes proxy's
IP to be logged
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49839
Thomas.jouas@gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |Thomas.jouas@gmail.com
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 49839] mod_remoteip: ErrorDocument causes proxy's
IP to be logged
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49839
--- Comment #4 from Andrew Skalski <vo...@gmail.com> 2011-07-19 16:04:38 UTC ---
Are there any plans to apply this bug fix? I have been using the attached
patch for almost a full year without any problems.
Reproducing the bug is straightforward:
1) Compile 2.3.12-beta from sources
2) Add the following to httpd.conf (global scope is OK):
Listen 8080
RemoteIPHeader X-IP
RemoteIPTrustedProxy 127.0.0.0/8 ::1
ErrorDocument 404 /index.html
3) Start up httpd and watch the access_log:
# The /index.html file exists, so this works fine:
$ curl -H'X-IP: 11.22.33.44' http://localhost:8080/index.html
11.22.33.44 - - [19/Jul/2011:11:21:52 -0400] "GET /index.html HTTP/1.1" 200 45
# However, anything that hits the ErrorDocument does not:
$ curl -H'X-IP: 11.22.33.44' http://localhost:8080/asdfasdfasdf
127.0.0.1 - - [19/Jul/2011:11:22:55 -0400] "GET /asdfasdfasdf HTTP/1.1" 404 45
# And here is how it behaves when multiple, comma-separated addresses are
given...
# Correct behavior:
$ curl -H'X-IP: 2000::1, 11.22.33.44' http://localhost:8080/index.html
11.22.33.44 - - [19/Jul/2011:12:01:59 -0400] "GET /index.html HTTP/1.1" 200 45
# Incorrect behavior:
$ curl -H'X-IP: 2000::1, 11.22.33.44' http://localhost:8080/asdfasdfasdf
2000::1 - - [19/Jul/2011:12:02:24 -0400] "GET /asdfasdfasdf HTTP/1.1" 404 45
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 49839] mod_remoteip: ErrorDocument causes proxy's
IP to be logged
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49839
taffy-tyler6464@hotmail.co.uk changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |taffy-tyler6464@hotmail.co.
| |uk
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 49839] mod_remoteip: ErrorDocument causes proxy's
IP to be logged
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49839
--- Comment #7 from Thomas.jouas@gmail.com 2011-12-19 11:26:03 UTC ---
(In reply to comment #6)
don't know what went wrong in my previous test, I reapplied the patch over the
2.3.15-beta mod_remoteip.c and can confirm you that it works fine and fixed the
bug.
Thanks
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org