Posted to dev@httpd.apache.org by Jan Kaluža <jk...@redhat.com> on 2016/01/07 15:25:59 UTC

Shouldn't ap_get_remote_host use req->useragent_addr?

Hi,

When httpd is running behind a reverse proxy and mod_remoteip is 
configured, the correct client IP is logged (using %a in the LogFormat), 
but the proxy IP is used by 'Require host .mydomain.net'. I would expect 
the host based on IP provided by mod_remoteip to be used here.

Is this expected behaviour? Maybe the ap_get_remote_host method should 
use req->useragent_addr instead of conn->client_addr to obtain the 
REMOTE_HOST.

Or we could introduce a new env variable and a new auth_provider to work 
with the real remote_host of the client even when it is behind the proxy.

Regards,
Jan Kaluza

Re: Shouldn't ap_get_remote_host use req->useragent_addr?

Posted by Tim Bannister <is...@c8h10n4o2.org.uk>.
On 8 January 2016 06:23:15 GMT, "Jan Kaluža" <jk...@redhat.com> wrote:
>On 01/07/2016 04:06 PM, Eric Covener wrote:
>> 
>>> Is this expected behaviour? Maybe the ap_get_remote_host method should use
>>> req->useragent_addr instead of conn->client_addr to obtain the REMOTE_HOST.
>>
>> what about "Require ip ..."?


“ip” is minimal and doesn't explain much.

How about, maybe:
Require remote-ip-host 192.0.2.42/30?

I'm assuming that this would succeed if the TCP peer is in the specified range OR if mod_remoteip makes a similar declaration.

-- 
Tim Bannister – isoma@c8h10n4o2.org.uk

Re: Shouldn't ap_get_remote_host use req->useragent_addr?

Posted by Jan Kaluža <jk...@redhat.com>.
On 01/07/2016 04:06 PM, Eric Covener wrote:
> On Thu, Jan 7, 2016 at 9:25 AM, Jan Kaluža <jk...@redhat.com> wrote:
>> When httpd is running behind a reverse proxy and mod_remoteip is configured,
>> the correct client IP is logged (using %a in the LogFormat), but the proxy
>> IP is used by 'Require host .mydomain.net'. I would expect the host based on
>> IP provided by mod_remoteip to be used here.
>>
>> Is this expected behaviour? Maybe the ap_get_remote_host method should use
>> req->useragent_addr instead of conn->client_addr to obtain the REMOTE_HOST.
>
> what about "Require ip ..."?
>

This would work, but we should clarify that in the documentation then, 
because both "Require ip" and "Require host" use the term "remote client" in 
their description, but for "Require ip", mod_remoteip is respected, 
while for "Require host", mod_remoteip is not respected.

I think this is really confusing.

Regards,
Jan Kaluza
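
A configuration check for the mismatch discussed in this thread, as an added example that is not part of any poster's message or of httpd itself: it flags "Require host" rules in a configuration that also sets RemoteIPHeader, since the thread reports that those rules are evaluated against the proxy's connection address. The sample configuration and the audit() function name are constructed for illustration.

```python
import re

# Constructed sample configuration (illustrative, not from the thread).
SAMPLE_CONF = """\
LoadModule remoteip_module modules/mod_remoteip.so
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 192.0.2.10
<Directory "/var/www/internal">
    # Require host .old.example
    Require host .mydomain.net
</Directory>
<Location "/status">
    <RequireAll>
        Require ip 198.51.100.0/24
        Require not host bad.example.org
    </RequireAll>
</Location>
"""

REMOTEIP = re.compile(r"^\s*RemoteIPHeader\s+\S+", re.I)
REQ_HOST = re.compile(r"^\s*Require\s+(?:not\s+)?host\s+(.+?)\s*$", re.I)


def audit(conf_text):
    """Return (remoteip_enabled, findings); findings are (lineno, hosts)."""
    remoteip = False
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out directives are not active
        if REMOTEIP.match(line):
            remoteip = True
        m = REQ_HOST.match(line)
        if m:
            findings.append((lineno, m.group(1).split()))
    # Host rules are only reported when mod_remoteip is rewriting the
    # client address, which is the situation the thread describes.
    return remoteip, (findings if remoteip else [])


if __name__ == "__main__":
    enabled, hits = audit(SAMPLE_CONF)
    for lineno, hosts in hits:
        print(f"line {lineno}: 'Require host {' '.join(hosts)}' is checked "
              "against the connection peer (the proxy) per this thread; "
              "'Require ip' follows the mod_remoteip address")
```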


Re: Shouldn't ap_get_remote_host use req->useragent_addr?

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
On Thu, Feb 11, 2016 at 10:14 AM, William A Rowe Jr <wr...@rowe-clan.net>
wrote:

> On Thu, Jan 7, 2016 at 9:06 AM, Eric Covener <co...@gmail.com> wrote:
>
>> On Thu, Jan 7, 2016 at 9:25 AM, Jan Kaluža <jk...@redhat.com> wrote:
>> > When httpd is running behind a reverse proxy and mod_remoteip is configured,
>> > the correct client IP is logged (using %a in the LogFormat), but the proxy
>> > IP is used by 'Require host .mydomain.net'. I would expect the host based on
>> > IP provided by mod_remoteip to be used here.
>> >
>> > Is this expected behaviour? Maybe the ap_get_remote_host method should use
>> > req->useragent_addr instead of conn->client_addr to obtain the REMOTE_HOST.
>>
>> what about "Require ip ..."?
>>
>
> I agree that require host should track to the same entity as the require ip,
> which means the behavior right now is incorrect.
>
> There could be a Require conn-ip / conn-host that looks "around" the request
> based user agent down to the connection level user agent (proxy) address.
>
> But this mismatch is unnecessarily confusing, and what the original remoteip
> module was meant to avoid.
>

This is already tracked as
https://bz.apache.org/bugzilla/show_bug.cgi?id=55348
- another side effect of the same issue.

Re: Shouldn't ap_get_remote_host use req->useragent_addr?

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
On Thu, Jan 7, 2016 at 9:06 AM, Eric Covener <co...@gmail.com> wrote:

> On Thu, Jan 7, 2016 at 9:25 AM, Jan Kaluža <jk...@redhat.com> wrote:
> > When httpd is running behind a reverse proxy and mod_remoteip is configured,
> > the correct client IP is logged (using %a in the LogFormat), but the proxy
> > IP is used by 'Require host .mydomain.net'. I would expect the host based on
> > IP provided by mod_remoteip to be used here.
> >
> > Is this expected behaviour? Maybe the ap_get_remote_host method should use
> > req->useragent_addr instead of conn->client_addr to obtain the REMOTE_HOST.
>
> what about "Require ip ..."?
>

I agree that require host should track to the same entity as the require ip,
which means the behavior right now is incorrect.

There could be a Require conn-ip / conn-host that looks "around" the request
based user agent down to the connection level user agent (proxy) address.

But this mismatch is unnecessarily confusing, and what the original remoteip
module was meant to avoid.

Re: Shouldn't ap_get_remote_host use req->useragent_addr?

Posted by Eric Covener <co...@gmail.com>.
On Thu, Jan 7, 2016 at 9:25 AM, Jan Kaluža <jk...@redhat.com> wrote:
> When httpd is running behind a reverse proxy and mod_remoteip is configured,
> the correct client IP is logged (using %a in the LogFormat), but the proxy
> IP is used by 'Require host .mydomain.net'. I would expect the host based on
> IP provided by mod_remoteip to be used here.
>
> Is this expected behaviour? Maybe the ap_get_remote_host method should use
> req->useragent_addr instead of conn->client_addr to obtain the REMOTE_HOST.

what about "Require ip ..."?