Posted to dev@httpd.apache.org by Marcin Giedz <ma...@arise.pl> on 2018/01/11 14:10:47 UTC

remoteip module - extended support in 2.4 branch

Hi there, I sent the same question to the users list but it seems like dev is rather the better place.

In the trunk version, remoteip has been extended with some PROXY protocol support. Are there any chances these changes will be backported to the 2.4 branch?

Thx 
Marcin 

Re: remoteip module - extended support in 2.4 branch

Posted by Marcin Giedz <ma...@arise.pl>.
Perhaps you're right but it really does what I want - at least in test. I did svn from trunk, compiled this module and installed it on the latest 2.4.29. In my env we've got haproxy (pass-through) on the front side and then Apaches terminating SSL. There is a need to record the real IP address when a client requests the site. I was able to read this IP using mod_proxy_protocol but there was one downside to it - Proxy mode was enabled for the entire virtual host without blacklisting e.g. local flow. Just a few days ago I was reading the Apache docs and accidentally switched to the 2.5 page and found these two options:

RemoteIPProxyProtocol On 
RemoteIPProxyProtocolExceptions 127.0.0.1 192.168.93.0/24 

There was one note saying these are available in 2.4 starting from 2.4.28 (afair) but... I ended up with what you suggested and it seems like I got what I wanted. Does this make more sense?

Thx 
Marcin 


From: "William A Rowe Jr" <wr...@rowe-clan.net>
To: "dev" <de...@httpd.apache.org>
Sent: Friday, 12 January 2018 19:11:42
Subject: Re: remoteip module - extended support in 2.4 branch

You are confusing functionality. The remoteip evaluation happens after
the proxy protocol endpoints are identified. PROXY is a
connection-oriented change of the apparent request origin. The
remoteip behavior is a request-oriented change of the apparent origin,
and it can vary from request to request on the same connection.

Right now there is a proxy-specific blacklist to not expect nor
process PROXY headers from specific client IPs/subnets; this directive
has no effect on remoteip's trust list.

Next, we anticipate a proxy-specific whitelist to enable processing of 
PROXY headers only from specific client IPs/subnets. It would still be 
followed by the blacklist exclusions. 

The net result is a binary decision of whether a PROXY header is or is
not expected, and therefore required. There was once an 'optional'
behavior, but we noted the ambiguity would lead to security concerns.

After the PROXY handling is complete, remoteip can further intervene, 
request-by-request. 


On Thu, Jan 11, 2018 at 10:56 PM, Marcin Giedz <ma...@arise.pl> wrote: 
> Thx William, good to hear there are no API changes and the module from trunk
> should fit 2.4. The most important feature for me is actually the one
> disabling PROXY mode for particular IPs - something I cannot achieve with
> the proxy_protocol external module
> 
> M. 
> 
> ________________________________ 
> From: "William A Rowe Jr" <wr...@rowe-clan.net>
> To: "dev" <de...@httpd.apache.org>
> Sent: Friday, 12 January 2018 0:11:19
> Subject: Re: remoteip module - extended support in 2.4 branch
> 
> Marcin, 
> 
> There are no required API changes; you should be able to drop in the trunk
> version of mod_remoteip.c and it should just compile. Or you can compile
> the trunk module with apxs -c
> 
> There is one agreed/anticipated change, to enable PROXY protocol on a remote 
> client IP basis (e.g. enable for proxy machines' IPs but not for other local 
> traffic.) That should be the primary delta between what is in trunk and what 
> will ship in 2.4. 
> 
> Other questions such as splitting this off into a mod_proxy_protocol module 
> are up in the air, and shouldn't affect the module behavior. 
> 
> 
> On Jan 11, 2018 10:33 AM, "Marcin Giedz" <ma...@arise.pl> wrote: 
> 
> Is there any timeline for this? Or should I build httpd myself from trunk?
> 
> ________________________________ 
> From: "Eric Covener" <co...@gmail.com>
> To: "dev" <de...@httpd.apache.org>
> Sent: Thursday, 11 January 2018 15:20:56
> Subject: Re: remoteip module - extended support in 2.4 branch
> 
> On Thu, Jan 11, 2018 at 9:10 AM, Marcin Giedz <ma...@arise.pl> wrote: 
>> Hi there, I sent the same question to the users list but it seems like dev is rather
>> the better place.
>>
>> In the trunk version, remoteip has been extended with some PROXY protocol
>> support. Are there any chances these changes will be backported to the 2.4
>> branch?
> 
> There are chances, but there is some disagreement over how/where (part 
> of remoteip or not is one dimension of it) 
> 
> 
> 


Re: remoteip module - extended support in 2.4 branch

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
You are confusing functionality. The remoteip evaluation happens after
the proxy protocol endpoints are identified. PROXY is a
connection-oriented change of the apparent request origin. The
remoteip behavior is a request-oriented change of the apparent origin,
and it can vary from request to request on the same connection.

Right now there is a proxy-specific blacklist to not expect nor
process PROXY headers from specific client IPs/subnets; this directive
has no effect on remoteip's trust list.

Next, we anticipate a proxy-specific whitelist to enable processing of
PROXY headers only from specific client IPs/subnets. It would still be
followed by the blacklist exclusions.

The net result is a binary decision of whether a PROXY header is or is
not expected, and therefore required. There was once an 'optional'
behavior, but we noted the ambiguity would lead to security concerns.

After the PROXY handling is complete, remoteip can further intervene,
request-by-request.


On Thu, Jan 11, 2018 at 10:56 PM, Marcin Giedz <ma...@arise.pl> wrote:
> Thx William, good to hear there are no API changes and the module from trunk
> should fit 2.4. The most important feature for me is actually the one
> disabling PROXY mode for particular IPs - something I cannot achieve with
> the proxy_protocol external module
>
> M.
>
> ________________________________
> From: "William A Rowe Jr" <wr...@rowe-clan.net>
> To: "dev" <de...@httpd.apache.org>
> Sent: Friday, 12 January 2018 0:11:19
> Subject: Re: remoteip module - extended support in 2.4 branch
>
> Marcin,
>
> There are no required API changes; you should be able to drop in the trunk
> version of mod_remoteip.c and it should just compile. Or you can compile
> the trunk module with apxs -c
>
> There is one agreed/anticipated change, to enable PROXY protocol on a remote
> client IP basis (e.g. enable for proxy machines' IPs but not for other local
> traffic.) That should be the primary delta between what is in trunk and what
> will ship in 2.4.
>
> Other questions such as splitting this off into a mod_proxy_protocol module
> are up in the air, and shouldn't affect the module behavior.
>
>
> On Jan 11, 2018 10:33 AM, "Marcin Giedz" <ma...@arise.pl> wrote:
>
> Is there any timeline for this? Or should I build httpd myself from trunk?
>
> ________________________________
> From: "Eric Covener" <co...@gmail.com>
> To: "dev" <de...@httpd.apache.org>
> Sent: Thursday, 11 January 2018 15:20:56
> Subject: Re: remoteip module - extended support in 2.4 branch
>
> On Thu, Jan 11, 2018 at 9:10 AM, Marcin Giedz <ma...@arise.pl> wrote:
>> Hi there, I sent the same question to the users list but it seems like dev is rather
>> the better place.
>>
>> In the trunk version, remoteip has been extended with some PROXY protocol
>> support. Are there any chances these changes will be backported to the 2.4
>> branch?
>
> There are chances, but there is some disagreement over how/where (part
> of remoteip or not is one dimension of it)
>
>
>
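
The two-stage decision William describes (a per-connection, binary PROXY-header decision with an exception list, followed by a per-request remoteip trust walk) and the RemoteIPProxyProtocolExceptions list Marcin quotes above can be made concrete with a small model. The following is an added example written for this thread, not code from httpd or mod_remoteip: the exception list copies the thread's two values, the remoteip trust list (INTERNAL_PROXIES, standing in for the real RemoteIPInternalProxy directive) is constructed, and every peer address, PROXY line and X-Forwarded-For value is constructed sample input. It shows why a peer outside the exception list is simply rejected when it omits the header, why bytes spelling "PROXY" from an exempt peer are never honoured, and why a forged X-Forwarded-For from an untrusted origin changes nothing.

```python
"""Model of connection-level PROXY handling followed by request-level remoteip
handling. Added example; not httpd's implementation."""
import ipaddress

# Connection level: peers in this list are NOT expected to send a PROXY header
# (values copied from the thread's RemoteIPProxyProtocolExceptions line).
PROXY_EXCEPTIONS = [ipaddress.ip_network(n) for n in ("127.0.0.1", "192.168.93.0/24")]
# Request level: hops whose X-Forwarded-For entries remoteip may trust
# (constructed stand-in for a RemoteIPInternalProxy trust list).
INTERNAL_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.93.0/24")]


class ProxyHeaderError(Exception):
    """Peer was expected to send a PROXY header and did not send a valid one."""


def in_any(ip, nets):
    return any(ip in net for net in nets)


def parse_proxy_v1(line):
    """Parse one PROXY protocol v1 line (without the trailing CRLF).
    Returns the advertised source address, or None for 'PROXY UNKNOWN'."""
    try:
        parts = line.decode("ascii").split(" ")
        if parts[0] != "PROXY":
            raise ProxyHeaderError("not a PROXY v1 header")
        if parts[1:] == ["UNKNOWN"]:
            return None  # sender could not determine the origin; keep the TCP peer
        if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
            raise ProxyHeaderError("malformed PROXY v1 header")
        src = ipaddress.ip_address(parts[2])
        ipaddress.ip_address(parts[3])  # destination must parse as well
    except ValueError as exc:  # covers bad UTF/ASCII and bad addresses
        raise ProxyHeaderError("malformed PROXY v1 header") from exc
    if (parts[1] == "TCP4") != (src.version == 4):
        raise ProxyHeaderError("address family does not match protocol")
    for port in parts[4:6]:
        if not port.isdigit() or int(port) > 65535:
            raise ProxyHeaderError("bad port")
    return src


def connection_origin(peer, first_bytes):
    """Binary decision, made once per connection: a peer outside the exception
    list MUST send a PROXY header; a peer inside it never has one parsed."""
    peer = ipaddress.ip_address(peer)
    if in_any(peer, PROXY_EXCEPTIONS):
        return peer, first_bytes  # handed to the HTTP parser untouched
    line, sep, rest = first_bytes.partition(b"\r\n")
    if not sep or len(line) > 105:  # v1 header is at most 107 bytes with CRLF
        raise ProxyHeaderError("PROXY header required but missing")
    src = parse_proxy_v1(line)
    return (peer if src is None else src), rest


def request_origin(conn_origin, xff):
    """Request-level step modelled on remoteip: walk X-Forwarded-For from the
    right, taking each hop only while the current origin is a trusted proxy."""
    client = conn_origin
    hops = [h.strip() for h in xff.split(",")] if xff else []
    while hops and in_any(client, INTERNAL_PROXIES):
        try:
            client = ipaddress.ip_address(hops.pop())
        except ValueError:
            break  # unparsable hop: stop rather than trust garbage
    return client


def resolve_client(peer, first_bytes, xff=None):
    """Compose both steps; returns the apparent client address as a string."""
    origin, _payload = connection_origin(peer, first_bytes)
    return str(request_origin(origin, xff))


if __name__ == "__main__":
    # haproxy (not exempt) announces the real client; a forged X-Forwarded-For
    # is ignored because 203.0.113.7 is not a trusted hop.
    print(resolve_client("10.0.0.5",
                         b"PROXY TCP4 203.0.113.7 10.0.0.9 51234 443\r\nGET / HTTP/1.1\r\n",
                         xff="192.0.2.1"))
    # local health check (exempt): nothing parsed, bytes pass through
    print(resolve_client("127.0.0.1", b"GET /status HTTP/1.1\r\n"))
    # exempt internal hop on the remoteip trust list: X-Forwarded-For is
    # honoured up to the first untrusted hop
    print(resolve_client("192.168.93.2", b"GET / HTTP/1.1\r\n", xff="203.0.113.7, 10.0.0.1"))
    # neither exempt nor sending PROXY: rejected outright
    try:
        resolve_client("198.51.100.4", b"GET / HTTP/1.1\r\n")
    except ProxyHeaderError as e:
        print("rejected:", e)
```

The point of the binary rule is visible in the last case: because the decision depends only on the peer address, a connection that should carry a PROXY header and does not is refused rather than silently treated as originating from the peer, which is the ambiguity an 'optional' mode would reintroduce.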

Re: remoteip module - extended support in 2.4 branch

Posted by Marcin Giedz <ma...@arise.pl>.
Thx William, good to hear there are no API changes and the module from trunk should fit 2.4. The most important feature for me is actually the one disabling PROXY mode for particular IPs - something I cannot achieve with the proxy_protocol external module

M. 


From: "William A Rowe Jr" <wr...@rowe-clan.net>
To: "dev" <de...@httpd.apache.org>
Sent: Friday, 12 January 2018 0:11:19
Subject: Re: remoteip module - extended support in 2.4 branch

Marcin, 

There are no required API changes; you should be able to drop in the trunk version of mod_remoteip.c and it should just compile. Or you can compile the trunk module with apxs -c

There is one agreed/anticipated change, to enable PROXY protocol on a remote client IP basis (e.g. enable for proxy machines' IPs but not for other local traffic.) That should be the primary delta between what is in trunk and what will ship in 2.4. 

Other questions such as splitting this off into a mod_proxy_protocol module are up in the air, and shouldn't affect the module behavior. 


On Jan 11, 2018 10:33 AM, "Marcin Giedz" < marcin.giedz@arise.pl > wrote:

Is there any timeline for this? Or should I build httpd myself from trunk?


From: "Eric Covener" < covener@gmail.com >
To: "dev" < dev@httpd.apache.org >
Sent: Thursday, 11 January 2018 15:20:56
Subject: Re: remoteip module - extended support in 2.4 branch

On Thu, Jan 11, 2018 at 9:10 AM, Marcin Giedz < marcin.giedz@arise.pl > wrote: 
> Hi there, I sent the same question to the users list but it seems like dev is rather
> the better place.
>
> In the trunk version, remoteip has been extended with some PROXY protocol
> support. Are there any chances these changes will be backported to the 2.4
> branch?

There are chances, but there is some disagreement over how/where (part 
of remoteip or not is one dimension of it) 







Re: remoteip module - extended support in 2.4 branch

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
Marcin,

There are no required API changes; you should be able to drop in the trunk
version of mod_remoteip.c and it should just compile. Or you can compile
the trunk module with apxs -c

There is one agreed/anticipated change, to enable PROXY protocol on a
remote client IP basis (e.g. enable for proxy machines' IPs but not for
other local traffic.) That should be the primary delta between what is in
trunk and what will ship in 2.4.

Other questions such as splitting this off into a mod_proxy_protocol module
are up in the air, and shouldn't affect the module behavior.


On Jan 11, 2018 10:33 AM, "Marcin Giedz" <ma...@arise.pl> wrote:

Is there any timeline for this? Or should I build httpd myself from trunk?

------------------------------
*From: *"Eric Covener" <co...@gmail.com>
*To: *"dev" <de...@httpd.apache.org>
*Sent: *Thursday, 11 January 2018 15:20:56
*Subject: *Re: remoteip module - extended support in 2.4 branch

On Thu, Jan 11, 2018 at 9:10 AM, Marcin Giedz <ma...@arise.pl> wrote:
> Hi there, I sent the same question to the users list but it seems like dev is rather
> the better place.
>
> In the trunk version, remoteip has been extended with some PROXY protocol
> support. Are there any chances these changes will be backported to the 2.4
> branch?

There are chances, but there is some disagreement over how/where (part
of remoteip or not is one dimension of it)

Re: remoteip module - extended support in 2.4 branch

Posted by Marcin Giedz <ma...@arise.pl>.
Is there any timeline for this? Or should I build httpd myself from trunk?


From: "Eric Covener" <co...@gmail.com>
To: "dev" <de...@httpd.apache.org>
Sent: Thursday, 11 January 2018 15:20:56
Subject: Re: remoteip module - extended support in 2.4 branch

On Thu, Jan 11, 2018 at 9:10 AM, Marcin Giedz <ma...@arise.pl> wrote: 
> Hi there, I sent the same question to the users list but it seems like dev is rather
> the better place.
>
> In the trunk version, remoteip has been extended with some PROXY protocol
> support. Are there any chances these changes will be backported to the 2.4
> branch?

There are chances, but there is some disagreement over how/where (part 
of remoteip or not is one dimension of it) 


Re: remoteip module - extended support in 2.4 branch

Posted by Eric Covener <co...@gmail.com>.
On Thu, Jan 11, 2018 at 9:10 AM, Marcin Giedz <ma...@arise.pl> wrote:
> Hi there, I sent the same question to the users list but it seems like dev is rather
> the better place.
>
> In the trunk version, remoteip has been extended with some PROXY protocol
> support. Are there any chances these changes will be backported to the 2.4
> branch?

There are chances, but there is some disagreement over how/where (part
of remoteip or not is one dimension of it)