Posted to notifications@httpd.apache.org by GitBox <gi...@apache.org> on 2021/10/30 02:40:19 UTC

[GitHub] [httpd] sriccio commented on pull request #68: Extending mod_remoteip to support Host/Port/Protocol mangling natively

sriccio commented on pull request #68:
URL: https://github.com/apache/httpd/pull/68#issuecomment-955132392


   Hello,
   
   We're using Caddy as a TLS terminator for our Apache. Caddy communicates with Apache using HTTP on localhost.
   For compatibility reasons with other modules we need to use Apache 2.4.37 (CentOS package), and we found this patch for mod_remoteip that seems to work on 2.4.37 after a bit of editing.
   
   Here is the patch:
   https://gist.github.com/sriccio/5199659169d867570dd7adf82a6abb40
   
   However, with our config:
   
   ```
   # Let apache know we're behind a SSL reverse proxy (caddy)
   <IfModule mod_remoteip.c>
           RemoteIPHeader "X-Forwarded-For"
           RemotePortHeader "X-Port"
           RemoteProtoHeader "X-Forwarded-Proto"
           RemoteAllowOnlyInternalProxies on
           RemoteIPInternalProxy 127.0.0.0/8
   </IfModule>
   ```
   
   It works as long as we request the homepages of the sites (https://site.tld).
   As soon as we try to request anything else (https://site.tld/whatever), it returns a 403 access denied.
   
   We found out that setting `RemoteAllowOnlyInternalProxies on` to `off` resolves the issue, but I'm curious whether that should happen.
   
   All requests to Apache are being made by Caddy through the loopback interface, and they are declared as InternalProxies.
   
   Could this be a bug in the patch, or am I misunderstanding the meaning of InternalProxies?
   
   Thanks a lot for the help.
   
   Kind regards.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@httpd.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


