Download: httpd-2.4-remoteip-rpaf-2.4.41.patch

Apache: extending mod_remoteip to support Host/Port/Protocol mangling natively

Configuration directives (in addition to default mod_remoteip configuration):

RemoteHostHeader

Specifying it (e.g. as X-Forwarded-Host) copies the value of the named header into the 'real' Host header known to Apache. This does not affect virtual host selection: the virtual host is still selected from the initial Host header supplied by the directly connecting client (the balancer). It only affects the Host header seen by later Apache configuration (rewrites and the like) and by e.g. PHP. In combination with another patch on this blog (UseCanonicalName Host), this can be used to affect SERVER_NAME as well without selecting a different virtual host. If the specified header does not exist in the request, the known Host header value is not changed.

RemotePortHeader

Specifying it (e.g. as X-Forwarded-Port) sets the server port number known to the Apache configuration (and e.g. to PHP in SERVER_PORT) to the value of the header with the specified name. If the specified header does not exist, the default virtual host or other Apache configuration port value is used.

RemoteProtoHeader

Specifying it (e.g. as X-Forwarded-Proto) ensures that when a header with the specified name exists and carries a value matching the one set by the RemoteHTTPSEnableProto configuration directive (or just https when RemoteHTTPSEnableProto is omitted), three things follow:

1) The HTTPS environment variable for the request is set to on, so Apache and e.g. PHP see it (this uses a trick ported from mod_rpaf to keep it set on internal rewrites)
2) The Apache request scheme is set to https, so e.g. PHP sees it and conditions based on it work
3) Apache selects port 443 as the default port for the request (e.g. in PHP SERVER_PORT); the RemotePortHeader header value still has priority if specified

As far as I tested it, it lives quite well with mod_ssl, but as with mod_rpaf, usage of this directive together with mod_ssl defeats the whole purpose and so is not recommended.

RemoteHTTPSEnableProto

Meaningful only when RemoteProtoHeader is specified, this designates the value the protocol header is checked for in order to treat the request as HTTPS-enabled. Defaults to https, but can be changed, e.g. to on, to comply with some balancer header variants (like X-HTTPS: on).

RemoteAllowOnlyInternalProxies

This option is a flag and is disabled by default. Enabling it returns HTTP Forbidden to requests coming directly from any host that is not designated as a mod_remoteip internal proxy. It can be turned on to ensure nothing except internal proxies gets access to your backend servers.

Please note that all the header options are considered only for mod_remoteip internal proxies connecting directly. If the directly connecting host is not designated as an internal proxy for mod_remoteip, the headers specified in these directives and their values are ignored (they cannot be trusted from anywhere except the last internal proxy connecting directly, and if any propagation is needed it can usually be done easily in the proxy chain).

Example:

RemoteIPInternalProxyList /etc/httpd/balancer.list
RemoteIPHeader X-Forwarded-For

RemoteHostHeader X-Forwarded-Host
RemotePortHeader X-Forwarded-Port
RemoteProtoHeader X-Forwarded-Proto
RequestHeader unset X-Forwarded-Host
RequestHeader unset X-Forwarded-Port
RequestHeader unset X-Forwarded-Proto
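
The trust and priority rules described above, modelled as a stand-alone C function (an added example, not code from the patch). The struct and function names are hypothetical, and the "http" default scheme, the exact string comparison of the protocol value and the port range check are assumptions of this sketch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model types; none of these names come from the patch. */
struct req {
    int from_internal_proxy; /* direct peer is on the mod_remoteip internal proxy list */
    const char *host;        /* Host header as sent by the direct peer */
    const char *fwd_host;    /* RemoteHostHeader value, NULL if header absent */
    const char *fwd_port;    /* RemotePortHeader value, NULL if header absent */
    const char *fwd_proto;   /* RemoteProtoHeader value, NULL if header absent */
};
struct view { int status; const char *host; int port; const char *scheme; int https; };

/* vhost_port: port Apache would otherwise report; enable_proto: RemoteHTTPSEnableProto
 * (NULL means the default "https"); only_internal: RemoteAllowOnlyInternalProxies. */
struct view resolve(const struct req *r, int vhost_port, const char *enable_proto,
                    int only_internal)
{
    struct view v = { 200, r->host, vhost_port, "http", 0 };
    if (!r->from_internal_proxy) {          /* untrusted peer: headers are ignored */
        if (only_internal) v.status = 403;  /* flag on: direct access is forbidden */
        return v;
    }
    /* Exact string match is an assumption; the page does not state the comparison. */
    if (r->fwd_proto && strcmp(r->fwd_proto, enable_proto ? enable_proto : "https") == 0) {
        v.https = 1; v.scheme = "https"; v.port = 443;
    }
    if (r->fwd_port) {                      /* port header has priority over 443 */
        char *end;
        long p = strtol(r->fwd_port, &end, 10);
        /* Range check is this sketch's choice, not documented patch behaviour. */
        if (end != r->fwd_port && *end == '\0' && p > 0 && p <= 65535) v.port = (int)p;
    }
    if (r->fwd_host) v.host = r->fwd_host;  /* absent header leaves Host unchanged */
    return v;
}

int main(void)
{
    /* Constructed requests: same headers, trusted balancer vs. direct client. */
    struct req lb  = { 1, "backend.internal", "shop.example", NULL, "https" };
    struct req raw = { 0, "backend.internal", "shop.example", NULL, "https" };
    struct view a = resolve(&lb, 80, NULL, 1), b = resolve(&raw, 80, NULL, 1);
    printf("balancer: %d %s://%s:%d\n", a.status, a.scheme, a.host, a.port);
    printf("direct:   %d %s://%s:%d\n", b.status, b.scheme, b.host, b.port);
    return 0;
}
```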
