lighttpd 1.4.x
https://www.lighttpd.net/
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
105 lines
2.9 KiB
105 lines
2.9 KiB
============== |
|
mod_extforward |
|
============== |
|
|
|
.. contents:: |
|
|
|
Overview |
|
======== |
|
|
|
Comman Kang <comman.kang at gmail.com> sent me: :: |
|
|
|
Hello jan. |
|
|
|
I've made something rough but similar to mod_extract_forwarded for |
|
Apache. This module will extract the client's "real" ip from |
|
X-Forwarded-For header which is added by squid or other proxies. It might be |
|
useful for servers behind reverse proxy servers. |
|
|
|
However, this module is causing segfault with mod_ssl or |
|
$HTTP{''socket"} directive, crashing in config_check_cond while patching |
|
connection , I do not understand architecture of the lighttpd well, does it |
|
need to call patch_connection in either handle_request_done and |
|
connection_reset ? |
|
|
|
Lionel Elie Mamane <lionel@mamane.lu> improved the patch: :: |
|
|
|
I've taken lighttpd-1.4.10-mod_extforward.c from the wiki and I've |
|
extended it. Here is the result. |
|
|
|
Major changes: |
|
|
|
- IPv6 support |
|
|
|
- Fixed at least one segfault with SERVER['socket'] |
|
|
|
- Arrange things so that a url.access-deny under scope of a |
|
HTTP['remoteip'] condition works well :) |
|
|
|
I've commented the code in some places, mostly where I wasn't sure |
|
what was going on, or I didn't see what the original author meant to |
|
do. |
|
|
|
Options |
|
======= |
|
|
|
extforward.forwarder |
|
Sets trust level of proxy IP's. |
|
|
|
Default: empty |
|
|
|
Example: :: |
|
|
|
extforward.forwarder = ("10.0.0.232" => "trust") |
|
|
|
will translate ip addresses coming from 10.0.0.232 to real ip addresses extracted from "X-Forwarded-For" or "Forwarded-For" HTTP request header. |
|
|
|
extforward.headers |
|
Sets headers to search for finding the originl addresses. |
|
|
|
Example (for use with a Zeus ZXTM loadbalancer): :: |
|
|
|
extforward.headers = ("X-Cluster-Client-Ip") |
|
|
|
Default: empty, results in searching for "X-Forwarded-For" and "Forwarded-For" |
|
|
|
Note |
|
======= |
|
|
|
The effect of this module is variable on $HTTP["remotip"] directives and other module's remote ip dependent actions. |
|
Things done by modules before we change the remoteip or after we reset it will match on the proxy's IP. |
|
Things done in between these two moments will match on the real client's IP. |
|
The moment things are done by a module depends on in which hook it does things and within the same hook |
|
on whether they are before/after us in the module loading order |
|
(order in the server.modules directive in the config file). |
|
|
|
Tested behaviours: |
|
|
|
mod_access: Will match on the real client. |
|
|
|
mod_accesslog: |
|
In order to see the "real" ip address in access log , |
|
you'll have to load mod_extforward after mod_accesslog. |
|
like this: :: |
|
|
|
server.modules = ( |
|
..... |
|
mod_accesslog, |
|
mod_extforward |
|
) |
|
|
|
Samples |
|
======= |
|
|
|
Trust proxy 10.0.0.232 and 10.0.0.232 :: |
|
|
|
extforward.forwarder = ( |
|
"10.0.0.232" => "trust", |
|
"10.0.0.233" => "trust", |
|
) |
|
|
|
Trust all proxies (NOT RECOMMENDED!) :: |
|
|
|
extforward.forwarder = ( "all" => "trust") |
|
|
|
Note that "all" has precedence over specific entries, so "all except" setups will not work.
|
|
|