106 lines
2.9 KiB
Plaintext
106 lines
2.9 KiB
Plaintext
==============
|
|
mod_extforward
|
|
==============
|
|
|
|
.. contents::
|
|
|
|
Overview
|
|
========
|
|
|
|
Comman Kang <comman.kang at gmail.com> sent me: ::
|
|
|
|
Hello jan.
|
|
|
|
I've made something rough but similar to mod_extract_forwarded for
|
|
Apache. This module will extract the client's "real" ip from
|
|
X-Forwarded-For header which is added by squid or other proxies. It might be
|
|
useful for servers behind reverse proxy servers.
|
|
|
|
However, this module is causing segfault with mod_ssl or
|
|
$HTTP{''socket"} directive, crashing in config_check_cond while patching
|
|
connection , I do not understand architecture of the lighttpd well, does it
|
|
need to call patch_connection in either handle_request_done and
|
|
connection_reset ?
|
|
|
|
Lionel Elie Mamane <lionel@mamane.lu> improved the patch: ::
|
|
|
|
I've taken lighttpd-1.4.10-mod_extforward.c from the wiki and I've
|
|
extended it. Here is the result.
|
|
|
|
Major changes:
|
|
|
|
- IPv6 support
|
|
|
|
- Fixed at least one segfault with SERVER['socket']
|
|
|
|
- Arrange things so that a url.access-deny under scope of a
|
|
HTTP['remoteip'] condition works well :)
|
|
|
|
I've commented the code in some places, mostly where I wasn't sure
|
|
what was going on, or I didn't see what the original author meant to
|
|
do.
|
|
|
|
Options
|
|
=======
|
|
|
|
extforward.forwarder
|
|
Sets trust level of proxy IP's.
|
|
|
|
Default: empty
|
|
|
|
Example: ::
|
|
|
|
extforward.forwarder = ("10.0.0.232" => "trust")
|
|
|
|
will translate ip addresses coming from 10.0.0.232 to real ip addresses extracted from "X-Forwarded-For" or "Forwarded-For" HTTP request header.
|
|
|
|
extforward.headers
|
|
Sets headers to search for finding the originl addresses.
|
|
|
|
Example (for use with a Zeus ZXTM loadbalancer): ::
|
|
|
|
extforward.headers = ("X-Cluster-Client-Ip")
|
|
|
|
Default: empty, results in searching for "X-Forwarded-For" and "Forwarded-For"
|
|
|
|
Note
|
|
=======
|
|
|
|
The effect of this module is variable on $HTTP["remotip"] directives and other module's remote ip dependent actions.
|
|
Things done by modules before we change the remoteip or after we reset it will match on the proxy's IP.
|
|
Things done in between these two moments will match on the real client's IP.
|
|
The moment things are done by a module depends on in which hook it does things and within the same hook
|
|
on whether they are before/after us in the module loading order
|
|
(order in the server.modules directive in the config file).
|
|
|
|
Tested behaviours:
|
|
|
|
mod_access: Will match on the real client.
|
|
|
|
mod_accesslog:
|
|
In order to see the "real" ip address in access log ,
|
|
you'll have to load mod_extforward after mod_accesslog.
|
|
like this: ::
|
|
|
|
server.modules = (
|
|
.....
|
|
mod_accesslog,
|
|
mod_extforward
|
|
)
|
|
|
|
Samples
|
|
=======
|
|
|
|
Trust proxy 10.0.0.232 and 10.0.0.232 ::
|
|
|
|
extforward.forwarder = (
|
|
"10.0.0.232" => "trust",
|
|
"10.0.0.233" => "trust",
|
|
)
|
|
|
|
Trust all proxies (NOT RECOMMENDED!) ::
|
|
|
|
extforward.forwarder = ( "all" => "trust")
|
|
|
|
Note that "all" has precedence over specific entries, so "all except" setups will not work.
|