Feature #2860

RFE: mod_extforward CIDR support

Added by glen 23 days ago. Updated 22 days ago.

Status: New
Priority: Low
Assignee: -
Category: mod_extforward
Target version:
Start date: 2018-01-31
Due date:
% Done: 0%
Estimated time:
Missing in 1.5.x:

Description

lighttpd does not support adding whole networks as extforwarder.

Tried variants:

$HTTP["remoteip"] == "192.168.24.0/24" {
    extforward.forwarder = ( "all" => "trust" )
}

extforward.forwarder = (
    "192.168.24.0" => "trust",
)

extforward.forwarder = (
    "192.168.24.0/24" => "trust",
)

The second problem (or part of the problem) is that chained trust (no longer?) works:

$HTTP["remoteip"] == "192.168.24.0/24" {
   extforward.forwarder = ( "all" => "trust" )
   extforward.headers = ("X-Real-IP","X-Forwarded-For")
}

For this, an additional row must be added to haproxy:

http-request set-header X-Real-IP %[src]

The problem was that there were multiple IPs in the X-Forwarded-For header, and it seems lighty was able to trust only one of the internal IPs.

If lighttpd is reached via multiple trusted proxies, those all need to be trusted and X-Forwarded-For walked until the first untrusted IP is found.
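
The walk requested above, sketched as an added example that is not part of the original issue and is not lighttpd's code: trusted proxies are given as CIDR networks and X-Forwarded-For is read right to left until the first address outside them. The function names and the sample addresses (other than 192.168.24.0/24) are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: the trusted network is the one named in the issue.
TRUSTED_NETS = [ipaddress.ip_network("192.168.24.0/24")]


def in_trusted_net(ip, nets):
    """CIDR membership test; an IPv6 address never matches an IPv4 network."""
    return any(ip in net for net in nets)


def resolve_client_ip(peer_addr, xff_values, nets=TRUSTED_NETS):
    """Return the address to treat as the client (hypothetical helper).

    peer_addr  -- address of the TCP peer that connected to the web server
    xff_values -- X-Forwarded-For header values, in the order received
    """
    # Honour the header only when the direct peer is itself a trusted proxy;
    # otherwise any client could claim an arbitrary address.
    if not in_trusted_net(ipaddress.ip_address(peer_addr), nets):
        return peer_addr
    hops = [h.strip() for v in xff_values for h in v.split(",") if h.strip()]
    client = peer_addr
    # Each proxy appends the address it saw, so only the rightmost entries
    # were written by trusted proxies; anything further left is client input.
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            break  # unparsable entry: keep the last address we could verify
        client = str(ip)
        if not in_trusted_net(ip, nets):
            break  # first untrusted address: this is the client
    return client


if __name__ == "__main__":
    # Constructed request: client 203.0.113.7 forged a leading entry, then the
    # request passed two proxies inside 192.168.24.0/24.
    header = ["10.9.9.9, 203.0.113.7, 192.168.24.5"]
    print(resolve_client_ip("192.168.24.10", header))
```

Stopping at the first untrusted address is what keeps a forged leading entry from being accepted as the client.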

History

#1

Updated by gstrauss 22 days ago

  • Subject changed from missing proper extforward cidr support to RFE: mod_extforward CIDR support
  • Priority changed from Normal to Low

No, mod_extforward does not have CIDR support.

mod_extforward has support for haproxy PROXY protocol.
See #2804 and Docs_ModExtForward extforward.hap-PROXY and extforward.hap-PROXY-ssl-client-verify

#2

Updated by glen 22 days ago

gstrauss wrote:

No, mod_extforward does not have CIDR support.

mod_extforward has support for haproxy PROXY protocol.
See #2804 and Docs_ModExtForward extforward.hap-PROXY and extforward.hap-PROXY-ssl-client-verify

Sadly that does not satisfy me, because I have varnish as lighttpd upstream for http connections and varnish+haproxy for https connections, so lighttpd is contacted via varnish only.

Also, even when using haproxy PROXY, the extforward.forwarder still doesn't support CIDR:

Also, note that when extforward.hap-PROXY = "enable", mod_extforward will process HAProxy PROXY protocol requests only for trusted proxies configured in extforward.forwarder.
