
Revision 16 (weakish, 2008-12-21 11:56) → Revision 17/36 (glen, 2009-02-02 10:57)

h1. mod_extforward 

h2. Overview

*Attention:* currently in 1.4.17 / 1.4.16 / 1.4.15 and maybe earlier versions, mod_extforward breaks (at least) URL matching, as described in bug #1164. That page also mentions a patch that fixes the problem (at the bottom).

Comman Kang <comman.kang at gmail.com> sent me:


<pre>
Hello jan.

I've made something rough but similar to mod_extract_forwarded for
Apache. This module will extract the client's "real" ip from
X-Forwarded-For header which is added by squid or other proxies. It might be
useful for servers behind reverse proxy servers.

However, this module is causing segfault with mod_ssl or
$HTTP["socket"] directive, crashing in config_check_cond while patching
connection. I do not understand architecture of the lighttpd well, does it
need to call patch_connection in either handle_request_done and
connection_reset?
</pre>

Lionel Elie Mamane <lionel@mamane.lu> improved the patch:

 <pre> 
     I've taken lighttpd-1.4.10-mod_extforward.c from the wiki and I've 
   extended it. Here is the result. 

   Major changes: 

    - IPv6 support 

    - Fixed at least one segfault with SERVER['socket'] 

    - Arrange things so that a url.access-deny under scope of a 
      HTTP['remoteip'] condition works well :) 

   I've commented the code in some places, mostly where I wasn't sure 
   what was going on, or I didn't see what the original author meant to 
   do. 
 </pre> 

h2. Options

extforward.forwarder
  Sets the trust level of proxy IPs.

  Default: empty

  Example:

<pre>
  extforward.forwarder = ("10.0.0.232" => "trust")
</pre>

  will translate the IP address of connections coming from 10.0.0.232 into the real client IP address extracted from the X-Forwarded-For: HTTP request header.

h2. Note

The effect of this module on $HTTP["remoteip"] conditionals and on other modules' remote-IP dependent actions varies.
Things done by modules before we change the remote IP, or after we reset it, will match on the proxy's IP.
Things done in between these two moments will match on the real client's IP.
When a module does its work depends on which hook it runs in and, within the same hook,
on whether it comes before or after us in the module loading order
(the order in the server.modules directive in the config file).

 Tested behaviours: 


 mod_access: Will match on the real client. 

mod_accesslog: In order to see the "real" IP address in the access log, you have to load mod_extforward after mod_accesslog, like this:

 <pre> 
     server.modules    = ( 
        ..... 
        "mod_accesslog", 
        "mod_extforward" 
     ) 
 </pre> 

 h2. Samples 


Trust proxies 10.0.0.232 and 10.0.0.233:

<pre>
  extforward.forwarder = (
     "10.0.0.232" => "trust",
     "10.0.0.233" => "trust"
  )
</pre>

Trust all proxies (NOT RECOMMENDED!):

<pre>
  extforward.forwarder = ( "all" => "trust")
</pre>

 Note that "all" has precedence over specific entries, so "all except" setups will not work. 
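To show what the forwarder option and the samples above mean for the address the server ends up acting on, here is an added Python model of the trust lookup; it is example code written for this page, not the module's own C implementation. It assumes a forwarder mapping shaped like the extforward.forwarder entries above, and its right-to-left walk over a comma-separated X-Forwarded-For chain (with the leftmost entry used when every hop is trusted) is an assumption modelled on the chained-proxy support listed under Changes related, not a description of what any 1.4.x release does exactly.

```python
import ipaddress

# Constructed forwarder mappings in the same shape as the
# extforward.forwarder config above (example values, not from lighttpd).
TRUST_SPECIFIC = {"10.0.0.232": "trust", "10.0.0.233": "trust"}
TRUST_ALL = {"all": "trust"}  # the NOT RECOMMENDED setting


def is_trusted(addr, forwarder):
    """True if addr is a trusted proxy under the given forwarder mapping.

    "all" takes precedence over specific entries, which is why an
    "all except" setup cannot be expressed with this option.
    """
    if forwarder.get("all") == "trust":
        return True
    return forwarder.get(addr) == "trust"


def effective_client_ip(remote_addr, xff_header, forwarder):
    """Return the address the server should treat as the client (assumed model).

    remote_addr: TCP peer address as a string (IPv4 or IPv6).
    xff_header:  the X-Forwarded-For value, or None when absent.
    An untrusted peer keeps its own address, so a client cannot change
    its apparent IP merely by sending X-Forwarded-For itself.  For a
    chain such as "client, proxyA" we walk from the right, skip trusted
    hops and stop at the first address that is not a trusted proxy.
    """
    if not xff_header or not is_trusted(remote_addr, forwarder):
        return remote_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)  # reject junk such as "unknown"
        except ValueError:
            return remote_addr  # malformed header: fall back to the peer
        if not is_trusted(hop, forwarder):
            return hop
    # Every hop was a trusted proxy (always the case under "all"), so the
    # leftmost entry is the only candidate left (assumed behaviour).
    return hops[0]


if __name__ == "__main__":
    print(effective_client_ip("10.0.0.233", "203.0.113.9, 10.0.0.232", TRUST_SPECIFIC))
```

The TRUST_ALL case is the reason the sample above is marked not recommended: any peer can then pick its own apparent address by sending the header.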

 


h2. Installation

mod_extforward is included in lighttpd 1.4.14 and later; the instructions below apply to mod_extforward 1.4.13:

You need a current source tree of lighttpd 1.4.13 and have to apply the patch:

<pre>
  $ gzip -cd lighttpd-1.4.13.tar.gz | tar xf -
  $ cd lighttpd-1.4.13
  $ patch -ls -p1 -i ../lighttpd-1.4.11-mod-ext-forward-v2.patch
  $ autoreconf
  $ ./configure ...
  $ make
  $ sudo make install
</pre>

here's my updated patch which applies to 1.4.13 tarball -glen
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/SOURCES/lighttpd-mod_extforward-v2.patch

h2. Changes related

* 1.4.19: Bug #1499: HTTPS env var should be "on" when using mod_extforward and the X-Forwarded-Proto header is set
* 1.4.19: Bug #1528: support chained proxies in mod_extforward
* 1.4.14: r1665: added mod_extforward