Project

General

Profile

Mod extforward » History » Revision 20

Revision 19 (glen, 2009-04-27 09:13) → Revision 20/36 (glen, 2012-08-11 10:42)

h1. mod_extforward 

 {{>toc}} 

 *Module: mod_extforward* 

 h2. Description 

 This module will extract the client's "real" IP from X-Forwarded-For header which is added by Squid or other proxies. It might be useful for servers behind reverse proxy servers. 

 h2. Options 

 extforward.headers 
 Sets headers to search for finding the originl addresses. 
 Default: empty, results in searching for "X-Forwarded-For" and "Forwarded-For" 

 *Example (for use with a Zeus ZXTM loadbalancer)*: 
 <pre> 
     extforward.headers = ("X-Cluster-Client-Ip") 
 </pre> 

 extforward.forwarder 
 Sets trust level of proxy IP's. 
 Default: empty 

 *Example of usage*: 
 <pre> 
     extforward.forwarder = ("10.0.0.232" => "trust") 
 </pre> 

 will translate ip addresses coming from 10.0.0.232 to real ip addresses extracted from X-Forwarded-For: HTTP request header. 

 *Important note*: 

 The effect of this module is variable on $HTTP["remoteip"] directives and other module's remote ip dependent actions. 
 Things done by modules before we change the remoteip or after we reset it will match on the proxy's IP. 
 Things done in between these two moments will match on the real client's IP. 
 The moment things are done by a module depends on in which hook it does things and within the same hook 
 on whether they are before/after us in the module loading order 
 (order in the server.modules directive in the config file). 

 Tested behaviours: 


 mod_access: Will match on the real client. 

 mod_accesslog: In order to see the "real" ip address in access log, you'll have to load mod_extforward after mod_accesslog, like this: 

 <pre> 
     server.modules    = ( 
        ..... 
        "mod_accesslog", 
        "mod_extforward" 
     ) 
 </pre> 

 h2. Samples 


 Trust proxy 10.0.0.232 and 10.0.0.233 

 <pre> 

   extforward.forwarder = ( 
      "10.0.0.232" => "trust", 
      "10.0.0.233" => "trust" 
   ) 
 </pre> 

 Trust all proxies (NOT RECOMMENDED!) 

 <pre> 
   extforward.forwarder = ( "all" => "trust") 
 </pre> 

 Note that "all" has precedence over specific entries, so "all except" setups will not work. 

 h2. Installation 

 mod_extforward is included in lighttpd 1.4.14 and later, 

 h2. Changes related to mod_extforward 

 * 1.4.23: Bug #1545: Make mod_extforward headers configurable 
 * 1.4.19: Bug #1499: HTTPS env var should be "on" when using mod_extforward and the X-Forwarded-Proto header is set. 
 * 1.4.19: Bug #1528: support chained proxies in mod_extforward 
 * 1.4.14: r1665: added mod_extforward