Project

General

Profile

Actions

Mod extforward » History » Revision 22

« Previous | Revision 22/36 (diff) | Next »
gstrauss, 2017-04-09 17:59


mod_extforward

Module: mod_extforward

Description

This module will extract the client's "real" IP from Forwarded or X-Forwarded-For header which is added by Squid or other proxies. It might be useful for servers behind reverse proxy servers.

Options

  • extforward.headers
    Sets headers to search for finding the original addresses.

    Default: empty, results in searching for "X-Forwarded-For" and "Forwarded-For"

    Example (for use with a Zeus ZXTM loadbalancer):

    extforward.headers = ("X-Cluster-Client-Ip")

    Since lighttpd 1.4.46, mod_extforward supports "Forwarded" (RFC7239). Since the header is spoofable through proxies which do not understand "Forwarded", this is not enabled by default and must be configured e.g. with extforward.headers = ("Forwarded", "X-Forwarded-For")

  • extforward.forwarder
    Sets trust level of proxy IP's.

    Default: empty

    Example of usage:

    extforward.forwarder = ("10.0.0.232" => "trust")  

    will translate ip addresses coming from 10.0.0.232 to real ip addresses extracted from X-Forwarded-For (or whatever is specified in extforward.headers) HTTP request header.

    Important note:

    The effect of this module is variable on $HTTP["remoteip"] directives and other module's remote ip dependent actions.
    Things done by modules before we change the remoteip or after we reset it will match on the proxy's IP.
    Things done in between these two moments will match on the real client's IP.
    The moment things are done by a module depends on in which hook it does things and within the same hook
    on whether they are before/after us in the module loading order
    (order in the server.modules directive in the config file).

Tested behaviours:

mod_access: Will match on the real client.

mod_accesslog: In order to see the "real" ip address in access log, you'll have to load mod_extforward after mod_accesslog, like this:

    server.modules  = (
       .....
       "mod_accesslog",
       "mod_extforward" 
    )
  • extforward.params (since 1.4.46)
    When processing "Forwarded" request header, extforward.params sets which values to propagate. "for" and "proto" are always enabled (not configurable) to maintain the existing behavior in mod_extforward. See also Docs_ModProxy for proxy.forwarded.
        extforward.params = ( #"host" => 1,        # overwrite "Host" with Forwarded value
                              #"remote_user" => 1, # set REMOTE_USER with Forwarded value
        )
    

Samples

Trust proxy 10.0.0.232 and 10.0.0.233

  extforward.forwarder = (
     "10.0.0.232" => "trust",
     "10.0.0.233" => "trust" 
  )

Trust all proxies (NOT RECOMMENDED!)

  extforward.forwarder = ( "all" => "trust")

Note that "all" has precedence over specific entries, so "all except" setups will not work.

Using $HTTP["scheme"] rules

If you are running lighttpd behind a reverse proxy (such as haproxy) to provide HTTPS termination, you may want to configure lighttpd rules which act on $HTTP["scheme"] == "https" etc
As of lighttpd 1.4.40, mod_extforward is able to detect the scheme from the front proxy, allowing you to use scheme based conditional rules in lighttpd.conf

In order to do this, extforward.headers MUST be set (and match a corresponding HTTP request header), as well as the proxy being "trusted" via extforward.forwarder

Updated by gstrauss almost 7 years ago · 22 revisions