Perhaps you're right, but it really does what I want, at least on test. I did svn from trunk, compiled this module and installed on latest 2.4.29. In my env we've got haproxy (pass-through) on the front side and then apaches terminating SSL. There is a need to record real IP address when client requests site. I was able to read this IP using mod_proxy_protocol but there was one downside of it - Proxy mode was enabled for entire virtual host without blacklisting e.g. local flow. Just a few days ago I was reading apache docs and accidentally switched to 2.5 page and found these two options:

RemoteIPProxyProtocol On
RemoteIPProxyProtocolExceptions 127.0.0.1 192.168.93.0/24

there was one mark saying - these are available in 2.4 starting from 2.4.28 (afair) but... ended up with what you suggested and seems like got what I wanted. Does this make more sense?

Thx
Marcin

From: "William A Rowe Jr" <wr...@rowe-clan.net>
To: "dev" <dev@httpd.apache.org>
Sent: Friday, 12 January 2018 19:11:42
Subject: Re: remoteip module - extended support in 2.4 branch

You are confusing functionality. The remoteip evaluation happens after the proxy protocol endpoints are identified.

PROXY is a connection-oriented change of the apparent request origin. The remoteip behavior is a request-oriented change of the apparent origin, and it can vary from request to request on the same connection.

Right now there is a proxy-specific blacklist to not expect nor process PROXY headers from specific client IPs/subnets, this directive has no effect on remoteip's trust list.

Next, we anticipate a proxy-specific whitelist to enable processing of PROXY headers only from specific client IPs/subnets. It would still be followed by the blacklist exclusions. The net result is a binary decision of whether PROXY header is or is not expected, and therefore required. There was once an 'optional' behavior, but we noted the ambiguity would lead to security concerns.

After the PROXY handling is complete, remoteip can further intervene, request-by-request.

On Thu, Jan 11, 2018 at 10:56 PM, Marcin Giedz <marcin.gi...@arise.pl> wrote:
> Thx William, good to hear there are no API changes and module from trunk
> should fit to 2.4 . The most important feature for me is actually one
> disabling PROXY mode for particular IPs - something I can not achieve with
> proxy_protocol external module
>
> M.
>
> ________________________________
> From: "William A Rowe Jr" <wr...@rowe-clan.net>
> To: "dev" <dev@httpd.apache.org>
> Sent: Friday, 12 January 2018 0:11:19
> Subject: Re: remoteip module - extended support in 2.4 branch
>
> Marcin,
>
> There are no required API changes; you should be able to drop in the trunk
> version of mod_remoteip.c and it should just compile. Or you can compile
> the trunk module with apxs -c
>
> There is one agreed/anticipated change, to enable PROXY protocol on a remote
> client IP basis (e.g. enable for proxy machines' IPs but not for other local
> traffic.) That should be the primary delta between what is in trunk and what
> will ship in 2.4.
>
> Other questions such as splitting this off into a mod_proxy_protocol module
> are up in the air, and shouldn't affect the module behavior.
>
>
> On Jan 11, 2018 10:33 AM, "Marcin Giedz" <marcin.gi...@arise.pl> wrote:
>
> is there any timeline for this ? or I should build httpd myself from trunk ?
>
> ________________________________
> From: "Eric Covener" <cove...@gmail.com>
> To: "dev" <dev@httpd.apache.org>
> Sent: Thursday, 11 January 2018 15:20:56
> Subject: Re: remoteip module - extended support in 2.4 branch
>
> On Thu, Jan 11, 2018 at 9:10 AM, Marcin Giedz <marcin.gi...@arise.pl> wrote:
>> Hi there, sent the same question to users list but seems like dev is rather
>> better place.
>>
>> In trunk version remoteip has been extended with some PROXY protocol
>> support. Are there any chances these changes will be backported to 2.4
>> branch ?
>
> There are chances, but there is some disagreement over how/where (part
> of remoteip or not is one dimension of it)
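
A simplified model of the connection-level decision described in William's reply, added here as an example (it is not code from mod_remoteip or from anyone in the thread): a peer on the exception list is never expected to send a PROXY header and none is processed, while every other peer must send one. The function names and sample addresses are assumptions; the exception list reuses the values from the directive quoted in the thread, and only PROXY protocol v1 over TCP4/TCP6 is handled.

```python
import ipaddress

# Exception list reuses the values from the directive quoted in the thread;
# every other address in this example is constructed.
EXCEPTIONS = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "192.168.93.0/24")]


def parse_proxy_v1(line: bytes):
    """Return (src_ip, src_port) from a PROXY v1 line, or raise ValueError."""
    if not line.endswith(b"\r\n") or len(line) > 107:  # 107 bytes is the v1 maximum
        raise ValueError("not a complete PROXY v1 line")
    parts = line[:-2].decode("ascii").split(" ")
    if len(parts) != 6 or parts[0] != "PROXY" or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
    if src.version != dst.version or src.version != int(parts[1][3]):
        raise ValueError("address family does not match protocol field")
    sport, dport = int(parts[4]), int(parts[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return str(src), sport


def connection_origin(peer_ip: str, first_bytes: bytes):
    """Return (apparent_client_ip, bytes_left_for_http); ValueError means drop."""
    peer = ipaddress.ip_address(peer_ip)
    if any(peer in net for net in EXCEPTIONS):
        # Exempt peer: no header is expected and none is processed, so a PROXY
        # line sent from here cannot change the recorded origin.
        return peer_ip, first_bytes
    # Any other peer must send the header; there is no "optional" mode.
    head, sep, rest = first_bytes.partition(b"\r\n")
    if not sep:
        raise ValueError("PROXY header required but missing")
    src, _ = parse_proxy_v1(head + sep)
    return src, rest


if __name__ == "__main__":
    via_proxy = b"PROXY TCP4 203.0.113.9 10.1.1.20 51000 443\r\nGET / HTTP/1.1\r\n\r\n"
    print(connection_origin("10.1.1.5", via_proxy))      # header consumed
    print(connection_origin("192.168.93.7", via_proxy))  # header ignored
```
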