On Thu, 25 Sep 2003, Haroon Rafique wrote:
> Date: Thu, 25 Sep 2003 16:15:53 -0400 (EDT)
> From: Haroon Rafique <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Off Topic: mod_perl reverse proxy setup and extracting client's
> original IP
>
> Hi,
>
> I have a slightly off topic inquiry. I've googled/RTFMed. I run mod_perl
> in a reverse proxy setup. Light apache in the front-end, heavy mod_perl
> apache in the back-end both running on the same machine.
>
> The front end has the following reverse proxy directives:
>
> ProxyPass /perl/ http://localhost:8103/perl/
> ProxyPassReverse /perl/ http://localhost:8103/perl/
You might also want to enable the "ProxyPreserveHost" directive, so that
your backend server can handle virtual servers as well.
Regards,
Jie
> Due to the reverse proxy setup, the original client IP is lost and all IP
> is reported as 127.0.0.1 (front-end). To extract the client's original IP
> I was happy to learn that mod_proxy conveniently adds a X-Forwarded-For
> header to the proxied requests automatically. On the back-end, I use:
>
> PerlPostReadRequestHandler My::ProxyRemoteAddr
>
> where My::ProxyRemoteAddr has code identical to
> http://perl.apache.org/docs/1.0/guide/scenario.html#Usage
> except for some minor mp2 migrations.
>
> use Apache::RequestRec ();
> use Apache::Connection ();
> use APR::Table ();
> use Apache::Const -compile => qw(OK);
>
> sub My::ProxyRemoteAddr ($) {
>     my $r = shift;
>
>     # we'll only look at the X-Forwarded-For header if the request
>     # comes from our proxy at localhost
>     return Apache::OK
>         unless ($r->connection->remote_ip =~
>                 m#^(127\.0\.0\.1|localhost\.localdomain)$#)
>             and $r->headers_in->{'X-Forwarded-For'};
>
>     # Select last value in the chain -- original client's ip
>     if ( my ($ip) = $r->headers_in->{'X-Forwarded-For'} =~ /([^,\s]+)$/ ) {
>         $r->connection->remote_ip($ip);
>         $r->log_error("Recorded client IP from X-Forwarded-For header: "
>             . $r->headers_in->{'X-Forwarded-For'} . " as IP: $ip");
>     }
>
>     return Apache::OK;
> }
>
> Everything is hunky dory. The back-end access_log has the client's IP
> address and the application sees the correct address as well.
>
> Here's the twist:
>
> To secure the back-end, direct access to the back-end is
> prohibited. The back-end config has the following directive to only allow
> proxied requests to come through:
>
> <Location />
> order deny,allow
> deny from all
> allow from localhost 127.0.0.1
> </Location>
>
> If I keep this directive in the back-end config, the client's original IP
> never makes it to the access_log. The application does however get the
> correct IP address.
>
> apache 2.0.47
> mod_perl 1.99_09
> perl 5.8.0
>
> Anyone else experienced the same? Needless to say, I would like to keep
> the site secure, as well as maintain the client's original IP in the
> logs.
>
> On second thought, this looks more and more like an apache issue.
> --
> Haroon Rafique
> <[EMAIL PROTECTED]>
>
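The trust rule behind the quoted handler (consult X-Forwarded-For only when the TCP peer is the local proxy, then take the last value in the chain) as an added, stand-alone example; this is not code from the thread or from mod_perl, and it goes one step further than the posted regex by walking the chain right-to-left past every address in an assumed set of trusted proxies, so that a chain of several of your own proxies still resolves to the real client. The proxy set and the sample header values are constructed for the example.

```python
import ipaddress

# Constructed: the proxies whose appended X-Forwarded-For entries we trust.
# In the thread's setup this is only the light front-end on localhost.
TRUSTED_PROXIES = {ipaddress.ip_address("127.0.0.1")}


def client_ip(remote_ip, xff_header, trusted=TRUSTED_PROXIES):
    """Return the address to record as the client, as a string.

    remote_ip  - the TCP peer address (what $r->connection->remote_ip holds)
    xff_header - the raw X-Forwarded-For header value, or "" if absent

    The header is only believed when the peer is one of our proxies; a client
    hitting the back-end directly can write anything it likes into it, so in
    that case the peer address itself is what goes into the logs.
    """
    peer = ipaddress.ip_address(remote_ip)
    if peer not in trusted or not xff_header:
        return str(peer)

    # Each proxy appends the address it saw, so the chain reads
    # "client, proxy1, proxy2, ...".  The rightmost entry not owned by us is
    # the nearest address we did not write ourselves: the best client guess.
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # "unknown", a hostname, or garbage: never let a non-address
            # into the log; fall back to the peer we actually talked to.
            return str(peer)
        if addr not in trusted:
            return str(addr)

    # Every hop was one of our own proxies: nothing better than the peer.
    return str(peer)
```

The page's single-proxy case is the first assertion; the remaining ones cover a direct hit on the back-end, a two-proxy chain, and a malformed entry.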