Re: [PATCH] tproxy2 patch to the apache 2.2.15

2010-08-03 Thread JeHo Park
Hello Daniel,
Thanks for your interest.

- Original Message - 
From: "Daniel Ruggeri" 
To: 
Sent: Wednesday, August 04, 2010 9:11 AM
Subject: Re: [PATCH] tproxy2 patch to the apache 2.2.15


> On 8/3/2010 9:57 AM, JeHo Park wrote:
>> Hello,
>> This is my first mail to apache dev, and I am a beginner with Apache. :-)
>> Anyway, I recently wrote a transparent proxy [tproxy2] patch for
>> httpd-2.2.15
>> because I needed a web proxy and needed to know the source address of
>> any client that tries to connect to my web server.
>> After that, I tested the performance of my patched tproxy with
>> AVALANCHE 2900. If anyone asks me for the performance results, I will send
>> them [the test result PDF is large].
>> *- here is the platform information this patch was applied to ---*
>> 1. OS
>> CentOS release 5.2 (Final)
>> 2. KERNEL
>> Linux version 2.6.18-194.el5-tproxy2 (r...@localhost.localdomain
>> )
>> (gcc version 4.1.2 20080704 (Red Hat 4.1.2-46))
>> #10 SMP Wed May 26 17:35:19 KST 2010
>> 3. iptables
>> iptables-1.3.8 + tproxy2 supporting patch
>> *-- here is the usage of tproxy2 patched httpd configuration ---*
>> httpd.conf
>> 
>> ProxyTproxy On # On/Off flag
>> ProxyTPifaddr 192.168.200.1 # IP address of bridge interface br0.
>> example) br0 = eth0 + eth1 
>> 
>> I attach the kernel tproxy2 patch for the kernel
>> above [2.6.18-194.el5-tproxy2], the httpd-2.2.15 tproxy2 patch, and the kernel
>> configuration for tproxy2.
>> Above all, I want to know whether my patch is available or not, and I want
>> feedback from anyone. :-)
> 
> JeHo;
> Hi, can you help me understand what the usage case is for this patch?

As far as I know, there are other modules for IP transparency, for example
tproxy4 and X-Forwarded-For, etc., but tproxy4 is only available from kernel
version 2.6.24 and above.
X-Forwarded-For makes the L3, L4 security box unavailable,
because the main function of X-Forwarded-For is to let the web server know
the client IP address.
We can't be sure whether there are other security boxes [L3, L4 firewalls]
between the proxy and the web server; in that case, X-Forwarded-For makes the
security box unavailable.

> What service or capability does it provide that is not currently available?
I just tested the patch in my local network. It worked correctly, and I did a
performance test with the Avalanche.
But I didn't test it in the field or in various network environments, so I hope
many people will use and test this patch.



> --
> Daniel Ruggeri
>

Re: [PATCH] tproxy2 patch to the apache 2.2.15

2010-08-03 Thread Graham Dumpleton
2010/8/4 Daniel Ruggeri :
> On 8/3/2010 9:57 AM, JeHo Park wrote:
>> Hello,
>> This is my first mail to apache dev, and I am a beginner with Apache. :-)
>> Anyway, I recently wrote a transparent proxy [tproxy2] patch for
>> httpd-2.2.15
>> because I needed a web proxy and needed to know the source address of
>> any client that tries to connect to my web server.
>> After that, I tested the performance of my patched tproxy with
>> AVALANCHE 2900. If anyone asks me for the performance results, I will send
>> them [the test result PDF is large].
>> *- here is the platform information this patch was applied to ---*
>> 1. OS
>> CentOS release 5.2 (Final)
>> 2. KERNEL
>> Linux version 2.6.18-194.el5-tproxy2 (r...@localhost.localdomain
>> )
>> (gcc version 4.1.2 20080704 (Red Hat 4.1.2-46))
>> #10 SMP Wed May 26 17:35:19 KST 2010
>> 3. iptables
>> iptables-1.3.8 + tproxy2 supporting patch
>> *-- here is the usage of tproxy2 patched httpd configuration ---*
>> httpd.conf
>> 
>> ProxyTproxy On # On/Off flag
>> ProxyTPifaddr 192.168.200.1 # IP address of bridge interface br0.
>> example) br0 = eth0 + eth1 
>> 
>> I attach the kernel tproxy2 patch for the kernel
>> above [2.6.18-194.el5-tproxy2], the httpd-2.2.15 tproxy2 patch, and the kernel
>> configuration for tproxy2.
>> Above all, I want to know whether my patch is available or not, and I want
>> feedback from anyone. :-)
>
> JeHo;
> Hi, can you help me understand what the usage case is for this patch?
> What service or capability does it provide that is not currently available?

In particular, how is X-Forwarded-For not going to provide the
information required?

http://en.wikipedia.org/wiki/X-Forwarded-For

Graham


Re: [PATCH] tproxy2 patch to the apache 2.2.15

2010-08-03 Thread Daniel Ruggeri
On 8/3/2010 9:57 AM, JeHo Park wrote:
> Hello,
> This is my first mail to apache dev, and I am a beginner with Apache. :-)
> Anyway, I recently wrote a transparent proxy [tproxy2] patch for
> httpd-2.2.15
> because I needed a web proxy and needed to know the source address of
> any client that tries to connect to my web server.
> After that, I tested the performance of my patched tproxy with
> AVALANCHE 2900. If anyone asks me for the performance results, I will send
> them [the test result PDF is large].
> *- here is the platform information this patch was applied to ---*
> 1. OS
> CentOS release 5.2 (Final)
> 2. KERNEL
> Linux version 2.6.18-194.el5-tproxy2 (r...@localhost.localdomain
> )
> (gcc version 4.1.2 20080704 (Red Hat 4.1.2-46))
> #10 SMP Wed May 26 17:35:19 KST 2010
> 3. iptables
> iptables-1.3.8 + tproxy2 supporting patch
> *-- here is the usage of tproxy2 patched httpd configuration ---*
> httpd.conf
> 
> ProxyTproxy On # On/Off flag
> ProxyTPifaddr 192.168.200.1 # IP address of bridge interface br0.
> example) br0 = eth0 + eth1 
> 
> I attach the kernel tproxy2 patch for the kernel
> above [2.6.18-194.el5-tproxy2], the httpd-2.2.15 tproxy2 patch, and the kernel
> configuration for tproxy2.
> Above all, I want to know whether my patch is available or not, and I want
> feedback from anyone. :-)

JeHo;
Hi, can you help me understand what the usage case is for this patch?
What service or capability does it provide that is not currently available?
--
Daniel Ruggeri



Failing startup for vhost configuration problems

2010-08-03 Thread Dan Poirier
I'd like to propose that in 2.3/2.4, we fail startup for any of the
virtual host misconfigurations for which behavior is undefined but right
now we only issue a warning.

E.g. no VirtualHosts matching a NameVirtualHost, overlapping
VirtualHosts, use of _default_ in NameVirtualHost, mixing * and non-*
ports in name-based virtual hosts.

The rationale is that these configurations are unsupported, the behavior
is undefined, and presumably they are the result of errors, so better to
make sure the admin corrects the error than to continue and probably not
behave as the admin expects.  

A new major version seems like a good time for a change like this.

Thoughts?

Dan
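
An added illustration, not part of the message above and not httpd code: a pre-deployment lint in Python that treats the four misconfigurations listed in the proposal as hard failures instead of warnings. It uses a simplified string-matching model of `address[:port]` arguments; the sample config, function names and finding codes are constructed for this example.

```python
import re
# Constructed sample config (not from the thread); documentation-range addresses.
SAMPLE_CONF = """\
NameVirtualHost 192.0.2.10:80
NameVirtualHost _default_:8080
NameVirtualHost *
<VirtualHost *:80>
    ServerName a.example
</VirtualHost>
<VirtualHost 192.0.2.20:443>
    ServerName b.example
</VirtualHost>
<VirtualHost 192.0.2.20:443>
    ServerName c.example
</VirtualHost>
"""

def split_port(addr):
    """Return (host, port); port is '*' when no explicit port is given."""
    host, sep, port = addr.rpartition(":")
    if sep and (port.isdigit() or port == "*"):
        return host, port
    return addr, "*"  # bare address, e.g. '*' or a bracketed IPv6 literal

def lint_vhosts(conf):
    """Return sorted (code, address) findings for the four listed cases."""
    nvh = re.findall(r"^\s*NameVirtualHost\s+(\S+)", conf, re.M | re.I)
    blocks = re.findall(r"^\s*<VirtualHost\s+([^>]+)>", conf, re.M | re.I)
    vhosts = [a for args in blocks for a in args.split()]
    findings = set()
    for n in nvh:
        if n.lower().startswith("_default_"):
            findings.add(("default-in-namevirtualhost", n))
        if n not in vhosts:  # no <VirtualHost> uses this exact address
            findings.add(("namevirtualhost-without-vhost", n))
    for v in set(vhosts):
        # Same address on several vhosts without a NameVirtualHost for it.
        if vhosts.count(v) > 1 and v not in nvh:
            findings.add(("overlapping-virtualhosts", v))
        host, port = split_port(v)
        for n_host, n_port in map(split_port, nvh):
            if n_host == host and (n_port == "*") != (port == "*"):
                findings.add(("mixed-star-and-explicit-port", v))
    return sorted(findings)

if __name__ == "__main__":
    problems = lint_vhosts(SAMPLE_CONF)
    # Non-empty findings print to stderr and exit non-zero, like a failed startup.
    raise SystemExit("\n".join(f"{c}: {a}" for c, a in problems) or 0)
```

Run as a script, it exits non-zero on any finding, so it can gate a deployment the way the proposed startup failure would gate the server.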