Bug report for Apache httpd-2 [2017/02/05]

2017-02-04 Thread bugzilla
Columns: Bugzilla Bug ID | Status | Severity | Date Posted | Description
Status:   UNC=Unconfirmed NEW=New ASS=Assigned OPN=Reopened VER=Verified (Skipped Closed/Resolved)
Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major MIN=Minor NOR=Normal ENH=Enhancement TRV=Trivial
| 8713|Inf|Min|2002-05-01|No Errorlog on PROPFIND/Depth:Infinity|
| 8867|Opn|Cri|2002-05-07|exports.c generation fails when using a symlink to|
|10747|New|Maj|2002-07-12|ftp SIZE command and 'smart' ftp servers results i|
|11294|New|Enh|2002-07-30|desired vhost_alias option|
|11580|Opn|Enh|2002-08-09|generate Content-Location headers |
|12033|Opn|Nor|2002-08-26|Graceful restart immediately result in [warn] long|
|13599|Inf|Nor|2002-10-14|autoindex formating broken for multibyte sequences|
|13661|Ass|Enh|2002-10-15|Apache cannot not handle dynamic IP reallocation  |
|14104|Opn|Enh|2002-10-30|not documented: must restart server to load new CR|
|14496|New|Enh|2002-11-13|Cannot upgrade any version on Windows. Must uninst|
|14922|Inf|Enh|2002-11-28| is currently hardcoded to 'apache2'  |
|15719|Inf|Nor|2002-12-30|WebDAV MOVE to destination URI which is content-ne|
|16761|Inf|Nor|2003-02-04|CustomLog with pipe spawns process during config  |
|16811|Ass|Maj|2003-02-05|mod_autoindex always return webpages in UTF-8.|
|17107|New|Min|2003-02-16|Windows should not install printenv   |
|17114|New|Enh|2003-02-17|Please add strip and install-strip targets to Make|
|17244|Ass|Nor|2003-02-20|./configure --help gives false information regardi|
|17497|Opn|Nor|2003-02-27|mod_mime_magic generates incorrect response header|
|18325|New|Enh|2003-03-25|PAM support for suEXEC|
|18334|Inf|Cri|2003-03-25|Server crashes when authenticating users against L|
|19670|New|Enh|2003-05-05|content type header supplied upon PUT is thrown aw|
|20036|Ass|Nor|2003-05-19|Trailing Dots stripped from PATH_INFO environment |
|21260|New|Nor|2003-07-02|CacheMaxExpire directive not enforced !   |
|21533|Ass|Cri|2003-07-11|Multiple levels of htacces files can cause mod_aut|
|22484|Opn|Maj|2003-08-16|semaphore problem takes httpd down|
|22686|Opn|Nor|2003-08-25|ab: apr_poll: The timeout specified has expired (7|
|22898|Opn|Nor|2003-09-02|nph scripts with two HTTP header  |
|23167|Inf|Cri|2003-09-14|--enable-layout never goes to apr apr-util|
|23181|New|Nor|2003-09-15|Status 304 (Not modified) and chunking leads to an|
|23238|New|Cri|2003-09-18|non-async-signal-safe operations from signal handl|
|23330|New|Enh|2003-09-22|Enhance ApacheMonitor to view and control Tomcat s|
|23911|Opn|Cri|2003-10-18|CGI processes left defunct/zombie under 2.0.54|
|24031|New|Enh|2003-10-23|Passphrase protected private key in SSLProxyMachin|
|24095|Opn|Cri|2003-10-24|ERROR "Parent: child process exited with status 32|
|24437|Opn|Nor|2003-11-05|mod_auth_ldap doubly-escapes backslash (\) charact|
|24890|Opn|Nor|2003-11-21|Apache config parser should not be local aware ( g|
|25014|New|Enh|2003-11-26|A flexible interface for mod_log_config   |
|25201|New|Enh|2003-12-04|Provide Cache Purge operation |
|25240|Inf|Enh|2003-12-05|SSL Library Error: 336105671 logged as information|
|25435|New|Enh|2003-12-11|sethandler and directoryindex not playing nice|
|25469|Opn|Enh|2003-12-12|create AuthRoot for defining paths to auth files  |
|25484|Ass|Nor|2003-12-12|Non-service Apache cannot be stopped in WinXP |
|25543|Inf|Nor|2003-12-15|mod_proxy_ajp overwrites existing response headers|
|25667|New|Nor|2003-12-19|Memory leak in function ssl_scache_dbm_retrieve().|
|25863|New|Enh|2004-01-02|new per-host initialization hooks |
|26005|New|Nor|2004-01-08|SERVER_NAME incorrect when using IPv6 address in U|
|26142|New|Maj|2004-01-14|EnableSendFile Off for Windows XP Home|
|26153|Opn|Cri|2004-01-15|Apache cygwin directory traversal vulnerability   |
|26368|New|Min|2004-01-23|File extensions in AddDescription treated as part |
|26446|New|Nor|2004-01-26|flush buckets followed by eos bucket emit multiple|
|26478|New|Enh|2004-01-28|mod_dav does not expose a method for setting the D|

Re: svn commit: r1776575 - in /httpd/httpd/trunk: docs/log-message-tags/next-number docs/manual/mod/mod_remoteip.xml modules/metadata/mod_remoteip.c

2017-02-04 Thread Daniel Ruggeri
I'm not sure if my mail client mangled the message or my email provider
did, but I couldn't read this except from lists.a.o so my reply may
appear as a new thread in your email client if it's following thread IDs.


Christophe JAILLET wrote:
> First of all, http://blog.haproxy.com/haproxy/proxy-protocol/ lists 
> another module implementation for Apache:
> https://github.com/ggrandes/apache24-modules/blob/master/mod_myfixip.c
>
> If anyone wants to give it a look.
>
>
>
> Anyway, a few minor comments below.
>
> CJ
>
>
> On 30/12/2016 at 15:20, drugg...@apache.org wrote:
>> Author: druggeri
>> Date: Fri Dec 30 14:20:48 2016
>> New Revision: 1776575
>>
>> URL:http://svn.apache.org/viewvc?rev=1776575=rev
>> Log:
>> Merge new PROXY protocol code into mod_remoteip
>>
>> Modified:
>>  httpd/httpd/trunk/docs/log-message-tags/next-number
>>  httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml
>>  httpd/httpd/trunk/modules/metadata/mod_remoteip.c
>>
>> Modified: httpd/httpd/trunk/docs/log-message-tags/next-number
>> URL:http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/log-message-tags/next-number?rev=1776575=1776574=1776575=diff
>> ==
>> --- httpd/httpd/trunk/docs/log-message-tags/next-number (original)
>> +++ httpd/httpd/trunk/docs/log-message-tags/next-number Fri Dec 30 14:20:48 
>> 2016
>> @@ -1 +1 @@
>> -3491
>> +3514
>>
>> Modified: httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml
>> URL:http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml?rev=1776575=1776574=1776575=diff
>> ==
>> --- httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml (original)
>> +++ httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml Fri Dec 30 14:20:48 
>> 2016
>> @@ -42,6 +42,12 @@ via the request headers.
>>   with the useragent IP address reported in the request header configured
>>   with the RemoteIPHeader 
>> directive.
>>   
>> +Additionally, this module implements the server side of
>> +HAProxy's
>> +http://blog.haproxy.com/haproxy/proxy-protocol/;>Proxy 
>> Protocol when
>> +using the > module="mod_remoteip">RemoteIPProxyProtocolEnable
>> +directive.
>> +
>>   Once replaced as instructed, this overridden useragent IP address is
>>   then used for the mod_authz_host
>>   Require 
>> ip
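Review bot: the added paragraph names the directive RemoteIPProxyProtocolEnable, but the directive section added further down in this same file is headed RemoteIPProxyProtocol; use one name in both places so the cross-reference resolves. The link in this paragraph also points at the haproxy blog post while the See also entry added in the next hunk points at proxy-protocol.txt; linking the spec in both places would be more durable.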
>> @@ -59,6 +65,7 @@ via the request headers.
>>   mod_authz_host
>>   mod_status
>>   mod_log_config
>> +> href="http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt;>Proxy 
>> Protocol Spec
>>   
>>   Remote IP Processing
>>   
>> @@ -214,6 +221,70 @@ RemoteIPProxiesHeader X-Forwarded-By
>>   
>>   
>>   
>> +
>> +RemoteIPProxyProtocol
> s/RemoteIPProxyProtocol/RemoteIPProxyProtocolEnable/

Right - this was addressed in a subsequent commit after discussing the
name. It's now RemoteIPProxyProtocol


>
>> +Enable, optionally enable or disable the proxy protocol 
>> handling
>> +ProxyProtocol On|Optional|Off
>> +server configvirtual host
>> +
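Review bot: the syntax line reads "ProxyProtocol On|Optional|Off", without the RemoteIP prefix that the directive name above it carries, so a configuration line copied from the syntax would not match the directive; make it "RemoteIPProxyProtocol On|Optional|Off". The description "Enable, optionally enable or disable" would also be clearer if it said what Optional means for a connection that arrives without a header.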
> Compatibility note missing.

Added - thanks!


>
>> 
>>
>> Modified: httpd/httpd/trunk/modules/metadata/mod_remoteip.c
>> URL:http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/metadata/mod_remoteip.c?rev=1776575=1776574=1776575=diff
>> ==
>> --- httpd/httpd/trunk/modules/metadata/mod_remoteip.c (original)
>> +++ httpd/httpd/trunk/modules/metadata/mod_remoteip.c Fri Dec 30 14:20:48 
>> 2016
>> @@ -12,15 +12,20 @@
>>* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
>>* See the License for the specific language governing permissions and
>>* limitations under the License.
>> + *
>> + * The majority of the input filter code for PROXY protocol support is
>> + * Copyright 2014 Cloudzilla Inc.
>>*/
>>   
>>   #include "ap_config.h"
>>   #include "ap_mmn.h"
>> +#include "ap_listen.h"
>>   #include "httpd.h"
>>   #include "http_config.h"
>>   #include "http_connection.h"
>>   #include "http_protocol.h"
>>   #include "http_log.h"
>> +#include "http_main.h"
>>   #include "apr_strings.h"
>>   #include "apr_lib.h"
>>   #define APR_WANT_BYTEFUNC
>> @@ -36,6 +41,12 @@ typedef struct {
>>   void  *internal;
>>   } remoteip_proxymatch_t;
>>   
>> +typedef struct remoteip_addr_info {
>> +struct remoteip_addr_info *next;
>> +apr_sockaddr_t *addr;
>> +server_rec *source;
>> +} remoteip_addr_info;
>> +
>>   typedef struct {
>>   /** The header to retrieve a proxy-via IP list */
>>   const char *header_name;
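Review bot: remoteip_addr_info is added with no comments on its members, while the config struct right below it documents each field with a /** ... */ comment; say what addr and source hold (in particular which server_rec source refers to) so readers of the code that walks this list do not have to infer it.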
>> @@ -48,6 +59,17 @@ typedef struct {
>>*  with the most commonly encountered listed first
>>*/
>>   apr_array_header_t *proxymatch_ip;
>> +
>> +remoteip_addr_info *proxy_protocol_enabled;
>> +remoteip_addr_info *proxy_protocol_optional;
>> +remoteip_addr_info *proxy_protocol_disabled;
>> +
>> +/** A flag 
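Review bot: proxy_protocol_enabled, proxy_protocol_optional and proxy_protocol_disabled are three separate lists of the same node type, and nothing in the struct keeps one address from ending up on more than one of them; add a comment stating which list takes precedence, or keep a single list with a per-node mode field so the state of an address is unambiguous. The three new members also lack the /** ... */ comments the neighbouring fields have.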

Re: AW: svn commit: r1776575 - in /httpd/httpd/trunk: docs/log-message-tags/next-number docs/manual/mod/mod_remoteip.xml modules/metadata/mod_remoteip.c

2017-02-04 Thread Daniel Ruggeri

On 1/30/2017 4:45 AM, Ruediger Pluem wrote:
> Thinking of all the above it might be best if you read in mode 
> AP_MODE_SPECULATIVE on your own from upstream until
> you have MIN_HDR_LEN data. If the PROXY header is present, read MIN_HDR_LEN 
> in AP_MODE_READBYTES to finally consume the
> data and move on. If the PROXY header is not present, well then just forward 
> the original request and you are fine.
> This way you leave all the hassle to the upstream filters.

Yes, definitely. I was contemplating the same thing given the
permutations of modes it may be called in and the various cases to deal
with. That's the approach I've taken in the latest commit because the
hassle is definitely best left to upstream :-)

At a high level, it no longer stores the data to pass along. When
optional processing is enabled, the filter starts in speculative read
mode. Once MIN_HDR_LEN is read and we know if a header is there or not
we can discard ctx->bb, reinitialize ctx and move to READBYTES mode.

-- 
Daniel Ruggeri
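
The peek-then-consume decision discussed in this exchange, as an added example that is not code from the thread or from mod_remoteip. It is narrowed to the PROXY v2 binary signature; the byte queue standing in for the upstream filters, the names peek and detect_proxy_v2, the value 16 for MIN_HDR_LEN and the sample bytes are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>
#define MIN_HDR_LEN 16  /* assumption: fixed part of a PROXY v2 header */
enum hdr_state { HDR_NEED_MORE, HDR_ABSENT, HDR_PRESENT };

/* Hypothetical stand-in for the upstream filters: a byte queue. */
struct upstream { const unsigned char *buf; size_t len, pos; };
static const unsigned char V2_SIG[12] =   /* PROXY v2 signature */
    { 0x0D,0x0A,0x0D,0x0A,0x00,0x0D,0x0A,0x51,0x55,0x49,0x54,0x0A };

/* Speculative read: copy up to n bytes, consume nothing. */
static size_t peek(const struct upstream *u, unsigned char *out, size_t n)
{
    size_t avail = u->len - u->pos;
    if (n > avail) n = avail;
    memcpy(out, u->buf + u->pos, n);
    return n;
}

/* Optional-mode decision; on HDR_PRESENT, *addr_len is the length of the
 * address block that follows the 16 fixed bytes. */
enum hdr_state detect_proxy_v2(struct upstream *u, size_t *addr_len)
{
    unsigned char probe[MIN_HDR_LEN];
    if (peek(u, probe, sizeof probe) < MIN_HDR_LEN)
        return HDR_NEED_MORE;          /* undecided, stream untouched */
    if (memcmp(probe, V2_SIG, sizeof V2_SIG) != 0)
        return HDR_ABSENT;             /* plain request, stream untouched */
    u->pos += MIN_HDR_LEN;             /* confirmed: the consuming read */
    *addr_len = ((size_t)probe[14] << 8) | probe[15];
    return HDR_PRESENT;
}

/* Constructed samples: a v2 header (PROXY, TCP4) plus request, and a bare request. */
static const unsigned char SAMPLE_V2[] =
    "\x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A\x21\x11\x00\x0C"
    "\xC0\x00\x02\x01\xC0\x00\x02\x02\x30\x39\x00\x50GET / HTTP/1.1\r\n";
static const unsigned char SAMPLE_HTTP[] = "GET /index.html HTTP/1.1\r\n";

int main(void)
{
    struct upstream a = { SAMPLE_V2, sizeof SAMPLE_V2 - 1, 0 };
    struct upstream b = { SAMPLE_HTTP, sizeof SAMPLE_HTTP - 1, 0 };
    size_t n = 0;
    enum hdr_state st = detect_proxy_v2(&a, &n);
    printf("v2:   state=%d consumed=%zu addr_len=%zu\n", (int)st, a.pos, n);
    st = detect_proxy_v2(&b, &n);
    printf("http: state=%d consumed=%zu\n", (int)st, b.pos);
    return 0;
}
```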