Re: Shouldn't ap_get_remote_host use req->useragent_addr?
On Thu, Feb 11, 2016 at 10:14 AM, William A Rowe Jr wrote: > On Thu, Jan 7, 2016 at 9:06 AM, Eric Covener wrote: > >> On Thu, Jan 7, 2016 at 9:25 AM, Jan Kaluža wrote: >> > When httpd is running behind a reverse proxy and mod_remoteip is >> configured, >> > the correct client IP is logged (using %a in the LogFormat), but the >> proxy >> > IP is used by 'Require host .mydomain.net'. I would expect the host >> based on >> > IP provided by mod_remoteip to be used here. >> > >> > Is this expected behaviour? Maybe the ap_get_remote_host method should >> use >> > req->useragent_addr instead of conn->client_addr to obtain the >> REMOTE_HOST. >> >> what about "Require ip ..."? >> > > I agree that require host should track to the same entity as the require > ip, > which means the behavior right now is incorrect. > > There could be a Require conn-ip / conn-host that looks "around" the > request > based user agent down to the connection level user agent (proxy) address. > > But this mismatch is unnecessarily confusing, and what the original > remoteip > module was meant to avoid. > This is already tracked as https://bz.apache.org/bugzilla/show_bug.cgi?id=55348 - another side effect of the same issue.
Re: Shouldn't ap_get_remote_host use req->useragent_addr?
On Thu, Jan 7, 2016 at 9:06 AM, Eric Covener wrote: > On Thu, Jan 7, 2016 at 9:25 AM, Jan Kaluža wrote: > > When httpd is running behind a reverse proxy and mod_remoteip is > configured, > > the correct client IP is logged (using %a in the LogFormat), but the > proxy > > IP is used by 'Require host .mydomain.net'. I would expect the host > based on > > IP provided by mod_remoteip to be used here. > > > > Is this expected behaviour? Maybe the ap_get_remote_host method should > use > > req->useragent_addr instead of conn->client_addr to obtain the > REMOTE_HOST. > > what about "Require ip ..."? > I agree that require host should track to the same entity as the require ip, which means the behavior right now is incorrect. There could be a Require conn-ip / conn-host that looks "around" the request based user agent down to the connection level user agent (proxy) address. But this mismatch is unnecessarily confusing, and what the original remoteip module was meant to avoid.
Re: Shouldn't ap_get_remote_host use req->useragent_addr?
On 8 January 2016 06:23:15 GMT, "Jan Kaluža" wrote: >On 01/07/2016 04:06 PM, Eric Covener wrote: >> >>> Is this expected behaviour? Maybe the ap_get_remote_host method >should use >>> req->useragent_addr instead of conn->client_addr to obtain the >REMOTE_HOST. >> >> what about "Require ip ..."? “ip” is a minimal and doesn't explain much. How about, maybe: Require remote-ip-host 192.0.2.42/30? I'm assuming that this would succeed if the TCP peer is in the specified range OR if mod_remoteip makes a similar declaration. -- Tim Bannister – is...@c8h10n4o2.org.uk
Re: Shouldn't ap_get_remote_host use req->useragent_addr?
On 01/07/2016 04:06 PM, Eric Covener wrote: On Thu, Jan 7, 2016 at 9:25 AM, Jan Kaluža wrote: When httpd is running behind a reverse proxy and mod_remoteip is configured, the correct client IP is logged (using %a in the LogFormat), but the proxy IP is used by 'Require host .mydomain.net'. I would expect the host based on IP provided by mod_remoteip to be used here. Is this expected behaviour? Maybe the ap_get_remote_host method should use req->useragent_addr instead of conn->client_addr to obtain the REMOTE_HOST. what about "Require ip ..."? This would work, but we should clarify that in documentation then, because both "Require ip" and "Require host" use term "remote client" in their description, but for "Require ip", mod_remoteip is respected, while for "Require host", the mod_remoteip is not respected. I think this is really confusing. Regards, Jan Kaluza
Shouldn't ap_get_remote_host use req->useragent_addr?
Hi, When httpd is running behind a reverse proxy and mod_remoteip is configured, the correct client IP is logged (using %a in the LogFormat), but the proxy IP is used by 'Require host .mydomain.net'. I would expect the host based on IP provided by mod_remoteip to be used here. Is this expected behaviour? Maybe the ap_get_remote_host method should use req->useragent_addr instead of conn->client_addr to obtain the REMOTE_HOST. Or we could introduce new env variable and new auth_provider to work with real remote_host of the client even when it is behind the proxy. Regards, Jan Kaluza
