Re: [users@httpd] RemoteIPProxyProtocolExceptions with negated IP list
On Fri, May 08, 2020 at 03:15:23PM +0200, Antony Stone wrote:
> On Friday 08 May 2020 at 15:00:07, Marc Haber wrote:
> > On Fri, May 08, 2020 at 02:01:03PM +0200, Antony Stone wrote:
> > > On Friday 08 May 2020 at 13:16:28, Marc Haber wrote:
> > > > I have a vhost in a https-only IPv6-only setup and would like to make
> > > > the web site hosted there reachable from the IPv4 Internet.
> > >
> > > Is the vhost capable of dealing with IPv4 queries if you can only manage
> > > to get them to the machine?
> >
> > Yes, but I'd prefer having the setup IPv6 only. I only build IPv4 if
> > absolutely necessary.
>
> To be honest I would have thought that "talking to a very large part of the
> current Internet" is reasonably necessary :)

I would do it differently in an infrastructure project, but this is my
personal blog, somewhere between "engineering study" and "production". And
I know of at least one ISP who has built the datacenter in a quite similar
way.

Being reachable from the IPv4 internet is very well done with sniproxy, it's
just apache making this unnecessarily complicated by offering two methods
from the same module with the exception list backwards in one of those two.
I was hoping that somebody would explain _why_ the haproxy protocol is
implemented so differently from the http header method in the very same
module, and maybe I have missed something in the docs.

> Dual-stack I can quite understand, but attempting IPv6-only seems a bit too
> far ahead of the game for my liking.
>
> > I'd rather take the approach of having a dedicated apache listener for
> > the proxied requests than building more IPv4.
>
> Okay, I just thought I'd offer an alternative possible solution.

The least evil solution seems to look different for different people,
although a solution inside apache would actually help the most.

Greetings
Marc

-- 
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt  | Fax: *49 6224 1600421

To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] RemoteIPProxyProtocolExceptions with negated IP list
On Friday 08 May 2020 at 15:00:07, Marc Haber wrote:
> On Fri, May 08, 2020 at 02:01:03PM +0200, Antony Stone wrote:
> > On Friday 08 May 2020 at 13:16:28, Marc Haber wrote:
> > > I have a vhost in a https-only IPv6-only setup and would like to make
> > > the web site hosted there reachable from the IPv4 Internet.
> >
> > Is the vhost capable of dealing with IPv4 queries if you can only manage
> > to get them to the machine?
>
> Yes, but I'd prefer having the setup IPv6 only. I only build IPv4 if
> absolutely necessary.

To be honest I would have thought that "talking to a very large part of the
current Internet" is reasonably necessary :)

Dual-stack I can quite understand, but attempting IPv6-only seems a bit too
far ahead of the game for my liking.

> I'd rather take the approach of having a dedicated apache listener for
> the proxied requests than building more IPv4.

Okay, I just thought I'd offer an alternative possible solution.

Regards,

Antony.

-- 
Ramdisk is not an installation procedure.

Please reply to the list; please *don't* CC me.
Re: [users@httpd] RemoteIPProxyProtocolExceptions with negated IP list
On Fri, May 08, 2020 at 02:01:03PM +0200, Antony Stone wrote:
> On Friday 08 May 2020 at 13:16:28, Marc Haber wrote:
> > I have a vhost in a https-only IPv6-only setup and would like to make
> > the web site hosted there reachable from the IPv4 Internet.
>
> Is the vhost capable of dealing with IPv4 queries if you can only manage to
> get them to the machine?

Yes, but I'd prefer having the setup IPv6 only. I only build IPv4 if
absolutely necessary.

I'd rather take the approach of having a dedicated apache listener for
the proxied requests than building more IPv4.

Greetings
Marc
Re: [users@httpd] RemoteIPProxyProtocolExceptions with negated IP list
On Friday 08 May 2020 at 13:16:28, Marc Haber wrote:
> Hi,
>
> I have a vhost in a https-only IPv6-only setup and would like to make
> the web site hosted there reachable from the IPv4 Internet.

Is the vhost capable of dealing with IPv4 queries if you can only manage to
get them to the machine?

> On a dual-homed host, I have sniproxy that forwards requests coming in via
> IPv4 over IPv6 depending on the SNI header. The web server is directly
> reachable from the IPv6 Internet without proxy.

How about a completely different approach - set up a VPN connection between
your dual-homed host and the IPv6-only web server, to tunnel IPv4 requests
and responses over an IPv6 link?

Then you publish the real IPv6 address of the server as your DNS address,
and the IPv4 address of the dual-homed host as the A address. The dual-homed
host tunnels all requests (source and destination still both IPv4) to the
vhost, and it routes all IPv4 traffic back across the VPN.

No need for HTTPS interception etc.; you're just tunneling all requests
directly to the machine which has the certificate on it.

Antony.

-- 
How many Prolog programmers does it take to change a lightbulb?

No.

Please reply to the list; please *don't* CC me.
[users@httpd] RemoteIPProxyProtocolExceptions with negated IP list
Hi,

I have a vhost in a https-only IPv6-only setup and would like to make
the web site hosted there reachable from the IPv4 Internet.

On a dual-homed host, I have sniproxy that forwards requests coming in via
IPv4 over IPv6 depending on the SNI header. The web server is directly
reachable from the IPv6 Internet without proxy.

sniproxy can utilize the haproxy proxy protocol to forward the IPv4 address
of the requesting client to the webserver. With the RemoteIPProxyProtocol
directive of mod_remoteip, apache can make sense of that. So far so good.

With this option set, apache expects the proxy protocol on all connections
for the listener in question, making it unsuitable for direct client
connections. There is RemoteIPProxyProtocolExceptions, which specifies IP
addresses from where the proxy protocol is not required. In the situation in
question, I'd need "require proxy protocol from the IP address of the proxy
ONLY". If I set like 2000::/3 as Exceptions, the entire Internet could send
me a wrong IP address.

This logic is completely backwards compared to the other mechanism for
X-Forwarded-For headers using RemoteIPInternalProxy, where I need to put in
a list of IP addresses that are allowed to send a client IP address.
Confusing.

Is it possible to have a negated IP address list in
RemoteIPProxyProtocolExceptions?

I think that I cannot use SetEnvIf at this point because the ProxyProtocol
processing happens way before any http processing begins.

I would like to avoid defining a dedicated listener for the sniproxy
mechanism.

Any ideas?

Greetings
Marc
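The dedicated-listener variant that the thread ends up with, written out as an added configuration example (not from the original post, and not taken from the httpd project's documentation). It assumes httpd 2.4.31 or later with mod_remoteip, the web server on 2001:db8::10, the dual-homed sniproxy host on 2001:db8::1 (both documentation prefixes), port 8443 for the proxied connections and the hostname blog.example.net; all of these are placeholders. mod_remoteip switches PROXY protocol handling per address:port, shared by every name-based vhost on that address:port, which is why the public port and the proxy-facing port are separated here instead of trying to express "PROXY header from the proxy only" with an exception list:

```apache
# Added example, not from the thread or the httpd docs. Addresses and
# hostname are placeholders (RFC 3849 / RFC 2606 documentation values).
# Needs mod_remoteip from httpd 2.4.31 or later.

LoadModule remoteip_module modules/mod_remoteip.so

# Public listener: plain TLS from IPv6 clients, no PROXY header involved.
Listen [2001:db8::10]:443
# Proxy-facing listener: only sniproxy on 2001:db8::1 should reach this port.
Listen [2001:db8::10]:8443

# Log both the client address as mod_remoteip sees it (%a) and the real
# TCP peer of the connection (%{c}a), so a rewritten address is always
# visible next to the host that supplied it.
LogFormat "%a %{c}a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" remoteip

# --- Weak variant, kept only for contrast (commented out) ---
# Enabling the PROXY protocol on the public port and exempting the whole
# IPv6 Internet does not give "PROXY header from 2001:db8::1 only":
# RemoteIPProxyProtocolExceptions can only name sources that are not
# required to send the header, it cannot restrict who may send one.
#
# <VirtualHost [2001:db8::10]:443>
#     RemoteIPProxyProtocol On
#     RemoteIPProxyProtocolExceptions 2000::/3
# </VirtualHost>

# --- Dedicated-listener variant ---
<VirtualHost [2001:db8::10]:443>
    ServerName blog.example.net
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/blog.example.net.pem
    SSLCertificateKeyFile /etc/ssl/private/blog.example.net.key
    # Direct IPv6 clients: the TCP peer is the client, no rewriting.
    RemoteIPProxyProtocol Off
    DocumentRoot /srv/www/blog
    CustomLog logs/blog_access.log remoteip
</VirtualHost>

<VirtualHost [2001:db8::10]:8443>
    ServerName blog.example.net
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/blog.example.net.pem
    SSLCertificateKeyFile /etc/ssl/private/blog.example.net.key
    # Every connection on this port must begin with a PROXY header; a
    # connection without one is dropped. No exception list, so there is
    # no source from which an unprefixed connection is accepted here.
    RemoteIPProxyProtocol On
    DocumentRoot /srv/www/blog
    CustomLog logs/blog_access.log remoteip
</VirtualHost>
```

Whoever can open a TCP connection to [2001:db8::10]:8443 can put any client address into the PROXY header, so the port is only as trustworthy as its reachability: restrict it in the host firewall to 2001:db8::1 (or bind it to an address that only the proxy host can route to), and point sniproxy's forwarding target at port 8443 rather than 443. After `apachectl -t` and a reload, the two columns of the access log give the check: on the 443 vhost both addresses are the IPv6 client, on the 8443 vhost the first column is the IPv4 address carried in the header and the second is always 2001:db8::1. Any line where the second column is something else means the port is reachable from where it should not be.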