On 11/06/2014 at 20:47, Walzer, Jeffrey R wrote:
Does the Apache reverse proxy server forward traffic, or initiate a new
connection on behalf of the external client? We have enabled the reverse
proxy via mod_security proxypass, but I’d like to know if traffic is
forwarded or a protocol break occurs and the DMZ host initiates a new
connection to the internal app server with a different payload.

Hello Jeffrey,

The answer to your question is simple: Apache, used as a reverse proxy, either with or without mod_security, does *not* preserve connectivity at transport level. It's clearly not a router. So there is clearly a protocol break at this level and there are 2 distinct TCP sessions, one taking place between the client (and initiated by it) and your reverse proxy, and the other between your reverse proxy (and initiated by it) and the real server.

Apache does everything at application level, and this is quite logical as, not only does it proxy connections, but it usually also has to filter or modify application level info, such as headers and so on (see below for one example of HTTP header addition).

One of the (potentially nasty) consequences, which is perhaps the reason behind your question, is that if your real server is configured with the standard "LogFormat" lines, it will *not* log the real IP, which can make things difficult to debug or investigate.

One solution (but there are others) is then to modify the LogFormat line on the real server to use the "X-Forwarded-For" HTTP header added by your RP, which contains the client's original IP. This is done quite simply by substituting the "%h" token with "%{X-Forwarded-For}i" (or by adding it if you have several RPs and want to know which one has been used to forward the request). If you choose to keep both, you might have to consequently adapt your log analysis and stats software, though.

Best regards,

Bruno

--
- Service Hydrographique et Oceanographique de la Marine  -  DMGS/INF
-  13, rue du Chatellier -  CS 92803  - 29228 Brest Cedex 2, FRANCE
-     Phone: +33 2 98 22 17 49  -  Email: bruno.tregu...@shom.fr
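The logging change described in the reply above has a caveat worth showing in code: X-Forwarded-For is a plain request header, so anything that reaches the real server without passing through your own reverse proxy can carry an arbitrary value in it. The script below is an added example (not from the original thread, and not Apache's own code): it assumes the real server logs with a LogFormat that keeps both "%h" and a quoted "%{X-Forwarded-For}i", parses such lines, and only believes the header when the direct peer (%h) is one of your reverse proxies. The proxy address range and the log lines are constructed for the example.

```python
import ipaddress
import re

# Assumed LogFormat on the internal (real) server, as it would appear inside
# the quotes of the LogFormat directive. The header is quoted because it may
# hold a comma-separated chain when several proxies are involved, and %h is
# kept so the direct peer (normally the reverse proxy) is still recorded.
LOG_FORMAT = r'\"%{X-Forwarded-For}i\" %h %l %u %t \"%r\" %>s %b'

# Hypothetical address range of the reverse proxies in the DMZ.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]

LINE_RE = re.compile(
    r'^"(?P<xff>[^"]*)" (?P<peer>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)


def is_trusted(addr):
    """True if addr parses as an IP inside one of our proxy networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(line):
    """Return (client_ip, via_proxy) for one access-log line.

    via_proxy is True only when the address came from a trusted
    X-Forwarded-For header; otherwise the direct peer is reported.
    """
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("line does not match LOG_FORMAT")
    peer = m.group("peer")
    xff = m.group("xff")
    # A header that did not arrive from our own reverse proxy is untrusted,
    # and "-" is what Apache logs when the header is absent.
    if not is_trusted(peer) or xff in ("", "-"):
        return peer, False
    hops = [h.strip() for h in xff.split(",")]
    # Walk right to left: the rightmost entry was appended by the proxy
    # nearest to us; skip our own proxies until the first outside address.
    for hop in reversed(hops):
        if is_trusted(hop):
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # garbage in the chain: do not report it as a client
        return hop, True
    # Chain held only our proxies or unparseable data: fall back to the peer.
    return peer, False


# Constructed sample lines in the assumed LogFormat.
SAMPLE_LINES = [
    '"203.0.113.5" 10.0.0.7 - - [11/Jun/2014:20:47:00 +0200] '
    '"GET /app/ HTTP/1.1" 200 512',
    '"198.51.100.9, 10.0.0.8" 10.0.0.7 - - [11/Jun/2014:20:47:01 +0200] '
    '"POST /app/login HTTP/1.1" 302 0',
    '"1.2.3.4" 192.0.2.44 - - [11/Jun/2014:20:47:02 +0200] '
    '"GET /app/admin HTTP/1.1" 403 211',
    '"-" 10.0.0.7 - - [11/Jun/2014:20:47:03 +0200] '
    '"GET /app/health HTTP/1.1" 200 2',
    '"not-an-ip" 10.0.0.7 - - [11/Jun/2014:20:47:04 +0200] '
    '"GET /app/ HTTP/1.1" 200 512',
]


def summarize(lines):
    """Client address for each line, as a log analysis tool would report it."""
    return [client_ip(line)[0] for line in lines]


if __name__ == "__main__":
    for line, (addr, via_proxy) in zip(SAMPLE_LINES, map(client_ip, SAMPLE_LINES)):
        print(f"{addr:15} {'via RP' if via_proxy else 'direct'}  {line[:60]}")
```

The third sample line is the case that matters for investigations: a request that reached the real server directly with a forged header is reported as the direct peer, not as the address the header claims. On httpd 2.4 the same trust decision can be made by the server itself with mod_remoteip (RemoteIPHeader and RemoteIPInternalProxy), after which "%a" logs the proxied client address while "%h" still logs the proxy.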
