Hi,

I have a vhost in a https-only IPv6-only setup and would like to make
the web site hosted there reachable from the IPv4 Internet. On a
dual-homed host, I have sniproxy that forwards requests coming in via
IPv4 over IPv6 depending on the SNI header. The web server is directly
reachable from the IPv6 Internet without proxy.

sniproxy can utilize the haproxy proxy protocol to forward the IPv4
address of the requesting client to the webserver. With the
RemoteIPProxyProtocol directive of mod_remoteip, apache can make sense
of that. So far so good.

With this option set, apache expects the proxy protocol on all
connections for the listener in question, making it unsuitable for
direct client connections. There is RemoteIPProxyProtocolExceptions,
which specifies IP addresses from where the proxy protocol is not
required. In the situation in question, I'd need "require proxy
protocol from the IP address of the proxy ONLY". If I set something
like 2000::/3 as Exceptions, the entire Internet could send me a wrong
IP address.

This logic is completely backwards from the other mechanism for
X-Forwarded-For headers using RemoteIPInternalProxy, where I need to put
in a list of IP addresses that are allowed to send a client IP address.
Confusing.

Is it possible to have a negated IP address list in
RemoteIPProxyProtocolExceptions? I think that I cannot use SetEnvIf at
this point because the ProxyProtocol processing happens way before any
http processing begins.

I would like to avoid defining a dedicated listener for the sniproxy
mechanism.

Any ideas?

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421
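
The trust rule the post asks for ("require the PROXY header from the proxy's address only, and never honour one from anybody else") can be shown as a small, testable piece of logic. The following is an added example and is not code from the post, from Apache httpd or from sniproxy; it is written in Python rather than httpd configuration so that the decision is explicit. It assumes the proxy is reachable as 2001:db8::1 (documentation prefix, standing in for the real sniproxy address) and uses constructed sample connections; the haproxy PROXY protocol v1 text format it parses is the real one.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Assumed address of the sniproxy host as seen by the web server. 2001:db8::/32
# is the IPv6 documentation prefix and stands in for the real proxy address.
TRUSTED_PROXIES = [ipaddress.ip_network("2001:db8::1/128")]

# A PROXY protocol v1 header is at most 107 bytes including the trailing CRLF.
MAX_V1_HEADER = 107


class ProxyProtocolError(ValueError):
    """Raised when the PROXY header is missing, malformed or not permitted."""


@dataclass
class ProxyHeader:
    src_ip: Optional[IPAddress]   # None for "PROXY UNKNOWN"
    dst_ip: Optional[IPAddress]
    src_port: Optional[int]
    dst_port: Optional[int]


def parse_proxy_v1(data: bytes) -> Tuple[ProxyHeader, bytes]:
    """Parse a haproxy PROXY protocol v1 (text) header.

    Returns the parsed header and the bytes that follow it, i.e. the start of
    the TLS stream that the proxy relays unchanged.
    """
    if not data.startswith(b"PROXY "):
        raise ProxyProtocolError("no PROXY header")
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end < 0:
        raise ProxyProtocolError("PROXY header unterminated or too long")
    try:
        fields = data[:end].decode("ascii").split(" ")
    except UnicodeDecodeError as exc:
        raise ProxyProtocolError("non-ASCII byte in PROXY header") from exc
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":
        # The proxy could not determine the original client.
        return ProxyHeader(None, None, None, None), rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyProtocolError("malformed PROXY header")
    _, proto, src, dst, sport, dport = fields
    try:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        src_port, dst_port = int(sport), int(dport)
    except ValueError as exc:
        raise ProxyProtocolError(f"bad address or port: {exc}") from exc
    family = 4 if proto == "TCP4" else 6
    if src_ip.version != family or dst_ip.version != family:
        raise ProxyProtocolError("address family does not match TCP4/TCP6")
    if not (0 < src_port <= 65535 and 0 < dst_port <= 65535):
        raise ProxyProtocolError("port out of range")
    return ProxyHeader(src_ip, dst_ip, src_port, dst_port), rest


def resolve_client(peer_ip: str, data: bytes) -> Tuple[IPAddress, bytes]:
    """Decide which address counts as the client for logging and access control.

    Policy: the PROXY header is required from a trusted proxy and is honoured
    only there. Every other TCP peer is the client itself and may not assert
    an address for itself.
    """
    peer = ipaddress.ip_address(peer_ip)
    if any(peer in net for net in TRUSTED_PROXIES):
        header, rest = parse_proxy_v1(data)   # a missing header is an error here
        # For "PROXY UNKNOWN" fall back to the proxy's own address.
        return (header.src_ip if header.src_ip is not None else peer), rest
    if data.startswith(b"PROXY "):
        raise ProxyProtocolError(f"PROXY header from untrusted peer {peer}")
    return peer, data


# Constructed sample connections: (TCP peer address, first bytes on the wire).
# 0x16 0x03 0x01 is the start of a TLS record carrying a ClientHello.
TLS_START = b"\x16\x03\x01\x00\xc8"
PROXY_LINE = b"PROXY TCP4 203.0.113.7 198.51.100.9 51234 443\r\n"
SAMPLES = {
    "via_proxy": ("2001:db8::1", PROXY_LINE + TLS_START),
    "direct_v6": ("2001:db8:ffff::5", TLS_START),
    "header_from_non_proxy": ("2001:db8:ffff::5", PROXY_LINE + TLS_START),
    "proxy_without_header": ("2001:db8::1", TLS_START),
}


def classify(name: str) -> str:
    """Return the client address chosen for a sample, or a rejection reason."""
    peer, data = SAMPLES[name]
    try:
        client, _ = resolve_client(peer, data)
        return str(client)
    except ProxyProtocolError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:22s} -> {classify(name)}")
```

Only the connection arriving from the proxy address yields the forwarded IPv4 client address; a direct IPv6 client is logged under its own address, and a PROXY line from anything other than the proxy is refused instead of being believed. That is the allowlist form of the rule; the post's point is that RemoteIPProxyProtocolExceptions expresses the inverse (who is exempt from the header) rather than who is allowed to supply it.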

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org