| ============== |
| mod_extforward |
| ============== |
| |
| .. contents:: |
| |
| Overview |
| ======== |
| |
| Comman Kang <comman.kang at gmail.com> sent me: :: |
| |
| Hello jan. |
| |
| I've made something rough but similar to mod_extract_forwarded for |
| Apache. This module will extract the client's "real" ip from |
| X-Forwarded-For header which is added by squid or other proxies. It might be |
| useful for servers behind reverse proxy servers. |
| |
| However, this module is causing segfault with mod_ssl or |
| $HTTP{''socket"} directive, crashing in config_check_cond while patching |
| connection , I do not understand architecture of the lighttpd well, does it |
| need to call patch_connection in either handle_request_done and |
| connection_reset ? |
| |
| Lionel Elie Mamane <lionel@mamane.lu> improved the patch: :: |
| |
| I've taken lighttpd-1.4.10-mod_extforward.c from the wiki and I've |
| extended it. Here is the result. |
| |
| Major changes: |
| |
| - IPv6 support |
| |
| - Fixed at least one segfault with SERVER['socket'] |
| |
| - Arrange things so that a url.access-deny under scope of a |
| HTTP['remoteip'] condition works well :) |
| |
| I've commented the code in some places, mostly where I wasn't sure |
| what was going on, or I didn't see what the original author meant to |
| do. |
| |
| Options |
| ======= |
| |
| extforward.forwarder |
| Sets trust level of proxy IP's. |
| |
| Default: empty |
| |
| Example: :: |
| |
| extforward.forwarder = ("10.0.0.232" => "trust") |
| |
| will translate ip addresses coming from 10.0.0.232 to real ip addresses extracted from X-Forwarded-For: HTTP request header. |
| |
| Note |
| ======= |
| |
| The effect of this module is variable on $HTTP["remotip"] directives and other module's remote ip dependent actions. |
| Things done by modules before we change the remoteip or after we reset it will match on the proxy's IP. |
| Things done in between these two moments will match on the real client's IP. |
| The moment things are done by a module depends on in which hook it does things and within the same hook |
| on whether they are before/after us in the module loading order |
| (order in the server.modules directive in the config file). |
| |
| Tested behaviours: |
| |
| mod_access: Will match on the real client. |
| |
| mod_accesslog: |
| In order to see the "real" ip address in access log , |
| you'll have to load mod_extforward after mod_accesslog. |
| like this: :: |
| |
| server.modules = ( |
| ..... |
| mod_accesslog, |
| mod_extforward |
| ) |
| |
| Samples |
| ======= |
| |
| Trust proxy 10.0.0.232 and 10.0.0.232 :: |
| |
| extforward.forwarder = ( |
| "10.0.0.232" => "trust", |
| "10.0.0.233" => "trust", |
| ) |
| |
| Trust all proxies (NOT RECOMMENDED!) :: |
| |
| extforward.forwarder = ( "all" => "trust") |
| |
| Note that "all" has precedence over specific entries, so "all except" setups will not work. |