Support reading but ignoring PROXY protocol from a subset of clients #2

Closed
Castaglia opened this issue Dec 15, 2013 · 2 comments
@Castaglia
Owner

It would be nice to be able to configure something like the following for mod_proxy_protocol:

<Limit PROXY>
  # Configure list of trusted senders
</Limit>

I.e. to be able to configure the list of trusted clients, the ones we trust to send PROXY properly. If the connected peer is not in the configured list, but DOES send the PROXY protocol, then mod_proxy_protocol would read that data, but not actually switch the internal data structures to use the reported addresses.

@ghost ghost assigned Castaglia Dec 15, 2013
bkmit added a commit to maytech/proftpd-mod_proxy_protocol that referenced this issue Jun 9, 2021
…m hotfix/SA-657-dedicated-ip-address-on-quatrix-usa-for-gcm-customer to master

* commit 'cc0337cdb6173cadb858f77c204deec934d16988':
  [SA-657] Redefine server record if we have one
@Castaglia
Owner Author

Another way of implementing this, rather than via <Limit>, might be to use a <Class>, and mod_ifsession. Which should Just Work(tm) -- except that we'd still want mod_proxy_protocol to read the PROXY protocol bytes, but ignore them. That, I think, is more doable, and easier.

Castaglia added a commit that referenced this issue Jun 12, 2021
…sed in conjunction with `mod_ifsession` for reading -- then ignoring -- the PROXY protocol from some clients.
Castaglia added a commit that referenced this issue Jun 12, 2021
Issue #2: Implement a `ProxyProtocolIgnore` directive, which can be u…
@Castaglia Castaglia changed the title Support <Limit PROXY> Support reading but ignoring PROXY protocol from a subset of clients Jun 12, 2021
@Castaglia
Owner Author

The requested functionality has been implemented, but using a ProxyProtocolIgnore directive rather than <Limit>:

  <Class untrusted-senders>
    From 1.2.3.4
    From 5.6.7.8
  </Class>

  <IfModule mod_proxy_protocol.c>
    # We always read PROXY protocol headers from clients...
    ProxyProtocolEngine on

    # ...but we don't always trust the senders
    <IfClass untrusted-senders>
      ProxyProtocolIgnore on
    </IfClass>
  </IfModule>
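
The read-but-ignore behaviour discussed in this issue, as an added sketch that is not code from mod_proxy_protocol: the PROXY v1 header is always consumed from the stream, but the reported source address is adopted only when the connected peer is not an untrusted sender. The names `handle_proxy_v1`, `is_untrusted` and `untrusted_senders` are hypothetical, the hard-coded list stands in for the `<Class>`/`mod_ifsession` match, and only v1 `TCP4` headers are handled.

```c
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Constructed stand-in for the <Class untrusted-senders> list in the config above. */
static const char *untrusted_senders[] = { "1.2.3.4", "5.6.7.8" };

static int is_untrusted(const char *peer) {
  for (size_t i = 0; i < sizeof(untrusted_senders) / sizeof(untrusted_senders[0]); i++)
    if (strcmp(peer, untrusted_senders[i]) == 0) return 1;
  return 0;
}

/* Parse a PROXY protocol v1 TCP4 line and choose the address the session
 * should use. Returns the number of header bytes consumed (so they never
 * reach the FTP command parser), or -1 if the header is malformed.
 * The header is always consumed; the reported source is adopted only when
 * the connected peer is not in the untrusted list. */
int handle_proxy_v1(const char *buf, size_t len, const char *peer,
                    char *effective, size_t effective_len) {
  char line[108], src[46], dst[46];
  unsigned int sport, dport;
  struct in_addr a;
  const char *eol = NULL;

  /* A v1 header is at most 107 bytes including its CRLF. */
  for (size_t i = 0; i + 1 < len && i < 106; i++)
    if (buf[i] == '\r' && buf[i + 1] == '\n') { eol = buf + i; break; }
  if (eol == NULL) return -1;

  size_t n = (size_t)(eol - buf);
  memcpy(line, buf, n);
  line[n] = '\0';

  if (sscanf(line, "PROXY TCP4 %45s %45s %u %u", src, dst, &sport, &dport) != 4 ||
      inet_pton(AF_INET, src, &a) != 1 || inet_pton(AF_INET, dst, &a) != 1 ||
      sport > 65535 || dport > 65535)
    return -1;

  /* Ignore mode: keep the socket peer address as the session's client. */
  snprintf(effective, effective_len, "%s", is_untrusted(peer) ? peer : src);
  return (int)(n + 2);
}
```

In both cases the caller skips the returned number of bytes before parsing FTP commands, so an untrusted sender's header is discarded without changing the logged or access-controlled client address.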
