
Refactor IP subnet comparison using apr funcs

* comparison of connecting IP against trusted RPAF_ProxyIPs done with
  apr_ipsubnet_test() rather than previous approach that relied on
  ipv4-limited check_cidr() and strcmp()

* rpaf_looks_like_ip() checks that RPAF_Header request values and
  RPAF_ProxyIPs config values contain valid ipv4/6 addresses

* new RPAF_ForbidIfNotProxy option to forbid requests not connecting
  from RPAF_ProxyIPs; otherwise difficult to use Allow/Deny access
  control on proxies after remote address substitution has taken place

* ifdef brackets around code dealing with server_rec->server_scheme
  because that struct member is only in versions >= 2.2.3

* set "remoteip-proxy-ip-list" value in r->notes table to list of
  proxies so other modules can know about trusted intermediaries and
  IP substitution; similar to Apache2.4 mod_remoteip
1 parent ccbf386 commit 8419240d8336f9030a57bba2ca5e98c29442004d @prxgen prxgen committed Mar 28, 2014
Showing with 161 additions and 95 deletions.
  1. +29 −19 README.md
  2. +132 −76 mod_rpaf.c
@@ -3,6 +3,7 @@
### Summary
Sets `REMOTE_ADDR`, `HTTPS`, and `HTTP_PORT` to the values provided by an upstream proxy.
+Sets `remoteip-proxy-ip-list` field in r->notes table to list of proxy intermediaries.
### Compile Debian/Ubuntu Package and Install
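Review bot: The added summary line does not say when `remoteip-proxy-ip-list` is set or what format the list takes (separator, order of the proxies), which a consuming module needs in order to parse it and decide whether to rely on it. State both in this sentence, and put `r->notes` in backticks like the other identifiers in the summary.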
@@ -23,37 +24,46 @@ Sets `REMOTE_ADDR`, `HTTPS`, and `HTTP_PORT` to the values provided by an upstre
### Configuration Directives
- RPAF_Enable (On|Off) - Enable reverse proxy add forward
+ RPAF_Enable (On|Off) - Enable reverse proxy add forward
- RPAF_ProxyIPs 127.0.0.1 10.0.0.1 - What IPs to adjust requests for
+ RPAF_ProxyIPs 127.0.0.1 10.0.0.0/24 - What IPs & bitmaksed subnets to adjust
+ requests for
- RPAF_Header X-Forwarded-For - The header to use for the real IP
- address.
+ RPAF_Header X-Forwarded-For - The header to use for the real IP
+ address.
- RPAF_SetHostName (On|Off) - Update vhost name so ServerName &
- ServerAlias work
+ RPAF_SetHostName (On|Off) - Update vhost name so ServerName &
+ ServerAlias work
- RPAF_SetHTTPS (On|Off) - Set the HTTPS environment variable
- to the header value contained in
- X-HTTPS, or X-Forwarded-HTTPS.
+ RPAF_SetHTTPS (On|Off) - Set the HTTPS environment variable
+ to the header value contained in
+ X-HTTPS, or X-Forwarded-HTTPS.
- RPAF_SetPort (On|Off) - Set the server port to the header
- value contained in X-Port, or
- X-Forwarded-Port.
+ RPAF_SetPort (On|Off) - Set the server port to the header
+ value contained in X-Port, or
+ X-Forwarded-Port.
+
+ RPAF_ForbidIfNotProxy (On|Off) - Option to forbid request if not from
+ trusted RPAF_ProxyIPs; otherwise
+ cannot be done with Allow/Deny after
+ remote addr substitution
+
## Example Configuration
- LoadModule rpaf_module modules/mod_rpaf.so
- RPAF_Enable On
- RPAF_ProxyIPs 127.0.0.1 10.0.0.10 10.0.0.20
- RPAF_SetHostName On
- RPAF_SetHTTPS On
- RPAF_SetPort On
-
+ LoadModule rpaf_module modules/mod_rpaf.so
+ RPAF_Enable On
+ RPAF_ProxyIPs 127.0.0.1 10.0.0.0/24
+ RPAF_SetHostName On
+ RPAF_SetHTTPS On
+ RPAF_SetPort On
+ RPAF_ForbidIfNotProxy Off
+
## Authors
* Thomas Eibner <thomas@stderr.net>
* Geoffrey McRae <gnif@xbmc.org>
+* Proxigence Inc. <support@proxigence.com>
## License and distribution
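Review bot: The example configuration now trusts `10.0.0.0/24` where it previously listed `10.0.0.10 10.0.0.20`, so every host in that subnet can supply `X-Forwarded-For` and have it accepted as the client address. Either keep the example to the specific proxy addresses or add a sentence saying a subnet belongs in `RPAF_ProxyIPs` only when every address in it is a proxy. In the `RPAF_ProxyIPs` description, "bitmaksed" should be "bitmasked". The `RPAF_ForbidIfNotProxy` entry should state its default and be written as a full sentence, since "otherwise cannot be done with Allow/Deny" does not say what cannot be done.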