Modification to allow a loadbalancer between browser and server #12

Closed
GoogleCodeExporter opened this issue May 7, 2015 · 4 comments

@GoogleCodeExporter

Currently if a loadbalancer is present the server's IP is sent and processed, 
which of course makes no sense whatsoever. If the loadbalancer sends the 
X_FORWARDED_FOR header the authnz_external cannot handle it though. I wrote a 
small patch which sends the X_FORWARDED_FOR header to the client in the PROXY 
environment variable.


Here's the diff:


diff mod_authnz_external-3.2.6-new/mod_authnz_external.c 
mod_authnz_external-3.2.6/mod_authnz_external.c
100d99
< #define ENV_PROXY "PROXY"
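Review bot: The diff was generated with the patched tree as the first argument and the original as the second, so here and in every hunk below the additions appear as `<` lines and the hunk types read as deletions (`100d99`, `498,499d496`); applied as posted it would have to be reversed. Regenerating it with the original tree first, preferably as a unified diff (`diff -u`), would let it apply directly and give each hunk context lines.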
438c437
<     char *child_env[13];

---
>     char *child_env[12];
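Review bot: `child_env[13]` is a hand-counted bound: it goes up by exactly one to cover the one new `child_env[i++]` assignment, and nothing visible in the patch keeps the two in step. A named constant for the array size, or a check of `i` against that size before each conditional assignment, would keep the next added variable from writing past the end of the array.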
461c460
<   const char *cookie, *host, *remote_host, *proxy;

---
>   const char *cookie, *host, *remote_host;
498,499d496
< if ((proxy= apr_table_get(r->headers_in, "X-Forwarded-For")) != NULL)
<       child_env[i++]= apr_pstrcat(p, ENV_PROXY"=", proxy, NULL);

Original issue reported on code.google.com by rogier.s...@gmail.com on 19 Aug 2013 at 1:41

@GoogleCodeExporter

This is a sound idea. I've added a version of it to the version in svn, and it 
will be included in the next release.

The one change I made is to the name. The "X-Forwarded-For" header gives a 
comma-separated list of the servers the request was forwarded to.  The first 
one will be the original client, the rest will be proxies it passed through 
before reaching the proxy whose IP is given in the IP environment variable. 
Most commonly it will be used to get the first IP address, which is the 
original client IP, not a proxy. So calling the variable PROXY seems confusing. 
I called it FORWARDS instead, plural as a reminder that this is, in general, 
going to be a list of IPs, not just a single IP.

Anyway, thanks for the contribution.

Original comment by j...@unixpapa.com on 11 Dec 2013 at 7:14

@GoogleCodeExporter

Issue 13 has been merged into this issue.

Original comment by j...@unixpapa.com on 11 Dec 2013 at 7:16

@GoogleCodeExporter

Original comment by j...@unixpapa.com on 11 Dec 2013 at 7:25

  • Changed state: Fixed

@GoogleCodeExporter

Actually, on second thought, I think that making the IP environment variable 
always return the client IP is better.  No authenticator will ever really want 
to know the whole chain of forwards.

So this change is out again.

Original comment by j...@unixpapa.com on 11 Dec 2013 at 7:42
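
The thread ends with the IP variable carrying the client address. One way to derive that address behind a load balancer, as an added example that is not mod_authnz_external's code: the allow-list `trusted` and all function names are hypothetical, the addresses are constructed, and the walk goes right to left because entries left of the balancer's own are whatever the client sent.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Assumed allow-list of our own load balancers (constructed addresses). */
static const char *trusted[] = { "10.0.0.5", "10.0.0.6" };

static int is_trusted(const char *ip) {
    for (size_t i = 0; i < sizeof trusted / sizeof *trusted; i++)
        if (strcmp(ip, trusted[i]) == 0) return 1;
    return 0;
}

static int is_ip(const char *s) {   /* well-formed IPv4 or IPv6 literal only */
    unsigned char buf[16];          /* large enough for an IPv6 address */
    return inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1;
}

static char *trim(char *s) {        /* strip blanks at both ends, in place */
    s += strspn(s, " \t");
    for (size_t n = strlen(s); n > 0 && strchr(" \t", s[n - 1]); ) s[--n] = '\0';
    return s;
}

/* IP to report: the TCP peer, or, when the peer is a trusted proxy, the first
 * X-Forwarded-For hop from the right that is not ours. -1 if out is too small. */
int client_ip(const char *peer, const char *xff, char *out, size_t outlen) {
    char copy[512];
    const char *best = peer;
    if (xff && is_trusted(peer) && strlen(xff) < sizeof copy) {
        strcpy(copy, xff);          /* bounded by the length check above */
        for (;;) {
            char *comma = strrchr(copy, ',');
            char *entry = trim(comma ? comma + 1 : copy);
            if (!is_ip(entry)) break;        /* malformed: keep last good hop */
            best = entry;
            if (!comma || !is_trusted(entry)) break;
            *comma = '\0';                   /* drop this hop, look further left */
        }
    }
    if (strlen(best) >= outlen) return -1;
    strcpy(out, best);
    return 0;
}

int main(void) {   /* constructed request: forged "1.2.3.4", real peer appended */
    char ip[INET6_ADDRSTRLEN];
    if (client_ip("10.0.0.5", "1.2.3.4, 198.51.100.7", ip, sizeof ip) == 0) puts(ip);
    return 0;
}
```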
