Currently if a loadbalancer is present the server's IP is sent and processed,
which of course makes no sense whatsoever. If the loadbalancer sends the
X_FORWARDED_FOR header the authnz_external cannot handle it though. I wrote a
small patch which sends the X_FORWARDED_FOR header to the client in the PROXY
environment variable.
Here's the diff:
diff mod_authnz_external-3.2.6-new/mod_authnz_external.c
mod_authnz_external-3.2.6/mod_authnz_external.c
100d99
< #define ENV_PROXY "PROXY"
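Review bot: the patch is posted as a plain diff with the patched tree given first, so the '<' line here (#define ENV_PROXY "PROXY") is the addition even though it reads as a removal. Regenerating it as a unified diff with the original tree first (diff -u old new) would give it context lines and let it be applied without reversing it.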
438c437
< char *child_env[13];
---
> char *child_env[12];
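Review bot: the bound in 'char *child_env[13]' is a hand-counted constant that has to stay in step with the number of child_env[i++] stores, and nothing in the patch checks i against it. A named constant for the slot count, or a bounds check before each store, would keep the next added variable from writing past the array.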
461c460
< const char *cookie, *host, *remote_host, *proxy;
---
> const char *cookie, *host, *remote_host;
498,499d496
< if ((proxy= apr_table_get(r->headers_in, "X-Forwarded-For")) != NULL)
< child_env[i++]= apr_pstrcat(p, ENV_PROXY"=", proxy, NULL);
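Review bot: the X-Forwarded-For value read from r->headers_in at 498 is copied into the authenticator's environment unchanged, and that header holds whatever the sender put in it, so an authenticator that uses PROXY for an IP restriction can be misled when a client reaches the server directly or when the load balancer appends to the header instead of replacing it. Exporting the value only when the connection comes from a configured proxy address, or at least documenting that PROXY is unverified and may be a comma-separated list, would address this.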
Original issue reported on code.google.com by rogier.s...@gmail.com on 19 Aug 2013 at 1:41
This is a sound idea. I've added a version of it to the version in svn, and it
will be included in the next release.
The one change I made is to the name. The "X-Forwarded-For" header gives a
comma-separated list of the servers the request was forwarded to. The first
one will be the original client, the rest will be proxies it passed through
before reaching the proxy whose IP is given in the IP environment variable.
Most commonly it will be used to get the first IP address, which is the
original client IP, not a proxy. So calling the variable PROXY seems confusing.
I called it FORWARDS instead, plural as a reminder that this is, in general,
going to be a list of IPs, not just a single IP.
Anyway, thanks for the contribution.
Original comment by j...@unixpapa.com on 11 Dec 2013 at 7:14
Actually, on second thought, I think that making the IP environment variable
always return the client IP is better. No authenticator will ever really want
to know the whole chain of forwards.
So this change is out again.
Original comment by j...@unixpapa.com on 11 Dec 2013 at 7:42
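As an added example (not code from mod_authnz_external or from this thread), here is one way to derive a single client IP from the comma-separated "X-Forwarded-For" list discussed in the comments above. It goes a step beyond taking the first entry: the header is honoured only when the TCP peer is a known proxy, and the list is walked from the right, because entries to the left of the ones our own proxies appended are supplied by the client. The TRUSTED list, its addresses and the client_ip function are assumptions made for the example.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical allow-list of load balancer addresses (constructed values). */
static const char *const TRUSTED[] = { "10.0.0.5", "10.0.0.6" };

static int is_trusted(const char *ip)
{
    for (size_t i = 0; i < sizeof TRUSTED / sizeof TRUSTED[0]; i++)
        if (strcmp(ip, TRUSTED[i]) == 0) return 1;
    return 0;
}

static int is_ip(const char *s)
{
    unsigned char buf[sizeof(struct in6_addr)];
    return inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1;
}

/* Copy into out the address an authenticator should treat as the client.
 * peer is the TCP peer address; xff is the raw header value or NULL.
 * Returns out, or NULL if out is too small for peer. */
const char *client_ip(const char *peer, const char *xff, char *out, size_t outlen)
{
    char copy[512];
    size_t end;

    if (strlen(peer) >= outlen) return NULL;
    strcpy(out, peer);
    /* The header means something only when the peer is one of our proxies. */
    if (xff == NULL || !is_trusted(peer) || strlen(xff) >= sizeof copy) return out;
    strcpy(copy, xff);

    /* Right to left: entries appended by our proxies come last; anything
     * further left was supplied by the client and is not walked past. */
    for (end = strlen(copy); end > 0; ) {
        size_t start = end, n;
        char *tok;
        while (start > 0 && copy[start - 1] != ',') start--;
        copy[end] = '\0';
        for (tok = copy + start; *tok == ' ' || *tok == '\t'; tok++) ;
        for (n = strlen(tok); n > 0 && (tok[n - 1] == ' ' || tok[n - 1] == '\t'); )
            tok[--n] = '\0';
        if (!is_ip(tok) || n >= outlen) break;  /* malformed: keep last good hop */
        strcpy(out, tok);
        if (!is_trusted(tok)) break;            /* first non-proxy hop is the client */
        end = start == 0 ? 0 : start - 1;
    }
    return out;
}
```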