cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Wido den Hollander <w...@widodh.nl>
Subject Re: Client source IP visibility
Date Tue, 17 Jul 2012 14:33:58 GMT
Hi,

On 17-07-12 16:23, Fabrice Brazier wrote:
> Hi Edison,
>
> I think it would be doable with X-Forwarded-For as workaround in some
> cases.
>
> For Apache:
> -----------------------------------------------------
> <Location "/only_proxy/">
>          SetEnvIf X-Forwarded-For ^10\.1\.1\. proxy_env
>          Order allow,deny
>          Satisfy Any
>          Allow from env=proxy_env
> </Location>
> -----------------------------------------------------
>
> I also found this in the CloudStack Docs:
> http://wiki.cloudstack.org/display/COMM/Log+the+IP+of+the+client+in+Apache
> +using+the+CloudStack+LoadBalancer
>
> For nginx there is a HttpRealipModule for stuff like that.
>
> But for our customers this would mean they have to adapt their
> applications and they would need to test and accept this solution in the
> POC.
> We would definitively like to see a solution which wouldn’t require on the
> application side.

Try mod_rpaf for Apache, that should do the trick.

Wido

>
> Regards,
> Fabrice
>
> --
> Fabrice Brazier
> Apalia™
> FR: +33-632-73-53-00
> http://www.apalia.net
> fabrice.brazier@apalia.net
>
>
> -----Message d'origine-----
> De : Edison Su [mailto:Edison.su@citrix.com]
> Envoyé : lundi 16 juillet 2012 19:54
> À : cloudstack; cloudstack-users@incubator.apache.org
> Objet : RE: Client source IP visibility
>
>
>
>> -----Original Message-----
>> From: Fabrice Brazier [mailto:fabrice.brazier@apalia.net]
>> Sent: Monday, July 16, 2012 1:56 AM
>> To: cloudstack-users@incubator.apache.org
>> Cc: cloudstack
>> Subject: Client source IP visibility
>>
>> Hi Folks,
>>
>>
>>
>> we need a way of configuring CloudStack load balancing with the
>> integrated ha-proxy load balancer without hiding the client (source)
>> IP.
>>
>> We see TPPROXY feature as a way of doing this, see
>> http://blog.loadbalancer.org/configure-haproxy-with-tproxy-kernel-for-
>> full-transparent-proxy/
>> .
>>
>>
>>
>> Does this functionality is already implemented ? Will be in the future?
>>
>
> It needs special kernel, not sure it works in debian squeeze kernel or
> not.
>
>>
>>
>> A possible workaround would be to use the "X-Forwarded-For" header for
>> filtering IP addresses.
>
> "option forwardfor" is already in haproxy configuration file, by default.
> Doesn't it work for you? If not, please fire a bug.
>
>>
>>
>>
>> Thanks,
>>
>> Fabrice
>>
>>
>>
>> --
>> Fabrice Brazier
>> *Apalia*(tm)*
>> *FR: +33-632-73-53-00
>> *http://www.apalia.net
>> fabrice.brazier@apalia.net*


Mime
View raw message