httpd-dev mailing list archives

From "Joshua Slive" <jos...@slive.ca>
Subject Re: feature proposal
Date Tue, 15 Mar 2005 03:20:39 GMT

On Tue, 15 Mar 2005 13:25:52 +1100 (EST), "Jie Gao"
<J.Gao@isu.usyd.edu.au> said:
> Hi All,
> 
> Apache is already passing client IP addr to the backend server via a
> mechanism of headers:
> 
> X-Forwarded-For
> X-Forwarded-Host
> X-Forwarded-Server
> 
> The difficulty is that very often the backend server is an Apache
> server from a vendor, and any changes to the server will void support.
> There are also circumstances in which you simply can't recompile
> it.
> 
> It would be very helpful if Apache has configuration directives in the
> core to get those headers (with conditions) in the server configuration
> so that acl and logging based on the "real" IP addresses can work.

You can do this already, with a tiny bit of work.

For the logs, replace %h with %{X-Forwarded-For}i in your LogFormat.

For access restrictions
SetEnvIf X-Forwarded-For ^123\.456\.789\.123$ badguy
Order allow,deny
Allow from all
Deny from env=badguy

Not quite as simple and flexible (you can't do reverse lookups on IPs,
for example), but it seems to me that making it easy to simply replace
REMOTE_HOST with X-Forwarded-For could lead to security problems.  There
is probably a module that will do it for you, however.

Joshua.
-- 
Joshua Slive
joshua@slive.ca
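
Added example, not part of the original message and not Apache httpd code: a sketch of why X-Forwarded-For cannot simply stand in for the connection address, and how a backend can pick the hop it is able to trust before using it for access control or logging. The trusted proxy network 10.0.0.0/24, the function names and all sample addresses are constructed assumptions.

```python
import ipaddress

# Assumption: the reverse proxies allowed to set X-Forwarded-For (constructed).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def is_trusted(addr):
    """True if addr (an ip_address object) is inside a trusted proxy network."""
    return any(addr in net for net in TRUSTED_PROXIES)


def effective_client_ip(peer_ip, xff_header):
    """Return the address to use for ACLs and logs.

    peer_ip is the TCP peer of the connection; xff_header is the raw
    X-Forwarded-For value or None. The header is consulted only when the
    peer itself is a trusted proxy, and it is read right to left because
    each proxy appends the address it saw. Anything to the left of the
    first untrusted hop was supplied by the client and is ignored.
    """
    current = ipaddress.ip_address(peer_ip)
    if not xff_header:
        return str(current)
    hops = [h.strip() for h in xff_header.split(",")]
    for hop in reversed(hops):
        if not is_trusted(current):
            break  # current was not vouched for by our own proxy chain
        try:
            current = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address we could verify
    return str(current)


if __name__ == "__main__":
    # Constructed samples: (TCP peer, X-Forwarded-For header)
    samples = [
        ("10.0.0.5", "203.0.113.7"),              # normal proxied request
        ("198.51.100.9", "10.9.9.9"),             # direct client forging the header
        ("10.0.0.5", "192.0.2.1, 203.0.113.7"),   # client prepended a fake hop
    ]
    for peer, xff in samples:
        print(peer, "|", xff, "->", effective_client_ip(peer, xff))
```

A SetEnvIf match on the raw header, as in the message above, sees whatever the client sent unless every request is forced through the proxy and the backend refuses direct connections.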

