httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Graham Leggett <>
Subject r->connection->remote_ip and mod_remoteip
Date Fri, 05 Feb 2010 22:35:41 GMT
Hi all,

Recently I have to deal with a number of modules that try to override  
the r->connection->remote_ip value in order to use the IP address  
originating from a load balancer, which obscures the real IP address  
of the client.

All of these modules, including mod_remoteip in trunk, take a piece of  
information from a request (a header value typically), and then copies  
the value upstream to the parent connection, blowing away the real  
value of the IP address.

This blown away IP address now becomes the IP address for all further  
requests on the same connection, which, if they are coming from a load  
balancer, are very unlikely to come from the same original client.

A request should not be making permanent changes to its parent  
connection, even a temporary change with a cleanup to restore the  
original value is an ugly hack.

ideally there should be a value r->remote_ip, populated initially from  
connection->remote_ip, which a request can change at will, and that  
will go away when the request is finished. Modules that want to do  
access control, etc should rather look in r->remote_ip instead of r- 

The change is simple enough, but changes a number of modules, so I  
would like to make sure people agree with the approach before I go  

Any comments?


View raw message