httpd-dev mailing list archives

From Stefan Fritsch
Subject Re: Effective IP address / real IP address
Date Mon, 21 Nov 2011 18:04:10 GMT
On Sunday 20 November 2011, Graham Leggett wrote:
> On 20 Nov 2011, at 1:37 AM, Jeff Trawick wrote:
> > On Sat, Nov 19, 2011 at 2:46 PM, Stefan Fritsch wrote:
> >> On Saturday 19 November 2011, Graham Leggett wrote:
> >>>> The correction is simple; promote the remote_ip up to the
> >>>> request rec and log/use for authentication that r->remote_ip
> >>>> throughout httpd.  Introduce a wire client logging tag for
> >>>> c->remote_ip.
> >>> 
> >>> This is a lot simpler and cleaner I think, let me come up with
> >>> an alternative patch.
> >> 
> >> I also think this is preferable. The hook approach adds unneeded
> >> complexity and users of mod_remoteip would also need to change
> >> their log formats.
> > 
> > Yeah, only needing to add a special .conf for LB configurations
> > would be nice (i.e., not touching/reconfiguring anything else)
> This is the alternative I've come up with, again needing docs and
> in- principle. A logging option has been attached to log the raw
> IP address. Separately, I've attached a patch for mod_remoteip.
> Thoughts?

Looks reasonable. Some comments:

The error log handler log_remote_address for %a needs to fall back to 
c->remote_ip if r is not specified. Otherwise one would need different 
logformats for per-conn and per-request log messages. Also, I would 
prefer %{r}a and %{c}a to force logging of r->remote_ip and
c->remote_ip. Then we don't need a new format letter and it would be
more consistent with the %L and %{c}L errorlog format.

We may also want a CONN_REMOTE_ADDR or PHYS_REMOTE_ADDR variable in 
ap_expr to still allow access to c->remote_addr.

Do we need special handling of the REMOTE_HOST script variable? 
Probably it does not make sense because we can't reliably do DNS 
lookups for addresses received via X-Forwarded-For.

I think there may be some confusion of addresses if mod_remoteip is 
used for CONNECT requests. But I am OK with ignoring that 
complication. It should always be possible to use the connection log 
ids to correlate the different messages.

IMHO, commit to trunk and we can fix the remaining issues there.

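The %a fallback and the %{r}a / %{c}a modifiers suggested in the message above, modelled as an added example that is not code from the thread or from httpd. The toy_conn and toy_req structs and both function names are hypothetical stand-ins, and the addresses are constructed sample values.

```c
#include <stdio.h>
#include <string.h>

/* Toy stand-ins (not httpd's real structs): only the fields the thread names. */
typedef struct { const char *remote_ip; } toy_conn;             /* wire peer */
typedef struct { const char *remote_ip; toy_conn *c; } toy_req; /* effective client */

/* Constructed sample data: a proxy at 192.0.2.10 forwarding for 203.0.113.7. */
static toy_conn sample_conn = { "192.0.2.10" };
static toy_req  sample_req  = { "203.0.113.7", &sample_conn };

/* Pick the address for an error-log %a item.
 * arg NULL = plain %a, "r" = %{r}a, "c" = %{c}a; returns NULL if unavailable. */
const char *toy_log_remote_address(const toy_conn *c, const toy_req *r,
                                   const char *arg)
{
    if (arg != NULL) {
        if (strcmp(arg, "c") == 0) return c ? c->remote_ip : NULL;
        if (strcmp(arg, "r") == 0) return r ? r->remote_ip : NULL;
        return NULL;                      /* unknown modifier */
    }
    if (r != NULL && r->remote_ip != NULL)
        return r->remote_ip;              /* per-request message */
    return c ? c->remote_ip : NULL;       /* per-connection fallback */
}

/* Render one line with a single format for both message kinds. */
int toy_format_line(char *buf, size_t len, const toy_conn *c,
                    const toy_req *r, const char *msg)
{
    const char *eff  = toy_log_remote_address(c, r, NULL);
    const char *wire = toy_log_remote_address(c, r, "c");
    return snprintf(buf, len, "[client %s] [peer %s] %s",
                    eff ? eff : "-", wire ? wire : "-", msg);
}

int main(void)
{
    char buf[128];
    toy_format_line(buf, sizeof buf, &sample_conn, NULL, "connection accepted");
    puts(buf);
    toy_format_line(buf, sizeof buf, &sample_conn, &sample_req, "request handled");
    puts(buf);
    return 0;
}
```

Logging the wire peer next to the effective address keeps the forwarding proxy visible in every line, so a header-supplied client address can always be checked against the connection it arrived on.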