From: Zhang Zhang
To: users@httpd.apache.org
Date: Fri, 22 Aug 2014 10:46:39 -0700
Subject: [users@httpd] Support for Proxy Protocol

Hi,

I have a problem that I don't know how to resolve. It would be very much appreciated if anyone could share some thoughts on how to resolve it.

Scenario:
I have an ELB set up in the AWS cloud. There are two Apache servers (2.4.4) behind the ELB acting as gateways; the Apache servers are listening on port 443, which is an HTTPS port. The ELB is set up with TCP/SSL: when a request comes in to the ELB, the ELB forwards it to the Apache servers, and the Apache servers forward it to downstream servers with the ProxyPass directive.

Issue:
There is an issue in this setup: the ELB prevents the downstream server from getting the source IP address of the request. What the Apache server sees is that the message is coming from the IP addresses of the ELB instances, not the actual sender's IP address. I cannot change the ELB to use HTTP/HTTPS and take advantage of the "X-Forwarded-" headers, because of the special mutual authentication I need for the Apache instances. The ELB of AWS supports a TCP protocol called "Proxy Protocol v1" which is able to forward the source IP address to Apache.

Proxy Protocol:
Proxy Protocol is a protocol for a TCP/SSL load balancer to carry source IP address information and forward it to downstream servers. The message with an HTTP GET request would look like:

    PROXY TCP4 192.168.0.1 192.168.0.11 56324 443\r\n
    GET / HTTP/1.1\r\n
    Host: 192.168.0.11\r\n
    \r\n

Basically this protocol adds a new line after the TCP headers and before the body.

For HTTPS it is more complex. I imagine the message for HTTPS would look like:

    PROXY TCP4 192.168.0.1 192.168.0.11 56324 443\r\n

Here is the link to the protocol: http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt

Question:
Obviously this new line before the request body will cause SSL and other modules to fail. How are we going to support this "Proxy Protocol"?

Thanks
JJ
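The poster's guess about HTTPS is right: the PROXY line is sent in cleartext ahead of the TLS ClientHello, so a TLS stack that is not expecting it sees "PROXY..." where a TLS record should be and fails the handshake. The receiver therefore has to strip and validate the line before the application protocol (HTTP or TLS) ever sees the stream. The Python below is an added example of that receiver-side logic, not code from the original post or from the httpd project (httpd itself gained this in mod_remoteip's RemoteIPProxyProtocol directive in 2.4.31, well after the 2.4.4 release mentioned above). It implements the v1 format from the linked haproxy specification: at most 107 bytes including CRLF, families TCP4/TCP6/UNKNOWN, and strict address and port checks. The sample inputs are constructed for the example (the TLS bytes are a hand-written, truncated ClientHello record, not a real capture), and the 10.0.0.0/8 range standing in for the load balancer's addresses is an assumption.

```python
"""PROXY protocol v1 receiver logic (added example, not httpd code).

Parses the "PROXY ..." line a TCP/SSL load balancer prepends to a
connection, hands the untouched remainder (HTTP request or TLS
ClientHello) on, and only trusts the line when the peer is the balancer.
"""
import ipaddress
from typing import Iterable, NamedTuple, Optional, Tuple, Union

MAX_V1_HEADER = 107          # spec: a v1 line including CRLF is at most 107 bytes
CRLF = b"\r\n"
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class ProxyInfo(NamedTuple):
    family: str                  # "TCP4", "TCP6" or "UNKNOWN"
    src_addr: Optional[str]
    dst_addr: Optional[str]
    src_port: Optional[int]
    dst_port: Optional[int]


class ProxyProtocolError(ValueError):
    """Malformed or unexpected PROXY header; the connection should be dropped."""


def _port(field: str) -> int:
    if not field.isdigit() or not 0 <= int(field) <= 65535:
        raise ProxyProtocolError(f"bad port {field!r}")
    return int(field)


def parse_proxy_v1(data: bytes) -> Tuple[ProxyInfo, bytes]:
    """Parse the v1 header at the start of `data`.

    Returns (info, rest), where `rest` is exactly what the server would
    have read had no load balancer been in the path.
    """
    if not data.startswith(b"PROXY "):
        raise ProxyProtocolError("missing PROXY v1 signature")
    end = data.find(CRLF, 0, MAX_V1_HEADER)      # CRLF must sit within the first 107 bytes
    if end == -1:
        raise ProxyProtocolError("no CRLF within the first 107 bytes")
    try:
        line = data[:end].decode("ascii")
    except UnicodeDecodeError as exc:
        raise ProxyProtocolError("non-ASCII byte in header") from exc
    rest = data[end + len(CRLF):]
    fields = line.split(" ")
    if len(fields) >= 2 and fields[1] == "UNKNOWN":
        # Sender could not determine the original endpoints (e.g. a health
        # check); the spec says to ignore the rest of the line and carry on.
        return ProxyInfo("UNKNOWN", None, None, None, None), rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyProtocolError(f"malformed header {line!r}")
    addr_cls = ipaddress.IPv4Address if fields[1] == "TCP4" else ipaddress.IPv6Address
    try:
        src, dst = addr_cls(fields[2]), addr_cls(fields[3])
    except ipaddress.AddressValueError as exc:
        raise ProxyProtocolError(f"bad address in {line!r}") from exc
    return ProxyInfo(fields[1], str(src), str(dst), _port(fields[4]), _port(fields[5])), rest


def looks_like_tls_client_hello(data: bytes) -> bool:
    """True for the first bytes of a TLS connection: record type 22
    (handshake), major version 3, handshake type 1 (ClientHello) at
    offset 5. A leading "PROXY" line fails this check, which is why a
    TLS stack that is not PROXY-aware rejects such connections."""
    return len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01


def accept_connection(peer_ip: str, data: bytes,
                      trusted_proxies: Iterable[Network]) -> Tuple[str, bytes]:
    """Return (effective_client_ip, application_bytes) for a new connection.

    Only a peer inside `trusted_proxies` may assert a client IP via the
    PROXY line. An untrusted peer that sends one is attempting to spoof
    the source address; a trusted peer that omits it is misconfigured.
    Both are rejected rather than silently accepted with the wrong address.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted_proxies):
        if data.startswith(b"PROXY "):
            raise ProxyProtocolError(f"PROXY header from untrusted peer {peer_ip}")
        return peer_ip, data
    info, rest = parse_proxy_v1(data)            # raises if the balancer sent no header
    client = peer_ip if info.family == "UNKNOWN" else info.src_addr
    return client, rest


# Constructed samples: addresses from the post; the TLS bytes are a
# hand-written, truncated ClientHello record, not a real capture.
HEADER = b"PROXY TCP4 192.168.0.1 192.168.0.11 56324 443\r\n"
HTTP_SAMPLE = HEADER + b"GET / HTTP/1.1\r\nHost: 192.168.0.11\r\n\r\n"
TLS_SAMPLE = HEADER + b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"
# Assumption for the example: the balancer's nodes live in 10.0.0.0/8.
TRUSTED_LB = [ipaddress.ip_network("10.0.0.0/8")]

if __name__ == "__main__":
    for sample in (HTTP_SAMPLE, TLS_SAMPLE):
        client, payload = accept_connection("10.0.1.7", sample, TRUSTED_LB)
        kind = "TLS" if looks_like_tls_client_hello(payload) else "HTTP"
        print(client, kind, payload[:16])
```

The trust check is the part that matters operationally: once a listener accepts PROXY lines, anyone who can reach it directly can claim any source address, so the listener must be reachable only from the balancer (security groups) or must check the peer address as above, and a balancer connection without the line must be dropped rather than treated as coming from the balancer's own address.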