`mod_qos(069): no valid IP header found` when using QS_ClientIpFromHeader

Quality of service module for Apache httpd

Brought to you by: pbuchbinder

`mod_qos(069): no valid IP header found` when using QS_ClientIpFromHeader

Forum: Open Discussion

Creator: William Edwards

Created: 2024-04-05

Updated: 2024-04-19

William Edwards - 2024-04-05

Hi,

When using the QS_ClientIpFromHeader directive, mod_qos returns:

mod_qos(069): no valid IP header found (@hp): header 'X-Forwarded-For' not available, fallback to connection's IP 10.40.23.9

Why? I can confirm that X-Forwarded-For is present. In fact, mod_remoteip uses it successfully (and I would expect mod_qos to honour it, but that's a different matter).

The full config can be found below, although I can reproduce the issue when using the directive standalone.

<IfModule mod_qos.c> QS_LogOnly On QS_ErrorResponseCode 429 QS_ClientEntries 10000 QS_ClientEventRequestLimit 20 QS_ClientEventPerSecLimit 20 QS_ClientEventBlockCount 50 10 #QS_SrvMaxConnPerIP 12 QS_ClientIpFromHeader X-Forwarded-For </IfModule>

I'm on version 11.63. I am aware that is not the latest, but it is the version currently shipped for Debian stable, and the changelog (https://mod-qos.sourceforge.net/CHANGES.txt) doesn't mention any related fixes/changes.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Pascal Buchbinder - 2024-04-07

I can confirm that X-Forwarded-For is present. In fact, mod_remoteip uses it successfully

I assume mod_remoteip is causing the problem.
https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html

this header is removed from the request altogether

mod_remoteip.c:

else { apr_table_unset(r->headers_in, config->header_name); }
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

William Edwards - 2024-04-07

Hi @pbuchbinder,

I missed that nuance in the documentation. Sorry about that, and thanks for finding it.

If mod_remoteip removes X-Forwarded-For, there are no headers containing the IP address (I could let the proxy add a header, but I'd rather not). And without QS_ClientIpFromHeader, mod_qos (rightly) believes the connection comes from the proxy.

Are you familiar with successful mod_qos + mod_remoteip approaches? mod_remoteip is not a very exotic module. I found https://sourceforge.net/p/mod-qos/discussion/697421/thread/96040e61/, but that's a dead end.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
- Pascal Buchbinder - 2024-04-07
  
  I agree: mod_remoteip got fully integrated into Apache as of version 2.4.19... it's time for mod_qos to adapt and also support Apache's "useragent_ip" feature.
  
  If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
- Pascal Buchbinder - 2024-04-19
  
  mod_qos version 11.75 is now available.
  
  It uses the IP address determined by mod_remoteip by configuring
  
  QS_ClientIpFromHeader #USERAGENT_IP
  
  If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Log in to post a comment.