> Teemu recently committed a change to OI2::Request to add a property of
> 'forwarded_for' so adapters can store the actual IP address rather
> than just pass the proxy address back. I'm not sure if any adapter
> changes were made though.
Yes, now you can access the X-Forwarded-For which is set by most proxies
(like squid) when a request passes through:
CTX->request->forwarded_for
Which usually contains something like this:
125.12.154.2, Unknown, 142.111.123.123, 212.222.21.4
where 125.* is set by your farthest proxy and 127.* is set by your nearest proxy
(for example, one in localhost).
It's up to you to decide which one of these to trust. I haven't implemented any
additional adapter functionality or such to override what you have in
CTX->request->remote_host
I think a server.ini configuration parameter which sets the number of trusted steps
backwards in the forwarded_for chain would do it.
Something like:
trusted_proxies = 2
Would set 142.111.123.123 as the client's real IP address, as you know that both 142.* and 212.*
were provided by proxies you control and there is no way to access your server through any
other IP address. This is important: it's easy to forge the X-Forwarded-For to whatever you want
if you can access the server directly.
Regards,
Teemu Arina
Dicole
Komeetankuja 4 A
02210 Espoo
FINLAND
Tel: +358-(0)50 - 555 7636
skype: infe00
Corporate website: http://www.dicole.com
FLOSS in education blog: http://flosse.dicole.org
Personal weblog: http://infedelic.blogspot.com
"Discover, collaborate, learn."
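One way to implement the trusted_proxies idea from the message above, as an added example that is not OpenInteract2 code and not part of the original post. client_ip and is_ipv4 are hypothetical helpers, the 127.0.0.1 peer address is a constructed value, and only IPv4 entries are accepted:

```perl
use strict;
use warnings;

# Hypothetical helper, not part of OpenInteract2.
# $trusted is the proposed trusted_proxies value: how many proxies you control.
# $remote_host is the socket peer, the only address that cannot be forged.
sub client_ip {
    my ( $forwarded_for, $remote_host, $trusted ) = @_;
    return $remote_host
        unless $trusted && $trusted > 0 && defined $forwarded_for;

    # Limit -1 keeps trailing empty fields so positions are never shifted.
    my @chain = split /,/, $forwarded_for, -1;
    s/^\s+|\s+$//g for @chain;

    # Every proxy appends one entry, so the entry written by the outermost
    # trusted proxy sits $trusted places from the right. Everything to its
    # left was supplied by the client side and can be forged.
    return $remote_host if @chain < $trusted;
    my $candidate = $chain[ -$trusted ];

    # "Unknown" or other junk in that slot: fall back to the socket peer.
    return is_ipv4($candidate) ? $candidate : $remote_host;
}

sub is_ipv4 {
    my ($s) = @_;
    return 0 unless $s =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/;
    return ( grep { $_ > 255 } $1, $2, $3, $4 ) ? 0 : 1;
}

# Constructed test values; the chain is the one quoted in the message.
my $peer  = '127.0.0.1';
my $chain = '125.12.154.2, Unknown, 142.111.123.123, 212.222.21.4';
my @cases = (
    [ $chain,         2 ],    # both trusted proxies appended an entry
    [ $chain,         0 ],    # no trusted proxies configured
    [ $chain,         3 ],    # third slot from the right is "Unknown"
    [ '212.222.21.4', 2 ],    # chain shorter than the trusted count
);
printf "%-55s trusted=%d -> %s\n", $_->[0], $_->[1],
    client_ip( $_->[0], $peer, $_->[1] ) for @cases;
```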