Commit 708c0a08 authored by Yann Ylavic

Revert r1824221: wrong backport.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1824246 13f79535-47bb-0310-9956-ffa450edef68
parent 7e58de5b
+0 −5
                                                         -*- coding: utf-8 -*-
Changes with Apache 2.4.30

  *) mod_remoteip: Add support for PROXY protocol (code donated by Cloudzilla).
     Add ability for PROXY protocol processing to be optional to donated code.
     See also: http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
     [Cloudzilla/roadrunner2@GitHub, Jim Jagielski, Daniel Ruggeri]

  *) mod_proxy, mod_ssl: Handle SSLProxy* directives in <Proxy> sections,
     allowing per backend TLS configuration.  [Yann Ylavic]

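Review bot: The second line of the entry being removed ("Add ability for PROXY protocol processing to be optional to donated code") does not match the trunk state this backport is meant to track: the STATUS proposal on this page lists r1789800 as "remove optional processing". When the backport is redone, the re-added CHANGES entry should drop that line rather than restore this text verbatim.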
+29 −0
@@ -118,6 +118,35 @@ RELEASE SHOWSTOPPERS:
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
  [ start all new proposals below, under PATCHES PROPOSED. ]

  *) mod_remoteip: Add PROXY protocol support
     trunk patch: http://svn.apache.org/r1776575
                  http://svn.apache.org/r1776578 (doc fix)
                  http://svn.apache.org/r1776624
                  http://svn.apache.org/r1776627 (shortened name + doc fix)
                  http://svn.apache.org/r1776674 (attribution moved to CHANGES)
                  http://svn.apache.org/r1776734
                  http://svn.apache.org/r1776740 (attribution updated in mod_remotip.c)
                  http://svn.apache.org/r1778268 (fix compiler warning)
                  http://svn.apache.org/r1780725 (set buckets aside)
                  http://svn.apache.org/r1781030 (fix strict GCC warning)
                  http://svn.apache.org/r1781031 (reference the filter by handle)
                  http://svn.apache.org/r1781701 (rework optional processing case)
                  http://svn.apache.org/r1788674 (final edge cases/ignore slave conns)
                  http://svn.apache.org/r1789800 (remove optional processing)
                  http://svn.apache.org/r1790169 (rename "exception" directive)
                  http://svn.apache.org/r1790457 (Update directive name in err message)
                  http://svn.apache.org/r1790691
                  http://svn.apache.org/r1806985
                  http://svn.apache.org/r1818279
     2.4 convenience patch (includes CHANGES):
                  http://home.apache.org/~ylavic/patches/RemoteIPProxyProtocol.2.4-v3.patch
     +1: druggeri, jim, minfrin
     ylavic: RemoteIPProxyProtocol* are documented as scoped to server config
             and virtual host, though using ap_server_conf makes them global
             only (thus less useful too...).
        jim: Can docco patch be post-backport?
     minfrin: The docs seem correct, and there is a long explanation in the docs of
              why the scoping is as it is.


PATCHES PROPOSED TO BACKPORT FROM TRUNK:
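Review bot: The restored proposal carries three +1 votes but leaves ylavic's objection open: the RemoteIPProxyProtocol* directives are documented for server config and virtual host context, yet the code reads them through ap_server_conf, which makes them effectively global. minfrin's reply covers how the docs explain the scoping, not whether ap_server_conf actually honours a per-vhost setting; the entry should record how that was settled before the backport is re-applied. Minor: "mod_remotip.c" in the r1776740 line is a typo for mod_remoteip.c.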
+0 −71
@@ -42,12 +42,6 @@ via the request headers.
    with the useragent IP address reported in the request header configured
    with the <directive module="mod_remoteip">RemoteIPHeader</directive> directive.</p>

    <p>Additionally, this module implements the server side of
    HAProxy's
    <a href="http://blog.haproxy.com/haproxy/proxy-protocol/">Proxy Protocol</a> when
    using the <directive module="mod_remoteip">RemoteIPProxyProtocolEnable</directive>
    directive.</p>

    <p>Once replaced as instructed, this overridden useragent IP address is
    then used for the <module>mod_authz_host</module>
    <directive module="mod_authz_core" name="require">Require ip</directive>
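Review bot: The removed paragraph names the directive RemoteIPProxyProtocolEnable, while the directive synopsis removed further down this file is named RemoteIPProxyProtocol with the syntax line "ProxyProtocol On|Optional|Off". Three spellings for one directive indicate this documentation predates the renames that STATUS lists (r1790169 and r1790457), which supports reverting it; the doc page should be re-applied from the listed trunk revisions rather than from this patch.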
@@ -65,7 +59,6 @@ via the request headers.
<seealso><module>mod_authz_host</module></seealso>
<seealso><module>mod_status</module></seealso>
<seealso><module>mod_log_config</module></seealso>
<seealso><a href="http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt">Proxy Protocol Spec</a></seealso>

<section id="processing"><title>Remote IP Processing</title>

@@ -218,70 +211,6 @@ RemoteIPProxiesHeader X-Forwarded-By
</usage>
</directivesynopsis>

<directivesynopsis>
<name>RemoteIPProxyProtocol</name>
<description>Enable, optionally enable or disable the proxy protocol handling</description>
<syntax>ProxyProtocol On|Optional|Off</syntax>
<contextlist><context>server config</context><context>virtual host</context>
</contextlist>

<usage>
    <p>The <directive>RemoteIPProxyProtocolEnable</directive> enables or 
    disables the reading and handling of the proxy protocol connection header.
    If enabled with the <code>On</code> flag, the upstream client <em>must</em>
    send the header every time it opens a connection or the connection will
    be aborted. If enabled with the <code>Optional</code> flag, the upstream
    client <em>may</em> send the header.</p>

    <p>While this directive may be specified in any virtual host, it is
    important to understand that because the proxy protocol is connection
    based and protocol agnostic, the enabling and disabling is actually based
    on ip-address and port. This means that if you have multiple name-based
    virtual hosts for the same host and port, and you enable it any one of
    them, then it is enabled for all them (with that host and port). It also
    means that if you attempt to enable the proxy protocol in one and disable
    in the other, that won't work; in such a case the last one wins and a
    notice will be logged indicating which setting was being overridden.</p>

    <note type="hint">When multiple virtual hosts on the same IP and port are
    configured with a combination of <code>On</code> and <code>Optional</code>
    flags, connections will not be aborted if the header is not sent.
    Instead, enforcement will happen after the request is read so virtual
    hosts configured with <code>On</code> will return a 400 Bad Request.
    Virtual hosts configured with <code>Optional</code> will continue as
    usual but without replacing the client IP information</note>
    
    <highlight language="config">
Listen 80
&lt;VirtualHost *:80&gt;
    ServerName www.example.com
    RemoteIPProxyProtocolEnable Optional

    #Requests to this virtual host may optionally not have
    # a proxy protocol header provided
&lt;/VirtualHost&gt;

&lt;VirtualHost *:80&gt;
    ServerName www.example.com
    RemoteIPProxyProtocolEnable On

    #Requests to this virtual host must have a proxy protocol
    # header provided. If it is missing, a 400 will result
&lt;/VirtualHost&gt;

Listen 8080
&lt;VirtualHost *:8080&gt;
    ServerName www.example.com
    RemoteIPProxyProtocolEnable On

    #Requests to this virtual host must have a proxy protocol
    # header provided. If it is missing, the connection will
    # be aborted
&lt;/VirtualHost&gt;
    </highlight>
</usage>
</directivesynopsis>

<directivesynopsis>
<name>RemoteIPTrustedProxy</name>
<description>Declare client intranet IP addresses trusted to present the RemoteIPHeader value</description>
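Review bot: Within the removed synopsis, <name>, <syntax> and the usage text disagree (RemoteIPProxyProtocol, ProxyProtocol, RemoteIPProxyProtocolEnable), and both the usage and the example document an Optional value that STATUS records as removed from trunk in r1789800 ("remove optional processing"). The example also declares two *:80 virtual hosts with the same ServerName www.example.com and opposite settings, which the surrounding text says is resolved by "last one wins" per IP and port, so the first block's comment about optional headers is misleading as written. None of this survives the revert, but the redone backport should take the directive page from current trunk docs so the directive name, syntax and accepted values line up.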
+2 −770

File changed.