Commit d986c37f authored by Yann Ylavic

Merge r1776575, r1776578, r1776624, r1776627, r1776674, r1776734, r1776740, r1778268, r1780725, r1781030, r1781031, r1781701, r1788674, r1789800, r1790169, r1790457, r1790691, r1806985, r1812332, r1818279 from trunk:

Merge new PROXY protocol code into mod_remoteip

Fix typo in mod_remoteip's doc

Shorten RemoteIPProxyProtocolEnable to RemoteIPProxyProtocol and correct references in docs

Move attribution for mod_remoteip RemoteIPProxyProtocol from file to CHANGES

On the trunk:

* mod_remoteip: added cast to fix clang compiler error



Reinsert attribution to mod_remoteip.c for PROXY protocol

* Silence compiler warning

Set all read buckets aside in case we need to restore all during optional header processing

* modules/metadata/mod_remoteip.c: Fix GCC strict-aliasing warning
  by moving dereference of header array via a different pointer type
  ("type-punning") out of line.


* modules/metadata/mod_remoteip.c (register_hooks,
  remoteip_hook_pre_connection): Reference the filter by handle rather
  than name (avoiding tree lookup by name on use).


Change tactic for PROXY processing in Optional case

Finally include feedback from Ruediger Pluem. Add slave "backoff" verified by Sander Hoentjen

Update PROXY handling by removing Optional processing

Rename RemoteIPProxyProtocolDisableHosts to RemoteIPProxyProtocolExceptions

Fix directive name in 
(s/RemoteIPProxyProtocolDisableNetworks/RemoteIPProxyProtocolExceptions/)

Use cmd->cmd->name instead to be future proof.

XML update plus typo in mod_remoteip.xml.


PROXY protocol proposal corrections

Fix format pattern (%lu => %APR_SIZE_T_FMT).

Detected by maintainer mode compilation and GCC error:

.../modules/metadata/mod_remoteip.c:
In function 'remoteip_input_filter':
.../include/http_log.h:117:33:
error: format '%lu' expects argument of type
'long unsigned int', but argument 8 has type
'apr_size_t {aka unsigned int}' [-Werror=format=]


APR-ize uint types


Submitted by: druggeri, elukey, druggeri, druggeri, druggeri, icing, druggeri, rpluem, druggeri, jorton, jorton, druggeri, druggeri, druggeri, druggeri, jailletc36, lgentis, mrumph, rjung, jim
Reviewed by: druggeri, jim, minfrin


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1824248 13f79535-47bb-0310-9956-ffa450edef68
parent 708c0a08
+5 −0
                                                         -*- coding: utf-8 -*-
Changes with Apache 2.4.30

  *) mod_remoteip: Add support for PROXY protocol (code donated by Cloudzilla).
     Add ability for PROXY protocol processing to be optional to donated code.
     See also: http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
     [Cloudzilla/roadrunner2@GitHub, Jim Jagielski, Daniel Ruggeri]

  *) mod_proxy, mod_ssl: Handle SSLProxy* directives in <Proxy> sections,
     allowing per backend TLS configuration.  [Yann Ylavic]
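Review bot: the second sentence of the mod_remoteip entry, "Add ability for PROXY protocol processing to be optional to donated code", describes a design that the merged set itself withdrew; the commit message above includes "Update PROXY handling by removing Optional processing", and the opt-out that actually ships is the per-host RemoteIPProxyProtocolExceptions directive. Reword it to name that, for example "Add RemoteIPProxyProtocolExceptions to exempt specific hosts or networks from the header requirement", so that a reader of CHANGES looks for the directive that exists rather than an "optional" mode that does not.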

+79 −0
@@ -42,6 +42,12 @@ via the request headers.
    with the useragent IP address reported in the request header configured
    with the <directive module="mod_remoteip">RemoteIPHeader</directive> directive.</p>

    <p>Additionally, this module implements the server side of
    HAProxy's
    <a href="http://blog.haproxy.com/haproxy/proxy-protocol/">PROXY Protocol</a> when
    using the <directive module="mod_remoteip">RemoteIPProxyProtocol</directive>
    directive.</p>

    <p>Once replaced as instructed, this overridden useragent IP address is
    then used for the <module>mod_authz_host</module>
    <directive module="mod_authz_core" name="require">Require ip</directive>
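Review bot: this paragraph needs the trust caveat, because the address carried in the PROXY header becomes the "overridden useragent IP address" that the very next paragraph feeds into "Require ip", and the RemoteIPProxyProtocol text added later in this file checks only that a header is present on the connection, not who sent it. Add a sentence after "directive.</p>" stating that the header is accepted from any peer that can reach an enabled address and port, so such a listener must be exposed only to the load balancer (by firewall or a dedicated port), and say explicitly whether RemoteIPTrustedProxy is consulted for PROXY-derived addresses, since nothing in the new text says it is. The link text "PROXY Protocol" here, "Proxy Protocol Spec" in the seealso and "PROXY protocol" in the directive descriptions should also agree; the HAProxy document itself writes "PROXY protocol".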
@@ -59,6 +65,7 @@ via the request headers.
<seealso><module>mod_authz_host</module></seealso>
<seealso><module>mod_status</module></seealso>
<seealso><module>mod_log_config</module></seealso>
<seealso><a href="http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt">Proxy Protocol Spec</a></seealso>

<section id="processing"><title>Remote IP Processing</title>
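Review bot: the seealso links to the 1.8 copy of proxy-protocol.txt while the CHANGES entry for the same feature points at the 1.5 copy; use a single URL in both places so the two references cannot drift apart, and prefer the newer document since it is the one that describes the header format readers will have to match.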

@@ -211,6 +218,78 @@ RemoteIPProxiesHeader X-Forwarded-By
</usage>
</directivesynopsis>

<directivesynopsis>
<name>RemoteIPProxyProtocol</name>
<description>Enable or disable PROXY protocol handling</description>
<syntax>RemoteIPProxyProtocol On|Off</syntax>
<contextlist><context>server config</context><context>virtual host</context>
</contextlist>
<compatibility>RemoteIPProxyProtocol is only available in httpd 2.4.28 and newer</compatibility>

<usage>
    <p>The <directive>RemoteIPProxyProtocol</directive> directive enables or 
    disables the reading and handling of the PROXY protocol connection header.
    If enabled with the <code>On</code> flag, the upstream client <em>must</em>
    send the header every time it opens a connection or the connection will
    be aborted unless it is in the list of disabled hosts provided by the
    <directive module="mod_remoteip">RemoteIPProxyProtocolExceptions</directive>
    directive.</p>

    <p>While this directive may be specified in any virtual host, it is
    important to understand that because the PROXY protocol is connection
    based and protocol agnostic, the enabling and disabling is actually based
    on IP address and port. This means that if you have multiple name-based
    virtual hosts for the same host and port, and you enable it for any one of
    them, then it is enabled for all of them (with that host and port). It also
    means that if you attempt to enable the PROXY protocol in one and disable
    in the other, that won't work; in such a case, the last one wins and a
    notice will be logged indicating which setting was being overridden.</p>

    <highlight language="config">
Listen 80
&lt;VirtualHost *:80&gt;
    ServerName www.example.com
    RemoteIPProxyProtocol On

    #Requests to this virtual host must have a PROXY protocol
    # header provided. If it is missing, the connection will
    # be aborted
&lt;/VirtualHost&gt;

Listen 8080
&lt;VirtualHost *:8080&gt;
    ServerName www.example.com
    RemoteIPProxyProtocol On
    RemoteIPProxyProtocolExceptions 127.0.0.1 10.0.0.0/8

    #Requests to this virtual host must have a PROXY protocol
    # header provided. If it is missing, the connection will
    # be aborted except when coming from localhost or the
    # 10.x.x.x RFC1918 range
&lt;/VirtualHost&gt;
    </highlight>
</usage>
</directivesynopsis>

<directivesynopsis>
<name>RemoteIPProxyProtocolExceptions</name>
<description>Disable processing of PROXY header for certain hosts or networks</description>
<syntax>RemoteIPProxyProtocolExceptions host|range [host|range] [host|range]</syntax>
<contextlist><context>server config</context><context>virtual host</context>
</contextlist>
<compatibility>RemoteIPProxyProtocolExceptions is only available in httpd 2.4.28 and newer</compatibility>

<usage>
    <p>The <directive>RemoteIPProxyProtocol</directive> directive enables or
    disables the reading and handling of the PROXY protocol connection header.
    Sometimes it is desirable to require clients to provide the PROXY header, but
    permit other clients to connect without it. This directive allows a server 
    administrator to configure a single host or CIDR range of hosts that may do
    so. This is generally useful for monitoring and administrative traffic to a 
    virtual host direct to the server behind the upstream load balancer.</p>
</usage>
</directivesynopsis>

<directivesynopsis>
<name>RemoteIPTrustedProxy</name>
<description>Declare client intranet IP addresses trusted to present the RemoteIPHeader value</description>
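Review bot: the RemoteIPProxyProtocolExceptions usage contradicts its own syntax line and the example above it: "<syntax>RemoteIPProxyProtocolExceptions host|range [host|range] [host|range]</syntax>" and "RemoteIPProxyProtocolExceptions 127.0.0.1 10.0.0.0/8" both take a list, yet the usage says the administrator may "configure a single host or CIDR range of hosts"; write "one or more hosts or CIDR ranges". The first two sentences of that usage describe RemoteIPProxyProtocol rather than this directive and can go. In the RemoteIPProxyProtocol usage, "the list of disabled hosts" should read "the list of exceptions" to match the directive's new name. The example comments say "Requests to this virtual host must have a PROXY protocol header provided", but the paragraph before them explains that the setting is tied to the address and port and that the header is sent "every time it opens a connection", so the comment should speak of connections to *:80, not requests to a virtual host; for the same reason, state whether the exception list is merged per address:port like the On/Off flag when several name-based virtual hosts share a socket. Both <compatibility> lines say 2.4.28 while this change lands under "Changes with Apache 2.4.30" in CHANGES; one of them is wrong. Finally, say what happens when a host listed in the exceptions does send the header (honoured or rejected), since an operator putting monitoring and load-balanced traffic on the same port has to know which address will reach "Require ip".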
+755 −3

File changed.

Preview size limit exceeded, changes collapsed.