PROXY protocol proposal corrections
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1806985 13f79535-47bb-0310-9956-ffa450edef68
@ -65,7 +65,7 @@ via the request headers.
|
||||
<seealso><module>mod_authz_host</module></seealso>
|
||||
<seealso><module>mod_status</module></seealso>
|
||||
<seealso><module>mod_log_config</module></seealso>
|
||||
<seealso><a href="http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt">Proxy Protocol Spec</a></seealso>
|
||||
<seealso><a href="http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt">Proxy Protocol Spec</a></seealso>
|
||||
|
||||
<section id="processing"><title>Remote IP Processing</title>
|
||||
|
||||
@ -227,25 +227,25 @@ RemoteIPProxiesHeader X-Forwarded-By
|
||||
<syntax>RemoteIPProxyProtocol On|Off</syntax>
|
||||
<contextlist><context>server config</context><context>virtual host</context>
|
||||
</contextlist>
|
||||
<compatibility>RemoteIPProxyProtocol is only available in httpd 2.4.26 and newer</compatibility>
|
||||
<compatibility>RemoteIPProxyProtocol is only available in httpd 2.4.28 and newer</compatibility>
|
||||
|
||||
<usage>
|
||||
<p>The <directive>RemoteIPProxyProtocol</directive> directive enables or
|
||||
disables the reading and handling of the PROXY protocol connection header.
|
||||
If enabled with the <code>On</code> flag, the upstream client <em>must</em>
|
||||
send the header every time it opens a connection or the connection will
|
||||
be aborted unless it is in the list of disabled hosts provided by <directive
|
||||
module="mod_remoteip">RemoteIPProxyProtocolExceptions</directive>
|
||||
be aborted unless it is in the list of disabled hosts provided by the
|
||||
<directive module="mod_remoteip">RemoteIPProxyProtocolExceptions</directive>
|
||||
directive.</p>
|
||||
|
||||
<p>While this directive may be specified in any virtual host, it is
|
||||
important to understand that because the PROXY protocol is connection
|
||||
based and protocol agnostic, the enabling and disabling is actually based
|
||||
on ip-address and port. This means that if you have multiple name-based
|
||||
virtual hosts for the same host and port, and you enable it any one of
|
||||
them, then it is enabled for all them (with that host and port). It also
|
||||
on IP address and port. This means that if you have multiple name-based
|
||||
virtual hosts for the same host and port, and you enable it for any one of
|
||||
them, then it is enabled for all of them (with that host and port). It also
|
||||
means that if you attempt to enable the PROXY protocol in one and disable
|
||||
in the other, that won't work; in such a case the last one wins and a
|
||||
in the other, that won't work; in such a case, the last one wins and a
|
||||
notice will be logged indicating which setting was being overridden.</p>
|
||||
|
||||
<highlight language="config">
|
||||
@ -280,7 +280,7 @@ Listen 8080
|
||||
<syntax>RemoteIPProxyProtocolExceptions host|range [host|range] [host|range]</syntax>
|
||||
<contextlist><context>server config</context><context>virtual host</context>
|
||||
</contextlist>
|
||||
<compatibility>RemoteIPProxyProtocolExceptions is only available in httpd 2.4.26 and newer</compatibility>
|
||||
<compatibility>RemoteIPProxyProtocolExceptions is only available in httpd 2.4.28 and newer</compatibility>
|
||||
|
||||
<usage>
|
||||
<p>The <directive>RemoteIPProxyProtocol</directive> directive enables or
|
||||
|
@ -133,11 +133,10 @@ typedef struct {
|
||||
int version;
|
||||
ap_input_mode_t mode;
|
||||
apr_bucket_brigade *bb;
|
||||
int peeking;
|
||||
int done;
|
||||
} remoteip_filter_context;
|
||||
|
||||
/** Holds the resolved proxy info for this connection and any addition
|
||||
/** Holds the resolved proxy info for this connection and any additional
|
||||
configurable parameters
|
||||
*/
|
||||
typedef struct {
|
||||
@ -309,13 +308,13 @@ static const char *proxylist_read(cmd_parms *cmd, void *cfg,
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/** Similar apr_sockaddr_equal, except that it compares ports too. */
|
||||
/** Similar to apr_sockaddr_equal, except that it compares ports too. */
|
||||
static int remoteip_sockaddr_equal(apr_sockaddr_t *addr1, apr_sockaddr_t *addr2)
|
||||
{
|
||||
return (addr1->port == addr2->port && apr_sockaddr_equal(addr1, addr2));
|
||||
}
|
||||
|
||||
/** Similar remoteip_sockaddr_equal, except that it handles wildcard addresses
|
||||
/** Similar to remoteip_sockaddr_equal, except that it handles wildcard addresses
|
||||
* and ports too.
|
||||
*/
|
||||
static int remoteip_sockaddr_compat(apr_sockaddr_t *addr1, apr_sockaddr_t *addr2)
|
||||
@ -793,8 +792,7 @@ static remoteip_parse_status_t remoteip_process_v1_header(conn_rec *c,
|
||||
valid_addr_chars = "0123456789abcdefABCDEF:";
|
||||
#else
|
||||
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(03498)
|
||||
"RemoteIPProxyProtocol: Unable to parse v6 address - APR is not compiled with IPv6 support",
|
||||
word, hdr->v1.line);
|
||||
"RemoteIPProxyProtocol: Unable to parse v6 address - APR is not compiled with IPv6 support");
|
||||
return HDR_ERROR;
|
||||
#endif
|
||||
}
|
||||
@ -1190,7 +1188,7 @@ static const command_rec remoteip_cmds[] =
|
||||
"The filename to read the list of internal proxies, "
|
||||
"see the RemoteIPInternalProxy directive"),
|
||||
AP_INIT_FLAG("RemoteIPProxyProtocol", remoteip_enable_proxy_protocol, NULL,
|
||||
RSRC_CONF, "Enable PROXY protocol handling (`on', `off')"),
|
||||
RSRC_CONF, "Enable PROXY protocol handling ('on', 'off')"),
|
||||
AP_INIT_TAKE_ARGV("RemoteIPProxyProtocolExceptions",
|
||||
remoteip_disable_networks, NULL, RSRC_CONF, "Disable PROXY "
|
||||
"protocol handling for this list of networks in CIDR format"),
|
||||
|
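Review bot: The help string for `RemoteIPProxyProtocolExceptions` in the last hunk (`remoteip_cmds[]`) still describes its arguments as a "list of networks in CIDR format", while the XML documentation touched by this same commit gives the syntax as `host|range [host|range] [host|range]`. This list decides which peers may connect without sending a PROXY header, so the two descriptions should agree and an operator can tell exactly what an entry matches. Assuming the handler `remoteip_disable_networks` (not visible here) accepts single addresses as well as ranges, the string could read `"protocol handling for this list of hosts or networks in CIDR format"`; if it accepts only CIDR ranges, the XML syntax line is the one to correct. The `remoteip_cmds[]` initializer starts and ends outside the hunk.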