Re: [users@httpd] mod_proxy / mod_rewrite: Passing remote IP address to internal server


 



On 6/15/05, David Adam <zanchey@xxxxxxxxxxxxxxxxx> wrote:
> (You're probably not going to like this answer - all I can say is that I'm
> sorry, I'm not an Apache developer and I'm not a mod_rewrite guru. Nor do
> I manage more than about fifty users with CGI web pages, and our attitude
> to them is very much 'if it breaks, fix it yourself'.)
> 
> From what I understand of CGI, it is difficult to do this. The
> REMOTE_ADDR variable is set on the receiving (internal) server - you'll
> have to override it from there.
> 
> You might want to examine:
> - mod_rewrite on the internal servers - I don't know enough about
> mod_rewrite to be able to tell you if (and how) it can change local CGI
> variables.

This won't, in general, work.  The CGI environment variables are set
at the last minute before launching CGI scripts and hence can't be
overridden in the Apache configuration.

> 
> - writing some evil wrapper that rearranges - for example, replacing your
> PERL/Python/whatever executables with a shell script that tests for the
> presence of X_FORWARDED_FOR and replaces REMOTE_ADDR with its contents. Be
> careful with this - X_FORWARDED_FOR does -not- have the same semantics as
> REMOTE_ADDR (see what happens when you pass through two proxy servers, for
> example).
> 
> - sed s/REMOTE_ADDR/HTTP_X_FORWARDED_FOR/g and warning your
> customers! There are bucketloads of examples for detecting and fixing
> proxy headers

Both good suggestions.

The only other suggestion is to write an Apache module that modifies
the internal Apache request structure to replace the address.  This
wouldn't be too difficult (and I think such a module already exists
for 1.3 but not for 2.1), but you would need to be extremely careful
not to mess up the security of your server.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
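
An added example, not part of the original thread: one way a CGI script on the internal server could pick the client address while respecting the caveats above, that X-Forwarded-For does not have REMOTE_ADDR semantics and that the choice affects server security. The function name, the `TRUSTED_PROXIES` list and all addresses are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: addresses of your own front-end proxies (constructed sample value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def _is_trusted(addr):
    """True if addr parses as an IP inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_address(environ):
    """Return the address to treat as the client for one CGI request.

    environ is the CGI environment (os.environ in a real script).
    """
    peer = environ.get("REMOTE_ADDR", "")
    if not _is_trusted(peer):
        # The request did not come through our proxy, so any
        # X-Forwarded-For header was written by the client: ignore it.
        return peer

    raw = environ.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]

    # Each proxy appends the address it saw, so the rightmost entries are
    # the ones our own proxies wrote. Walk right to left and stop at the
    # first hop that is not one of ours; everything left of it is unverified.
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed header: fall back to the TCP peer
        if not _is_trusted(hop):
            return hop

    # Every listed hop is one of ours (or the header is absent).
    return hops[0] if hops else peer
```

Use the returned value for logging or display; an access-control decision based on it is only as strong as the guarantee that nothing but the listed proxies can reach the internal server.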


