--- modules/metadata/mod_remoteip.c Wed Jun 6 21:04:45 2018
+++ modules/metadata/mod_remoteip.c Mon Dec 17 17:50:13 2018
@@ -55,6 +55,11 @@
 * (removed as the physical connection and
 * from the proxy-via IP header value list)
 */
+ const char *header_scheme;
+ /** A header to record the proxied scheme
+ * (removed as the physical connection and
+ * from the proxy-via IP header value list)
+ */
 const char *proxies_header_name;
 /** A list of trusted proxies, ideally configured
 * with the most commonly encountered listed first
@@ -154,6 +159,7 @@
 remoteip_config_t *config = apr_pcalloc(p, sizeof(*config));
 config->disabled_subnets = apr_array_make(p, 1, sizeof(apr_ipsubnet_t *));
 /* config->header_name = NULL;
+ * config->header_scheme = NULL;
 * config->proxies_header_name = NULL;
 * config->proxy_protocol_enabled = NULL;
 * config->proxy_protocol_disabled = NULL;
@@ -173,6 +179,9 @@
 config->header_name = server->header_name
 ? server->header_name
 : global->header_name;
+ config->header_scheme = server->header_scheme
+ ? server->header_scheme
+ : global->header_scheme;
 config->proxies_header_name = server->proxies_header_name
 ? server->proxies_header_name
 : global->proxies_header_name;
@@ -191,6 +200,15 @@
 return NULL;
 }
+static const char *scheme_name_set(cmd_parms *cmd, void *dummy,
+ const char *arg)
+{
+ remoteip_config_t *config = ap_get_module_config(cmd->server->module_config,
+ &remoteip_module);
+ config->header_scheme = arg;
+ return NULL;
+}
+
 static const char *proxies_header_name_set(cmd_parms *cmd, void *dummy,
 const char *arg)
 {
@@ -529,6 +547,7 @@
 apr_status_t rv;
 char *remote;
+ char *scheme;
 char *proxy_ips = NULL;
 char *parse_remote;
 char *eos;
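Review bot: In the `@@ -55,6 +55,11 @@` struct hunk, `header_scheme` is inserted between an existing doc comment and the field after it, so the comment that closes just above the new line now reads as describing `header_scheme`, while the copied "A header to record the proxied scheme" comment lands in front of `proxies_header_name`. The struct appears to put each comment before its field (its start is outside the hunk), so I would move the new field and a fresh comment ahead of the existing comment, e.g. `/** The header to read the client-facing scheme from, e.g. X-Forwarded-Proto */` followed by `const char *header_scheme;`. The copied "(removed as the physical connection ...)" wording should also go, since the `@@ -739,6 +758,11 @@` hunk only reads this header with `apr_table_get` and does not remove it.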
@@ -739,6 +758,11 @@
 r->useragent_addr = req->useragent_addr;
 r->useragent_ip = req->useragent_ip;
+ if (config->header_name) {
+ scheme = (char *) apr_table_get(r->headers_in, config->header_scheme);
+ if (scheme && strcmp(scheme, "https") == 0)
+ r->server->server_scheme = scheme;
+ }
 ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r,
 req->proxy_ips
@@ -1199,6 +1223,9 @@
 AP_INIT_TAKE1("RemoteIPHeader", header_name_set, NULL, RSRC_CONF,
 "Specifies a request header to trust as the client IP, "
 "e.g. X-Forwarded-For"),
+ AP_INIT_TAKE1("RemoteIPProtoHeader", scheme_name_set, NULL, RSRC_CONF,
+ "Specifies a request header to trust as the client scheme, "
+ "e.g. X-Forwarded-Proto"),
 AP_INIT_TAKE1("RemoteIPProxiesHeader", proxies_header_name_set,
 NULL, RSRC_CONF,
 "Specifies a request header to record proxy IP's, "
--- docs/manual/mod/mod_remoteip.xml (revision 1849285)
+++ docs/manual/mod/mod_remoteip.xml (working copy)
@@ -123,7 +123,6 @@
 RemoteIPTrustedProxy directives. Unless these other directives are used, mod_remoteip will trust all hosts presenting a RemoteIPHeader IP value.
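Review bot: In the `@@ -739,6 +758,11 @@` hunk of mod_remoteip.c, `r->server->server_scheme = scheme;` writes a per-request decision into the `server_rec`, which is shared by every request served for that virtual host, and nothing in the hunk ever resets it. Once one request carries the header with `https`, later requests on the same server would presumably be reported as https too, including ones that carry no such header, and the stored pointer refers to a value in `r->headers_in`, which is likely request-pool memory that is gone once the request ends. I would keep the result per request (request config or `r->notes`) and report it from an `http_scheme` hook instead of assigning to the server. The guard also tests the wrong field: `if (config->header_name) {` should be `if (config->header_scheme) {`, otherwise a configuration with RemoteIPHeader but no RemoteIPProtoHeader passes a NULL key to `apr_table_get`. The enclosing function starts and ends outside the hunk, so whether this point is reached only for requests from a trusted proxy cannot be confirmed here and should be stated in a comment above the block.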

- Internal (Load Balancer) Example RemoteIPHeader X-Client-IP @@ -139,6 +138,36 @@ +RemoteIPProtoHeader +Declare the header field which should be parsed for useragent protocol used +RemoteIPProtoHeader scheme-header-field +server configvirtual host + + +

The RemoteIPProtoHeader directive triggers + mod_remoteip to treat the value of the specified + scheme-header-field header as the useragent protocol used, + subject to further configuration + of the RemoteIPInternalProxy and + RemoteIPTrustedProxy directives. Unless these + other directives are used, mod_remoteip will trust all + hosts presenting a RemoteIPProtoHeader protocol value. + The only valid value for the RemoteIPProtoHeader header is "https".

+ Internal (Load Balancer) Example + + RemoteIPProtoHeader X-Client-Proto + + + + Proxy Example + + RemoteIPProtoHeader X-Forwarded-Proto + + +
+
+ + RemoteIPInternalProxy Declare client intranet IP addresses trusted to present the RemoteIPHeader value RemoteIPInternalProxy proxy-ip|proxy-ip/subnet|hostname ...