| Summary: | Implement Forwarded header (RFC 7239) in mod_remoteip | | |
|---|---|---|---|
| Product: | Apache httpd-2 | Reporter: | Dan Ramaley <daniel.ramaley> |
| Component: | mod_remoteip | Assignee: | Apache HTTPD Bugs Mailing List <bugs> |
| Status: | NEW --- | | |
| Severity: | enhancement | CC: | dan, jay |
| Priority: | P2 | | |
| Version: | 2.5-HEAD | | |
| Target Milestone: | --- | | |
| Hardware: | PC | | |
| OS: | Linux | | |

Description
Dan Ramaley
2018-05-15 20:54:26 UTC
Patches are welcome. The largest headache is unwinding Forwarded and X-F-F where they coexist during any transition between the old and new behavior. This is my analysis documented in the thread to help anyone get started: https://lists.apache.org/thread.html/9887a4bb16dc09221996ff36e1dc65aa17353f634533c216626c4f7b%40%3Cdev.httpd.apache.org%3E

So I was unspooling how we would handle stacked variables.

Any PROXY protocol is the nearest hop; if multiple PROXY protocol header lines occurred, the closest would be transmitted first, etc.

All local x-remoteip style values would be the next most distant hop; very similar to the haproxy protocol, it indicates some absolutely trusted edge router/balancer.

Any x-f-f that occurs would reflect all the next most distant hops.

Finally, any 'Forwarded' headers (RFC 7239) are the most distant hops.

I'm basing that conclusion on the fact that all 'Forwarded'-aware intermediaries which construct a 'Forwarded' header would not carry the x-f-f, but concatenate these as closer than the nearest 'Forwarded'-aware hop. So the presence of an x-f-f header indicates the presence of a 'Forwarded'-unaware agent between this incoming connection and the closest 'Forwarded'-aware agent.

I'm not suggesting these two enhancements, PROXY and RFC 7239, are intertwined; we can certainly ship them in different releases, but I was having problems working out X-F-F vs Forwarded until I was working through the PROXY logic and came to the conclusion above, and am looking for others to sanity-check my logic on this.
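The hop ordering proposed in the comment above, sketched as an added example (not httpd or mod_remoteip code, and not part of the original report). The function names, the single-valued `x_remoteip` argument, the use of `unknown` for a Forwarded element without `for=`, and all addresses are assumptions constructed for illustration.

```python
import re

# Constructed illustration; not httpd code. Parameter pairs inside one Forwarded element.
_PARAM = re.compile(r'\s*([\w-]+)=("(?:[^"\\]|\\.)*"|[^;,\s"]*)')

def _split_elements(value):
    """Split a list header on commas that sit outside quoted strings."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in value:
        if escaped:
            escaped = False
        elif ch == "\\" and quoted:
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def _unquote(v):
    if len(v) >= 2 and v[0] == v[-1] == '"':
        return re.sub(r"\\(.)", r"\1", v[1:-1])
    return v

def forwarded_for(value):
    """for= node of each Forwarded element, in header (append) order."""
    nodes = []
    for element in _split_elements(value):
        params = {k.lower(): _unquote(v) for k, v in _PARAM.findall(element)}
        # Assumption: an element without for= still counts as a hop.
        nodes.append(params.get("for", "unknown"))
    return nodes

def hop_chain(proxy_protocol=(), x_remoteip=None, xff=(), forwarded=()):
    """Return (source, address) pairs ordered nearest hop first."""
    chain = [("PROXY", a) for a in proxy_protocol]  # closest sent first
    if x_remoteip:
        chain.append(("x-remoteip", x_remoteip))
    # Each proxy appends to the right, so the rightmost entry is nearest.
    chain += [("X-Forwarded-For", a) for a in reversed(_split_elements(", ".join(xff)))]
    chain += [("Forwarded", n) for n in reversed(forwarded_for(", ".join(forwarded)))]
    return chain

if __name__ == "__main__":
    for hop in hop_chain(["198.51.100.7"], "198.51.100.20", ["203.0.113.5, 203.0.113.9"],
                         ['for=192.0.2.43, for="[2001:db8::17]:4711";proto=https']):
        print(hop)
```

Each entry is only as reliable as the hop that reported it, so a consumer of this chain should stop trusting it at the first address that is not a known proxy.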