|Summary:||Implement Forwarded header (RFC 7239) in mod_remoteip|
|Product:||Apache httpd-2||Reporter:||Dan Ramaley <daniel.ramaley>|
|Component:||mod_remoteip||Assignee:||Apache HTTPD Bugs Mailing List <bugs>|
Description Dan Ramaley 2018-05-15 20:54:26 UTC
Would it be difficult to add support for the standard Forwarded header, as defined by RFC 7239?
Comment 1 William A. Rowe Jr. 2018-05-16 17:29:17 UTC
Patches are welcome. The largest headache is unwinding Forwarded and X-F-F where they coexist during any transition between the old and new behavior. This is my analysis documented in the thread to help anyone get started; https://lists.apache.org/thread.html/9887a4bb16dc09221996ff36e1dc65aa17353f634533c216626c4f7b%40%3Cdev.httpd.apache.org%3E So I was unspooling how we would handle stacked variables. Any PROXY protocol is the nearest hop; if multiple PROXY protocol header lines occurred, the closest would be transmitted first, etc. All local x-remoteip style values would be the next most distant hop; very similar to the haproxy protocol, it indicates some absolutely trusted edge router/balancer. Any x-f-f that occurs would reflect all the next most distant hops. Finally, any 'Forwarded' header (rfc7239) are the most distant hops. I'm basing that conclusion on the fact that all 'Forwarded'-aware intermediaries which construct a 'Forwarded' header would not carry the x-f-f, but concatenate these as closer than the nearest 'Forwarded'-aware hop. So the presence of an x-f-f header indicates the presence of a 'Forwarded'-unaware agent between this incoming connection and the closest 'Forwarded'-aware agent. I'm not suggesting these two enhancements, PROXY and RFC7239 are intertwined, we can certainly ship them in different releases, but I was having problems working out X-F-F vs Forwarded until I was working through the PROXY logic and came to the conclusion above, and am looking for others to sanity-check my logic on this.