Bug 57085 - Implement Proxy Protocol in httpd
Summary: Implement Proxy Protocol in httpd
Status: RESOLVED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_proxy
Version: 2.5-HEAD
Hardware: All All
Importance: P2 enhancement with 9 votes
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Reported: 2014-10-14 00:30 UTC by etienne_grignon
Modified: 2018-06-01 05:19 UTC

Description etienne_grignon 2014-10-14 00:30:46 UTC
Hello,

I would be interested to have Proxy Protocol implemented in httpd.

Nginx 1.5.2 and haproxy 1.5 already have support for it.

The read feature would be a good start. This would allow apache to get the client IP when being used behind an AWS ELB with apache httpd terminating SSL.

http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
https://wiki.bedis.eu/nginx/nginx_proxy_protocol_patch
http://trac.nginx.org/nginx/changeset/3a72b1805c52c84a5567dcfa4562f44722bede40/nginx

Thank you,

Etienne Grignon
Comment 1 Guillermo Grandes 2014-12-09 22:24:12 UTC
Here is my implementation (for Apache 2.2 and 2.4):

The source code (beta) is hosted on GitHub and licensed under the Apache 2.0 License.

Module for Apache 2.4: http://goo.gl/ThoZXN
Module for Apache 2.2: http://goo.gl/pxsCVm

Original Article:
http://wp.me/p19O7G-na
Comment 2 ywu 2014-12-09 23:38:31 UTC
I have implemented a similar module, under testing, for Apache 2.4, following nginx's patch. I am curious why your code didn't put the source IP from the proxy protocol line into c->client_ip and c->client_addr (your code uses c->notes to store client_ip)? You threw away destination_ip from the protocol line now. Do you have a plan to use it, which my current effort to integrate it with apache mod_proxy?
Comment 3 ywu 2014-12-09 23:41:46 UTC
Someone posted a basic implementation for this in Apache today, which is roughly the same as I have done. So the solution is correct so far. Posted one supported only IPV4 for logging ip address. But it put in a lot of security checks of source IP addresses.
Comment 4 ywu 2014-12-09 23:45:30 UTC
please ignore or delete this comment.
Comment 5 Guillermo Grandes 2014-12-10 00:26:12 UTC
(In reply to ywu from comment #2)
> I have implemented a similar module, under testing, for Apache 2.4, following
> nginx's patch. I am curious why your code didn't put the source IP from the proxy
> protocol line into c->client_ip and c->client_addr (your code uses c->notes
> to store client_ip)? You threw away destination_ip from the protocol line now.
> Do you have a plan to use it, which my current effort to integrate it with
> apache mod_proxy?

Yes, I don't touch c->client_ip in the 2.4 module; I use r->useragent_ip (which is not available in connection_filter, until post_read) because... I read the change in the API (http://httpd.apache.org/docs/2.4/developer/new_api_2_4.html), which says (about c->remote_ip):

>> 1) When you require the IP address of the user agent, which might be connected directly to the server, or might optionally be separated from the server by a transparent load balancer or proxy, use request_rec->useragent_ip and request_rec->useragent_addr.
>> 2) When you require the IP address of the client that is connected directly to the server, which might be the useragent or might be the load balancer or proxy itself, use conn_rec->client_ip and conn_rec->client_addr.

It seems that usage of c->client_ip is not a good way for PROXY protocol.
Comment 6 Christophe JAILLET 2018-06-01 05:18:59 UTC
An implementation of the HA Proxy protocol is available in Apache since 2.4.30.

Changelog entry:
  *) mod_remoteip: Add support for PROXY protocol (code donated by Cloudzilla).
     Add ability for PROXY protocol processing to be optional to donated code.
     See also: http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
     [Cloudzilla/roadrunner2@GitHub, Jim Jagielski, Daniel Ruggeri]
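
The PROXY protocol v1 line this thread discusses, as an added example that is not part of any comment and is not httpd's mod_remoteip code: a strict parser that is only consulted when the directly connected peer is an allow-listed proxy, since a header accepted from any other peer lets that peer choose its own logged address. The names `pp1`, `pp1_parse` and `pp1_accept` are this example's own, and the exact-string allowlist stands in for a real CIDR match.

```c
#include <arpa/inet.h>
#include <stdlib.h>
#include <string.h>

/* Parsed PROXY v1 header; struct and function names are this example's own. */
struct pp1 {
    int family;                     /* AF_INET, AF_INET6, or AF_UNSPEC for "UNKNOWN" */
    char src[INET6_ADDRSTRLEN], dst[INET6_ADDRSTRLEN];
    unsigned src_port, dst_port;
};

/* Decimal port 0..65535: digits only, no sign, no leading zeros. */
static int parse_port(const char *s, unsigned *out) {
    char *end;
    if (*s < '0' || *s > '9' || (s[0] == '0' && s[1] != '\0')) return -1;
    unsigned long v = strtoul(s, &end, 10);
    if (*end != '\0' || v > 65535) return -1;
    *out = (unsigned)v;
    return 0;
}

/* Returns the header length including CRLF, or -1 if malformed; ignore *out on -1. */
int pp1_parse(const char *buf, size_t len, struct pp1 *out) {
    char line[108], *f[5];
    unsigned char addr[sizeof(struct in6_addr)];
    size_t n = 0, nf = 0, max = len < 107 ? len : 107;  /* v1 line is at most 107 bytes */
    while (n + 1 < max && !(buf[n] == '\r' && buf[n + 1] == '\n')) n++;
    if (n + 1 >= max || n < 6 || memcmp(buf, "PROXY ", 6) != 0) return -1;
    memcpy(line, buf, n); line[n] = '\0';
    if (strlen(line) != n) return -1;                   /* embedded NUL byte */
    memset(out, 0, sizeof *out);
    if (strncmp(line + 6, "UNKNOWN", 7) == 0 && (line[13] == '\0' || line[13] == ' ')) {
        out->family = AF_UNSPEC;                        /* rest of the line is ignored */
        return (int)n + 2;
    }
    f[nf++] = line + 6;                                 /* split on single spaces only */
    for (char *p = line + 6; *p; p++)
        if (*p == ' ') { if (nf == 5) return -1; *p = '\0'; f[nf++] = p + 1; }
    if (nf != 5) return -1;
    int fam = !strcmp(f[0], "TCP4") ? AF_INET : !strcmp(f[0], "TCP6") ? AF_INET6 : -1;
    if (fam == -1 || inet_pton(fam, f[1], addr) != 1 || inet_pton(fam, f[2], addr) != 1) return -1;
    if (parse_port(f[3], &out->src_port) || parse_port(f[4], &out->dst_port)) return -1;
    out->family = fam; strcpy(out->src, f[1]); strcpy(out->dst, f[2]);
    return (int)n + 2;
}

/* Honour the header only when the directly connected peer is an allow-listed proxy. */
int pp1_accept(const char *peer_ip, const char *const *trusted, size_t ntrusted,
               const char *buf, size_t len, struct pp1 *out) {
    for (size_t i = 0; i < ntrusted; i++)
        if (strcmp(peer_ip, trusted[i]) == 0) return pp1_parse(buf, len, out);
    return -1;  /* untrusted peer: its claimed client address must not be used */
}
```

A caller treats -1 as a reason to drop the connection rather than fall back to the unparsed bytes; on success the returned length is the number of bytes to strip before the HTTP or TLS data.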