Annotation of embedaddon/lighttpd/doc/outdated/extforward.txt, revision 1.1.1.1
1.1 misho 1: ==============
2: mod_extforward
3: ==============
4:
5: .. contents::
6:
7: Overview
8: ========
9:
10: Comman Kang <comman.kang at gmail.com> sent me: ::
11:
12: Hello jan.
13:
14: I've made something rough but similar to mod_extract_forwarded for
15: Apache. This module will extract the client's "real" ip from
16: X-Forwarded-For header which is added by squid or other proxies. It might be
17: useful for servers behind reverse proxy servers.
18:
19: However, this module is causing segfault with mod_ssl or
20: $HTTP{''socket"} directive, crashing in config_check_cond while patching
21: connection, I do not understand architecture of the lighttpd well, does it
22: need to call patch_connection in either handle_request_done and
23: connection_reset ?
24:
25: Lionel Elie Mamane <lionel@mamane.lu> improved the patch: ::
26:
27: I've taken lighttpd-1.4.10-mod_extforward.c from the wiki and I've
28: extended it. Here is the result.
29:
30: Major changes:
31:
32: - IPv6 support
33:
34: - Fixed at least one segfault with SERVER['socket']
35:
36: - Arrange things so that a url.access-deny under scope of a
37: HTTP['remoteip'] condition works well :)
38:
39: I've commented the code in some places, mostly where I wasn't sure
40: what was going on, or I didn't see what the original author meant to
41: do.
42:
43: Options
44: =======
45:
46: extforward.forwarder
47: Sets the trust level of proxy IPs.
48:
49: Default: empty
50:
51: Example: ::
52:
53: extforward.forwarder = ("10.0.0.232" => "trust")
54:
55: will translate IP addresses coming from 10.0.0.232 to the real IP addresses extracted from the "X-Forwarded-For" or "Forwarded-For" HTTP request header.
56:
57: extforward.headers
58: Sets the headers to search for the original addresses.
59:
60: Example (for use with a Zeus ZXTM loadbalancer): ::
61:
62: extforward.headers = ("X-Cluster-Client-Ip")
63:
64: Default: empty, results in searching for "X-Forwarded-For" and "Forwarded-For"
65:
66: Note
67: =======
68:
69: The effect of this module on $HTTP["remoteip"] directives and on other modules' remote-IP-dependent actions varies.
70: Things done by modules before we change the remoteip or after we reset it will match on the proxy's IP.
71: Things done in between these two moments will match on the real client's IP.
72: When a module acts depends on the hook it uses and, within the same hook,
73: on whether it comes before or after us in the module loading order
74: (the order in the server.modules directive in the config file).
75:
76: Tested behaviours:
77:
78: mod_access: Will match on the real client.
79:
80: mod_accesslog:
81: In order to see the "real" IP address in the access log,
82: you'll have to load mod_extforward after mod_accesslog,
83: like this: ::
84:
85: server.modules = (
86: # ..... (other modules)
87: "mod_accesslog",
88: "mod_extforward"
89: )
90:
91: Samples
92: =======
93:
94: Trust proxy 10.0.0.232 and 10.0.0.233 ::
95:
96: extforward.forwarder = (
97: "10.0.0.232" => "trust",
98: "10.0.0.233" => "trust",
99: )
100:
101: Trust all proxies (NOT RECOMMENDED!) ::
102:
103: extforward.forwarder = ( "all" => "trust")
104:
105: Note that "all" has precedence over specific entries, so "all except" setups will not work.
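
The trust decision described above, modelled as an added example (not code from lighttpd or from the module's authors). The right-to-left walk over the header and the function name ``resolve_client_ip`` are assumptions made for illustration; all addresses are constructed documentation values.

```python
import ipaddress


def resolve_client_ip(peer_ip, xff_header, forwarders):
    """Pick the address to treat as the client.

    peer_ip    -- address of the TCP peer (the only value the client cannot forge)
    xff_header -- raw X-Forwarded-For value, or None if the header is absent
    forwarders -- dict shaped like extforward.forwarder, e.g. {"10.0.0.232": "trust"}
    """
    # "all" has precedence over specific entries, as the note above states.
    trust_all = forwarders.get("all") == "trust"
    trusted_set = {
        ipaddress.ip_address(k)
        for k, v in forwarders.items()
        if k != "all" and v == "trust"
    }

    def trusted(ip):
        return trust_all or ip in trusted_set

    current = ipaddress.ip_address(peer_ip)
    if not xff_header or not trusted(current):
        # Header ignored: the peer is not a trusted proxy, so anything it
        # sent in X-Forwarded-For is just client-supplied text.
        return str(current)

    # Walk right to left: an entry is believed only because the hop that
    # appended it is trusted. Stop at the first untrusted hop.
    for token in reversed([t.strip() for t in xff_header.split(",")]):
        try:
            hop = ipaddress.ip_address(token)
        except ValueError:
            break  # malformed entry: keep the last validated address
        current = hop
        if not trusted(hop):
            break
    return str(current)


if __name__ == "__main__":
    proxies = {"10.0.0.232": "trust", "10.0.0.233": "trust"}
    # Constructed header: the leftmost entry was supplied by the client itself.
    header = "192.0.2.1, 203.0.113.7, 10.0.0.233"
    print(resolve_client_ip("10.0.0.232", header, proxies))       # trusted chain
    print(resolve_client_ip("198.51.100.9", "127.0.0.1", proxies))  # untrusted peer
    print(resolve_client_ip("198.51.100.9", "127.0.0.1", {"all": "trust"}))
```

With ``"all" => "trust"`` the last call returns whatever the request header claims, which is why access rules keyed on the remote IP should only be combined with an explicit forwarder list.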