<li>Modules that load other modules later than the EXEC_ON_READ config
reading stage need to call ap_reserve_module_slots() or
ap_reserve_module_slots_directive() in their pre_config hook.</li>
- <li>The client IP address per request can now be specified independently
- of the peer IP address of the connection for the benefit of load
- balancers</li>
+ <li>The useragent IP address per request can now be specified
+ independently of the client IP address of the connection for
+ the benefit of load balancers</li>
</ul>
</section>
<dd>This has been renamed to ap_unixd_config.</dd>
<dt><code>conn_rec->remote_ip and conn_rec->remote_addr</code></dt>
- <dd>In order to distinguish between the peer IP address of the
- connection, and the client IP address of the request potentially
+ <dd>In order to distinguish between the client IP address of the
+ connection, and the useragent IP address of the request potentially
overridden by a load balancer or proxy, the above variables have
been renamed. If a module makes reference to either of the above
variables, they need to be replaced with one of the following two
separated from the server by a transparent load balancer or
proxy, use request_rec->useragent_ip and
request_rec->useragent_addr.</li>
- <li>When you require the IP address of the peer that is
- connected directly to the server, which might be the client or
+ <li>When you require the IP address of the client that is
+ connected directly to the server, which might be the useragent or
might be the load balancer or proxy itself, use
- conn_rec->peer_ip and conn_rec->peer_addr.</li>
+ conn_rec->client_ip and conn_rec->client_addr.</li>
</ul>
</dd>
</dl>
<modulesynopsis metafile="mod_remoteip.xml.meta">
<name>mod_remoteip</name>
-<description>Replaces the original peer IP address for the connection
-with the client IP address list presented by a proxies or a load balancer
+<description>Replaces the original client IP address for the connection
+with the useragent IP address list presented by a proxies or a load balancer
via the request headers.
</description>
<identifier>remoteip_module</identifier>
<summary>
- <p>This module is used to treat the client which initiated the
- request as the originating client as identified by httpd for the
- purposes of authorization and logging, even where that client is
+ <p>This module is used to treat the useragent which initiated the
+ request as the originating useragent as identified by httpd for the
+ purposes of authorization and logging, even where that useragent is
behind a load balancer, front end server, or proxy server.</p>
- <p>The module overrides the peer IP address for the connection
- with the client IP address reported in the request header configured
+ <p>The module overrides the client IP address for the connection
+ with the useragent IP address reported in the request header configured
with the <directive>RemoteIPHeader</directive> directive.</p>
- <p>Once replaced as instructed, this overridden client IP address is
+ <p>Once replaced as instructed, this overridden useragent IP address is
then used for the <module>mod_authz_host</module>
<directive module="mod_authz_host" type="section">Require ip</directive>
feature, is reported by <module>mod_status</module>, and is recorded by
<module>mod_log_config</module> <code>%a</code> and <module>core</module>
- <code>%a</code> format strings. The underlying peer IP of the connection
+ <code>%a</code> format strings. The underlying client IP of the connection
is available in the <code>%{c}a</code> format string.</p>
<note type="warning">It is critical to only enable this behavior from
intermediate hosts (proxies, etc) which are trusted by this server, since
- it is trivial for the remote client to impersonate another client.</note>
+ it is trivial for the remote useragent to impersonate another
+ useragent.</note>
</summary>
<seealso><module>mod_authz_host</module></seealso>
<section id="processing"><title>Remote IP Processing</title>
- <p>Apache by default identifies the client with the connection's
- peer_ip value, and the connection remote_host and remote_logname are
+ <p>Apache by default identifies the useragent with the connection's
+ client_ip value, and the connection remote_host and remote_logname are
derived from this value. These fields play a role in authentication,
authorization and logging and other purposes by other loadable
modules.</p>
- <p>mod_remoteip overrides the peer IP of the connection with the
- advertised client IP as provided by a proxy or load balancer, for
+ <p>mod_remoteip overrides the client IP of the connection with the
+ advertised useragent IP as provided by a proxy or load balancer, for
the duration of the request. A load balancer might establish a long
lived keepalive connection with the server, and each request will
- have the correct client IP, even though the underlying peer IP
+ have the correct useragent IP, even though the underlying client IP
address of the load balancer remains unchanged.</p>
- <p>When multiple, comma delimited client IP addresses are listed in the
+ <p>When multiple, comma delimited useragent IP addresses are listed in the
header value, they are processed in Right-to-Left order. Processing
- halts when a given client IP address is not trusted to present the
+ halts when a given useragent IP address is not trusted to present the
preceding IP address. The header field is updated to this remaining
list of unconfirmed IP addresses, or if all IP addresses were trusted,
this header is removed from the request altogether.</p>
<directivesynopsis>
<name>RemoteIPHeader</name>
-<description>Declare the header field which should be parsed for client IP addresses</description>
+<description>Declare the header field which should be parsed for useragent IP addresses</description>
<syntax>RemoteIPHeader <var>header-field</var></syntax>
<contextlist><context>server config</context><context>virtual host</context></contextlist>
<usage>
<p>The <directive>RemoteIPHeader</directive> directive triggers
<module>mod_remoteip</module> to treat the value of the specified
- <var>header-field</var> header as the client IP address, or list
- of intermediate client IP addresses, subject to further configuration
+ <var>header-field</var> header as the useragent IP address, or list
+ of intermediate useragent IP addresses, subject to further configuration
of the <directive>RemoteIPInternalProxy</directive> and
<directive>RemoteIPTrustedProxy</directive> directives. Unless these
other directives are used, <module>mod_remoteip</module> will trust all
<usage>
<p>The <directive>RemoteIPInternalProxy</directive> directive adds one
or more addresses (or address blocks) to trust as presenting a valid
- RemoteIPHeader value of the client IP. Unlike the
+ RemoteIPHeader value of the useragent IP. Unlike the
<directive>RemoteIPTrustedProxy</directive> directive, any IP address
presented in this header, including private intranet addresses, are
trusted when passed from these proxies.</p>
<usage>
<p>The <directive>RemoteIPInternalProxyList</directive> directive specifies
a file parsed at startup, and builds a list of addresses (or address blocks)
- to trust as presenting a valid RemoteIPHeader value of the client IP.</p>
+ to trust as presenting a valid RemoteIPHeader value of the useragent IP.</p>
<p>The '<code>#</code>' hash character designates a comment line, otherwise
each whitespace or newline separated entry is processed identically to
<usage>
<p>The <directive>RemoteIPProxiesHeader</directive> directive specifies
a header into which <module>mod_remoteip</module> will collect a list of
- all of the intermediate client IP addresses trusted to resolve the client
+ all of the intermediate client IP addresses trusted to resolve the useragent
IP of the request. Note that intermediate
<directive>RemoteIPTrustedProxy</directive> addresses are recorded in
this header, while any intermediate
<usage>
<p>The <directive>RemoteIPTrustedProxy</directive> directive adds one
or more addresses (or address blocks) to trust as presenting a valid
- RemoteIPHeader value of the client IP. Unlike the
+ RemoteIPHeader value of the useragent IP. Unlike the
<directive>RemoteIPInternalProxy</directive> directive, any intranet
or private IP address reported by such proxies, including the 10/8, 172.16/12,
192.168/16, 169.254/16 and 127/8 blocks (or outside of the IPv6 public
- 2000::/3 block) are not trusted as the client IP, and are left in the
+ 2000::/3 block) are not trusted as the useragent IP, and are left in the
<directive>RemoteIPHeader</directive> header's value.</p>
<example><title>Trusted (Load Balancer) Example</title>
<usage>
<p>The <directive>RemoteIPTrustedProxyList</directive> directive specifies
a file parsed at startup, and builds a list of addresses (or address blocks)
- to trust as presenting a valid RemoteIPHeader value of the client IP.</p>
+ to trust as presenting a valid RemoteIPHeader value of the useragent IP.</p>
<p>The '<code>#</code>' hash character designates a comment line, otherwise
each whitespace or newline seperated entry is processed identically to
/** local address */
apr_sockaddr_t *local_addr;
/** remote address */
- apr_sockaddr_t *peer_addr;
+ apr_sockaddr_t *client_addr;
/** Client's IP address */
- char *peer_ip;
+ char *client_ip;
/** Client's DNS name, if known. NULL if DNS hasn't been checked,
* "" if it has and no address was found. N.B. Only access this though
* get_remote_host() */
buf[len] = '\0';
tbl = apr_table_make(r->pool, 10);
qs_to_table(buf, tbl, r->pool);
- apr_sockaddr_ip_get(&ip, r->connection->peer_addr);
+ apr_sockaddr_ip_get(&ip, r->connection->client_addr);
hmserver.ip = ip;
hmserver.port = 80;
if (apr_table_get(tbl, "port") != NULL)
if (!APR_STATUS_IS_EOF(rv) && ! APR_STATUS_IS_TIMEUP(rv))
ap_log_error(APLOG_MARK, APLOG_INFO, rv, c->base_server, APLOGNO(01611)
"ProtocolEcho: Failure reading from %s",
- c->peer_ip);
+ c->client_ip);
break;
}
apr_brigade_cleanup(bb);
ap_log_error(APLOG_MARK, APLOG_INFO, rv, c->base_server, APLOGNO(01612)
"ProtocolEcho: Error - read empty brigade from %s!",
- c->peer_ip);
+ c->client_ip);
break;
}
if (rv != APR_SUCCESS) {
ap_log_error(APLOG_MARK, APLOG_INFO, rv, c->base_server, APLOGNO(01613)
"ProtocolEcho: Failure writing to %s",
- c->peer_ip);
+ c->client_ip);
break;
}
apr_brigade_cleanup(bb);
/* check the IP is not banned */
shm_rec = apr_shm_baseaddr_get(shm);
while (shm_rec[0] != '\0') {
- if (!strcmp(shm_rec, conn->peer_ip)) {
+ if (!strcmp(shm_rec, conn->client_ip)) {
apr_socket_t *csd = ap_get_conn_socket(conn);
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn, APLOGNO(02059)
"Dropping connection from banned IP %s",
- conn->peer_ip);
+ conn->client_ip);
apr_socket_close(csd);
return DONE;
static const char *log_remote_address(request_rec *r, char *a)
{
if (a && !strcmp(a, "c")) {
- return r->connection->peer_ip;
+ return r->connection->client_ip;
}
else {
return r->useragent_ip;
ap_lua_push_apr_table(L, c->notes);
lua_setfield(L, -2, "notes");
- lua_pushstring(L, c->peer_ip);
+ lua_pushstring(L, c->client_ip);
lua_setfield(L, -2, "remote_ip");
lua_pop(L, 1);
return rv;
}
- if ((rv = apr_sockaddr_info_get(&destsa, conn->peer_ip,
+ if ((rv = apr_sockaddr_info_get(&destsa, conn->client_ip,
localsa->family, /* has to match */
RFC1413_PORT, 0, conn->pool)) != APR_SUCCESS) {
/* This should not fail since we have a numeric address string
* as the host. */
ap_log_error(APLOG_MARK, APLOG_CRIT, rv, srv, APLOGNO(01493)
"rfc1413: apr_sockaddr_info_get(%s) failed",
- conn->peer_ip);
+ conn->client_ip);
return rv;
}
apr_size_t buflen;
sav_our_port = conn->local_addr->port;
- sav_rmt_port = conn->peer_addr->port;
+ sav_rmt_port = conn->client_addr->port;
/* send the data */
buflen = apr_snprintf(buffer, sizeof(buffer), "%hu,%hu\r\n", sav_rmt_port,
}
remote = apr_pstrdup(r->pool, remote);
- temp_sa = c->peer_addr;
+ temp_sa = c->client_addr;
while (remote) {
- /* verify c->peer_addr is trusted if there is a trusted proxy list
+ /* verify c->client_addr is trusted if there is a trusted proxy list
*/
if (config->proxymatch_ip) {
int i;
remoteip_proxymatch_t *match;
match = (remoteip_proxymatch_t *)config->proxymatch_ip->elts;
for (i = 0; i < config->proxymatch_ip->nelts; ++i) {
- if (apr_ipsubnet_test(match[i].ip, c->peer_addr)) {
+ if (apr_ipsubnet_test(match[i].ip, c->client_addr)) {
internal = match[i].internal;
break;
}
req = (remoteip_req_t *) apr_palloc(r->pool, sizeof(remoteip_req_t));
}
- /* Set peer_ip string */
+ /* Set useragent_ip string */
if (!internal) {
if (proxy_ips) {
proxy_ips = apr_pstrcat(r->pool, proxy_ips, ", ",
- c->peer_ip, NULL);
+ c->client_ip, NULL);
}
else {
- proxy_ips = c->peer_ip;
+ proxy_ips = c->client_ip;
}
}
if (bytes_streamed != cl_val) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01087)
"client %s given Content-Length did not match"
- " number of body bytes read", r->connection->peer_ip);
+ " number of body bytes read", r->connection->client_ip);
return HTTP_BAD_REQUEST;
}
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01094)
"client %s (%s) requested Transfer-Encoding "
"chunked body with Content-Length (C-L ignored)",
- c->peer_ip, c->remote_host ? c->remote_host: "");
+ c->client_ip, c->remote_host ? c->remote_host: "");
apr_table_unset(r->headers_in, "Content-Length");
old_cl_val = NULL;
origin->keepalive = AP_CONN_CLOSE;
"prefetch request body failed to %pI (%s)"
" from %s (%s)",
p_conn->addr, p_conn->hostname ? p_conn->hostname: "",
- c->peer_ip, c->remote_host ? c->remote_host: "");
+ c->client_ip, c->remote_host ? c->remote_host: "");
return HTTP_BAD_REQUEST;
}
"processing prefetched request body failed"
" to %pI (%s) from %s (%s)",
p_conn->addr, p_conn->hostname ? p_conn->hostname: "",
- c->peer_ip, c->remote_host ? c->remote_host: "");
+ c->client_ip, c->remote_host ? c->remote_host: "");
return HTTP_INTERNAL_SERVER_ERROR;
}
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01097)
"pass request body failed to %pI (%s) from %s (%s)",
p_conn->addr, p_conn->hostname ? p_conn->hostname: "",
- c->peer_ip, c->remote_host ? c->remote_host: "");
+ c->client_ip, c->remote_host ? c->remote_host: "");
return rv;
}
rp->input_filters = c->input_filters;
rp->proto_output_filters = c->output_filters;
rp->proto_input_filters = c->input_filters;
- rp->useragent_ip = c->peer_ip;
- rp->useragent_addr = c->peer_addr;
+ rp->useragent_ip = c->client_ip;
+ rp->useragent_addr = c->client_addr;
rp->request_config = ap_create_request_config(pool);
proxy_run_create_req(r, rp);
rv = apr_sockaddr_info_get(&sa, conn->remote_host, APR_UNSPEC, 0, 0, conn->pool);
if (rv == APR_SUCCESS) {
while (sa) {
- if (apr_sockaddr_equal(sa, conn->peer_addr)) {
+ if (apr_sockaddr_equal(sa, conn->client_addr)) {
conn->double_reverse = 1;
return;
}
&& (type == REMOTE_DOUBLE_REV
|| hostname_lookups != HOSTNAME_LOOKUP_OFF)) {
- if (apr_getnameinfo(&conn->remote_host, conn->peer_addr, 0)
+ if (apr_getnameinfo(&conn->remote_host, conn->client_addr, 0)
== APR_SUCCESS) {
ap_str_tolower(conn->remote_host);
}
else {
*str_is_ip = 1;
- return conn->peer_ip;
+ return conn->client_ip;
}
}
}
}
apr_sockaddr_ip_get(&c->local_ip, c->local_addr);
- if ((rv = apr_socket_addr_get(&c->peer_addr, APR_REMOTE, csd))
+ if ((rv = apr_socket_addr_get(&c->client_addr, APR_REMOTE, csd))
!= APR_SUCCESS) {
ap_log_error(APLOG_MARK, APLOG_INFO, rv, server, APLOGNO(00138)
"apr_socket_addr_get(APR_REMOTE)");
return NULL;
}
- apr_sockaddr_ip_get(&c->peer_ip, c->peer_addr);
+ apr_sockaddr_ip_get(&c->client_ip, c->client_addr);
c->base_server = server;
c->id = id;
return apr_snprintf(buf, buflen, "%s:%d", info->r->useragent_ip,
info->r->useragent_addr->port);
else if (info->c)
- return apr_snprintf(buf, buflen, "%s:%d", info->c->peer_ip,
- info->c->peer_addr->port);
+ return apr_snprintf(buf, buflen, "%s:%d", info->c->client_ip,
+ info->c->client_addr->port);
else
return 0;
}
}
/*
- * useragent_ip/peer_ip can be client or backend server. If we have
+ * useragent_ip/client_ip can be client or backend server. If we have
* a scoreboard handle, it is likely a client.
*/
if (info->r) {
else if (info->c) {
len += apr_snprintf(buf + len, buflen - len,
info->c->sbh ? "[client %s:%d] " : "[remote %s:%d] ",
- info->c->peer_ip, info->c->peer_addr->port);
+ info->c->client_ip, info->c->client_addr->port);
}
/* the actual error message */
*/
r->used_path_info = AP_REQ_DEFAULT_PATH_INFO;
- r->useragent_addr = conn->peer_addr;
- r->useragent_ip = conn->peer_ip;
+ r->useragent_addr = conn->client_addr;
+ r->useragent_ip = conn->client_ip;
tmp_bb = apr_brigade_create(r->pool, r->connection->bucket_alloc);
case 1:
#if APR_HAVE_IPV6
{
- apr_sockaddr_t *addr = c->peer_addr;
+ apr_sockaddr_t *addr = c->client_addr;
if (addr->family == AF_INET6
&& !IN6_IS_ADDR_V4MAPPED((struct in6_addr *)addr->ipaddr_ptr))
return "on";
case 2:
return c->log_id;
case 3:
- return c->peer_ip;
+ return c->client_ip;
default:
ap_assert(0);
return NULL;
apr_table_addn(e, "SERVER_ADMIN", s->server_admin); /* Apache */
apr_table_addn(e, "SCRIPT_FILENAME", r->filename); /* Apache */
- rport = c->peer_addr->port;
+ rport = c->client_addr->port;
apr_table_addn(e, "REMOTE_PORT", apr_itoa(r->pool, rport));
if (r->user) {
projects / apache / commitdiff