From 178449b8ccebe2892cbc9e7b0136bdda3c7a4a6e Mon Sep 17 00:00:00 2001 From: Mike Rumph Date: Fri, 1 Sep 2017 15:41:20 +0000 Subject: [PATCH] PROXY protocol proposal corrections git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1806985 13f79535-47bb-0310-9956-ffa450edef68 --- docs/manual/mod/mod_remoteip.xml | 18 +++++++++--------- modules/metadata/mod_remoteip.c | 12 +++++------- 2 files changed, 14 insertions(+), 16 deletions(-) diff --git a/docs/manual/mod/mod_remoteip.xml b/docs/manual/mod/mod_remoteip.xml index 1e693a4fcb..bac9e88a24 100644 --- a/docs/manual/mod/mod_remoteip.xml +++ b/docs/manual/mod/mod_remoteip.xml @@ -65,7 +65,7 @@ via the request headers. mod_authz_host mod_status mod_log_config -Proxy Protocol Spec +Proxy Protocol Spec
Remote IP Processing @@ -227,25 +227,25 @@ RemoteIPProxiesHeader X-Forwarded-By RemoteIPProxyProtocol On|Off server configvirtual host -RemoteIPProxyProtocol is only available in httpd 2.4.26 and newer +RemoteIPProxyProtocol is only available in httpd 2.4.28 and newer

The RemoteIPProxyProtocol directive enables or disables the reading and handling of the PROXY protocol connection header. If enabled with the On flag, the upstream client must send the header every time it opens a connection or the connection will - be aborted unless it is in the list of disabled hosts provided by RemoteIPProxyProtocolExceptions + be aborted unless it is in the list of disabled hosts provided by the + RemoteIPProxyProtocolExceptions directive.

While this directive may be specified in any virtual host, it is important to understand that because the PROXY protocol is connection based and protocol agnostic, the enabling and disabling is actually based - on ip-address and port. This means that if you have multiple name-based - virtual hosts for the same host and port, and you enable it any one of - them, then it is enabled for all them (with that host and port). It also + on IP address and port. This means that if you have multiple name-based + virtual hosts for the same host and port, and you enable it for any one of + them, then it is enabled for all of them (with that host and port). It also means that if you attempt to enable the PROXY protocol in one and disable - in the other, that won't work; in such a case the last one wins and a + in the other, that won't work; in such a case, the last one wins and a notice will be logged indicating which setting was being overridden.

@@ -280,7 +280,7 @@ Listen 8080 RemoteIPProxyProtocolExceptions host|range [host|range] [host|range] server configvirtual host -RemoteIPProxyProtocolExceptions is only available in httpd 2.4.26 and newer +RemoteIPProxyProtocolExceptions is only available in httpd 2.4.28 and newer

The RemoteIPProxyProtocol directive enables or diff --git a/modules/metadata/mod_remoteip.c b/modules/metadata/mod_remoteip.c index 8cd8b40513..d9d62a9560 100644 --- a/modules/metadata/mod_remoteip.c +++ b/modules/metadata/mod_remoteip.c @@ -133,11 +133,10 @@ typedef struct { int version; ap_input_mode_t mode; apr_bucket_brigade *bb; - int peeking; int done; } remoteip_filter_context; -/** Holds the resolved proxy info for this connection and any addition +/** Holds the resolved proxy info for this connection and any additional configurable parameters */ typedef struct { @@ -309,13 +308,13 @@ static const char *proxylist_read(cmd_parms *cmd, void *cfg, return NULL; } -/** Similar apr_sockaddr_equal, except that it compares ports too. */ +/** Similar to apr_sockaddr_equal, except that it compares ports too. */ static int remoteip_sockaddr_equal(apr_sockaddr_t *addr1, apr_sockaddr_t *addr2) { return (addr1->port == addr2->port && apr_sockaddr_equal(addr1, addr2)); } -/** Similar remoteip_sockaddr_equal, except that it handles wildcard addresses +/** Similar to remoteip_sockaddr_equal, except that it handles wildcard addresses * and ports too. */ static int remoteip_sockaddr_compat(apr_sockaddr_t *addr1, apr_sockaddr_t *addr2) @@ -793,8 +792,7 @@ static remoteip_parse_status_t remoteip_process_v1_header(conn_rec *c, valid_addr_chars = "0123456789abcdefABCDEF:"; #else ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(03498) - "RemoteIPProxyProtocol: Unable to parse v6 address - APR is not compiled with IPv6 support", - word, hdr->v1.line); + "RemoteIPProxyProtocol: Unable to parse v6 address - APR is not compiled with IPv6 support"); return HDR_ERROR; #endif } 
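Review bot: In the `@@ -793,8 +792,7 @@` hunk of `mod_remoteip.c`, the corrected `ap_log_cerror` call in the `#else` branch still logs at `APLOG_ERR`, and the input that reaches it looks peer-driven. Presumably any v1 header naming the IPv6 family on a build without IPv6 support triggers it, though the `#if` test and the rest of `remoteip_process_v1_header` lie outside the hunk. If the listener is reachable by hosts other than the trusted proxy, each such connection adds one error-level line, so it is worth confirming that the level is intended. A short comment above the call would record the intent, e.g. `/* build lacks IPv6: reject TCP6 headers; message carries no peer-supplied text */`. Dropping the stray `word, hdr->v1.line` arguments instead of adding `%s` conversions keeps header bytes out of the log, which is the safer of the two fixes.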
@@ -1190,7 +1188,7 @@ static const command_rec remoteip_cmds[] = "The filename to read the list of internal proxies, " "see the RemoteIPInternalProxy directive"), AP_INIT_FLAG("RemoteIPProxyProtocol", remoteip_enable_proxy_protocol, NULL, - RSRC_CONF, "Enable PROXY protocol handling (`on', `off')"), + RSRC_CONF, "Enable PROXY protocol handling ('on', 'off')"), AP_INIT_TAKE_ARGV("RemoteIPProxyProtocolExceptions", remoteip_disable_networks, NULL, RSRC_CONF, "Disable PROXY " "protocol handling for this list of networks in CIDR format"), -- 2.40.0