diff options
Diffstat (limited to 'data/lighttpd/lighttpd-1.4.53/doc/outdated/extforward.txt')
| -rw-r--r-- | data/lighttpd/lighttpd-1.4.53/doc/outdated/extforward.txt | 105 |
1 files changed, 105 insertions, 0 deletions
diff --git a/data/lighttpd/lighttpd-1.4.53/doc/outdated/extforward.txt b/data/lighttpd/lighttpd-1.4.53/doc/outdated/extforward.txt new file mode 100644 index 000000000..3d0c57cd4 --- /dev/null +++ b/data/lighttpd/lighttpd-1.4.53/doc/outdated/extforward.txt @@ -0,0 +1,105 @@ +============== +mod_extforward +============== + +.. contents:: + +Overview +======== + +Comman Kang <comman.kang at gmail.com> sent me: :: + + Hello jan. + + I've made something rough but similar to mod_extract_forwarded for + Apache. This module will extract the client's "real" ip from + X-Forwarded-For header which is added by squid or other proxies. It might be + useful for servers behind reverse proxy servers. + + However, this module is causing segfault with mod_ssl or + $HTTP{''socket"} directive, crashing in config_check_cond while patching + connection , I do not understand architecture of the lighttpd well, does it + need to call patch_connection in either handle_request_done and + connection_reset ? + +Lionel Elie Mamane <lionel@mamane.lu> improved the patch: :: + + I've taken lighttpd-1.4.10-mod_extforward.c from the wiki and I've + extended it. Here is the result. + + Major changes: + + - IPv6 support + + - Fixed at least one segfault with SERVER['socket'] + + - Arrange things so that a url.access-deny under scope of a + HTTP['remoteip'] condition works well :) + + I've commented the code in some places, mostly where I wasn't sure + what was going on, or I didn't see what the original author meant to + do. + +Options +======= + +extforward.forwarder + Sets trust level of proxy IP's. + + Default: empty + + Example: :: + + extforward.forwarder = ("10.0.0.232" => "trust") + + will translate ip addresses coming from 10.0.0.232 to real ip addresses extracted from "X-Forwarded-For" or "Forwarded-For" HTTP request header. + +extforward.headers + Sets headers to search for finding the originl addresses. + + Example (for use with a Zeus ZXTM loadbalancer): :: + + extforward.headers = ("X-Cluster-Client-Ip") + + Default: empty, results in searching for "X-Forwarded-For" and "Forwarded-For" + +Note +======= + +The effect of this module is variable on $HTTP["remotip"] directives and other module's remote ip dependent actions. +Things done by modules before we change the remoteip or after we reset it will match on the proxy's IP. +Things done in between these two moments will match on the real client's IP. +The moment things are done by a module depends on in which hook it does things and within the same hook +on whether they are before/after us in the module loading order +(order in the server.modules directive in the config file). + +Tested behaviours: + + mod_access: Will match on the real client. + + mod_accesslog: + In order to see the "real" ip address in access log , + you'll have to load mod_extforward after mod_accesslog. + like this: :: + + server.modules = ( + ..... + mod_accesslog, + mod_extforward + ) + +Samples +======= + +Trust proxy 10.0.0.232 and 10.0.0.232 :: + + extforward.forwarder = ( + "10.0.0.232" => "trust", + "10.0.0.233" => "trust", + ) + +Trust all proxies (NOT RECOMMENDED!) :: + + extforward.forwarder = ( "all" => "trust") + +Note that "all" has precedence over specific entries, so "all except" setups will not work. |