Yes, great! Using Apache mod_remoteip with

    RemoteIPHeader X-Forwarded-For
    RemoteIPInternalProxy 10.0.200.0/24

on the 2nd proxy helped!

What also helped: telling the second Apache not to touch the headers with ProxyAddHeaders Off (Apache: available in version 2.3.10 and later).

Thanks for the help :)

cheers, bernhard

On 09 Jul 2015, at 05:04, Aristotle Pagaltzis <pagalt...@gmx.de> wrote:

> * Bernhard Bauch <ba...@zsi.at> [2015-07-08 16:50]:
>> surroundings: catalyst, psgi, starman, apache2.
>> but in our setup there are *two* apache2s doing reverse proxies before
>> the request reaches the starman server.
>>
>> so what happened:
>>
>> the http headers look like this (for catalyst)
>> X-FORWARDED-FOR: <clients-ip>, <proxy2-ip>
>> REQUEST_IP_ADDRESS: <proxy2-ip>
>>
>> what Plack::Middleware::ReverseProxy does is put the LAST ip in the
>> forwarded-for header into
>> $env->{REMOTE_ADDR}
>> which is actually not the IP of the client.
>> why is that happening ?
>
> Because any other IPs could be untrustworthy. The client could include
> an X-Forwarded-For header with bogus content, or there could be a proxy
> legitimately sitting between you and the ultimate client (e.g. a caching
> proxy run by the user’s ISP)… there are many scenarios.
>
>> shouldn't it take the first IP, so catalyst has access to the original
>> request's IP ?
>
> Absolutely not. It cannot know whether that IP is trustworthy.
>
>> my apache proxy configs look like this...
>> is there something wrong with the proxies' config ?
>
> IMO, yes.
>
> I think the correct solution here is to encode into your deployment
> infrastructure the knowledge that a) there are two proxies and b) that
> they are both trusted.
>
> Using the ReverseProxy means you have already told the app that the
> app-facing proxy exists and is trusted.
>
> But also telling it that the world-facing proxy exists and is trusted
> would IMO put too much knowledge about your specific infrastructure
> layout in the app.
>
> Instead you should tell the app-facing proxy that the world-facing
> proxy is trusted. That way the different parts of your infrastructure
> are more self-contained and independent.
>
> Unfortunately I don’t speak Apache very well any more but I *think* what
> you want is to load mod_remoteip on proxy 2 and then add something like
>
>     RemoteIPHeader X-Forwarded-For
>     RemoteIPInternalProxy 10.0.200.0/24
>
> to its config.
>
> Or maybe you have to configure proxy 2 to just leave X-Forwarded-For
> alone (which implicitly means it trusts whatever proxy 1 has put there).
> (No idea if that’s possible or how.)
>
> I can’t say what exactly will work but something along these lines would
> be my approach.
>
>> thanks for hints!
>> cheers, bernhard
>
> Hope this helps.
>
> Regards,
> --
> Aristotle Pagaltzis // <http://plasmasturm.org/>
>
> _______________________________________________
> List: Catalyst@lists.scsys.co.uk
> Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
> Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
> Dev site: http://dev.catalyst.perl.org/

--
Bernhard Bauch
Webdevelopment
ZSI-Zentrum für Soziale Innovation GmbH
Centre for Social Innovation
Linke Wienzeile 246, A-1150 Wien, Austria
Mail: ba...@zsi.at
Skype: berni-zsi
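The right-to-left trust walk Aristotle describes, which is also what RemoteIPInternalProxy performs, shown as an added Python example that is not part of the thread; it is placed next to the two naive choices (first IP, last IP) the thread argues about. The addresses 203.0.113.7, 10.0.200.1 and 10.0.200.2 are constructed stand-ins for the client, proxy 1 and proxy 2.

```python
import ipaddress

# Constructed stand-ins for the hosts in the thread (not from the original messages).
CLIENT, PROXY1, PROXY2 = "203.0.113.7", "10.0.200.1", "10.0.200.2"

def parse_xff(header):
    """Split an X-Forwarded-For value into its comma-separated hops (leftmost = oldest)."""
    return [h.strip() for h in (header or "").split(",") if h.strip()]

def first_hop(remote_addr, xff):
    """Naive 'take the first IP': trusts whatever the client itself put in the header."""
    hops = parse_xff(xff)
    return hops[0] if hops else remote_addr

def last_hop(remote_addr, xff):
    """What Plack::Middleware::ReverseProxy did in the thread: take the last IP."""
    hops = parse_xff(xff)
    return hops[-1] if hops else remote_addr

def trusted_client_ip(remote_addr, xff, trusted_nets):
    """Start from the peer that actually connected and walk X-Forwarded-For right to
    left, stepping only while the current candidate is a trusted proxy. The first
    address that is not a trusted proxy is the best-known client address."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    candidate = ipaddress.ip_address(remote_addr)
    hops = parse_xff(xff)
    while hops and any(candidate in n for n in nets):
        try:
            candidate = ipaddress.ip_address(hops.pop())
        except ValueError:
            break  # malformed hop: stop here, trust nothing to the left of it
    return str(candidate)

if __name__ == "__main__":
    # Header as the app sees it behind both proxies, with the client also
    # injecting a bogus leading entry of its own.
    xff = f"198.51.100.9, {CLIENT}, {PROXY1}"
    print(first_hop(PROXY2, xff))                             # 198.51.100.9 (spoofed)
    print(last_hop(PROXY2, xff))                              # 10.0.200.1 (a proxy)
    print(trusted_client_ip(PROXY2, xff, ["10.0.200.0/24"]))  # 203.0.113.7
    # Trusting only the app-facing proxy resolves to proxy 1, which is why
    # proxy 2 itself has to resolve the client before forwarding.
    print(trusted_client_ip(PROXY2, xff, ["10.0.200.2/32"]))  # 10.0.200.1
```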