https://bz.apache.org/bugzilla/show_bug.cgi?id=62220
--- Comment #14 from William A. Rowe Jr. <[email protected]> ---

[I'll note that in the discussion above "it doesn't work" wasn't particularly insightful - is this a crash-bug, or what specifically does not work?]

Not a solution, but explaining what might be going on so that the underlying defect is fixed.

First off, the docs are wrong;

  Syntax: RemoteIPInternalProxyList filename
  Syntax: RemoteIPTrustedProxyList filename
  Context: server config, virtual host

Because these two directives run on exec (after preconfig, prior to other directives), the scope is actually *server config*.

When I authored this module, the expectation was that RemoteIPTrustedProxyList would be some monster list, e.g. https://meta.wikimedia.org/wiki/XFF_project#Trusted_XFF_list so it was never envisioned that a specific machine would trust anything other than its physical traffic config (Internal) or some list that delays startup for a minute or more (unless pre-piped through logresolve for dns resolution).

I suspect everyone reporting a defect has their list directive within some virtual host and expected that to be honored for the specific host. As it is, all of the named lists are cumulative to the global server config. Specific internal+proxy trust in a specific vhost config overrides global config - it doesn't supplement it.

That could arguably be changed, given multi-tenant needs today. It could also be changed to merge a global list with the per-server list during the config merge, which makes far more sense than simply changing this behavior to ignore the global lists, unannounced.

Now... going back to the reports above, the comment is the directive "does not work". We need to know if the lists directive causes a crash? Or the IPs listed in those list directives are ignored?

If this is simply ignoring global trusted/internal List, note that every PROXY related directive now causes a virtual host config to come into existence.
I have no explanation yet how the pre/post configs introduced to this module have impacted the creation of vhost configs and altered the behavior of the List directives, but that would be the starting point. Someone hitting such a behavior should be sharing a simple config example of how they encountered this, with relevant vhosts/remoteip directives.

If this were a crash, this means that every affected server has a global config with perhaps nothing more than one or multiple trusted/internal lists, and (I am guessing) further config that affects only intended virtual hosts, but are undefined for the global host. Note the global config values are all initialized to 0/NULL, so any exception begins there. Someone hitting such a crash needs to share the backtrace, please; https://httpd.apache.org/dev/debugging.html#crashes

Note that no flags were merged for PROXY protocol handling in the initial merge_remoteip_server_config(), leading to some likely confusion.

Also note that with the introduction of the PROXY filter, during early processing the server config loaded is the global config (ap_server_conf) and not the applicable physical vhost. This may or may not be relevant. This code also introduces some interesting pre/post config side effects by replacing default behavior.
