Hi all,
Recently I have had to deal with a number of modules that try to override
the r->connection->remote_ip value in order to use the IP address
originating from a load balancer, which obscures the real IP address
of the client.
All of these modules, including mod_remoteip in trunk, take a piece of
information from a request (a header value typically), and then copy
the value upstream to the parent connection, blowing away the real
value of the IP address.
This blown away IP address now becomes the IP address for all further
requests on the same connection, which, if they are coming from a load
balancer, are very unlikely to come from the same original client.
A request should not be making permanent changes to its parent
connection; even a temporary change with a cleanup to restore the
original value is an ugly hack.
Ideally there should be a value r->remote_ip, populated initially from
connection->remote_ip, which a request can change at will, and that
will go away when the request is finished. Modules that want to do
access control, etc. should rather look in r->remote_ip instead of
r->connection->remote_ip.
The change is simple enough, but changes a number of modules, so I
would like to make sure people agree with the approach before I go
ahead.
Any comments?
Regards,
Graham
--
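
The behaviour described in the message above, sketched as an added example (not code from the original post or from httpd). `conn_rec` and `request_rec` here are cut-down stand-ins, `r->remote_ip` is the proposed field, and the addresses and the header-less second request are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Cut-down stand-ins for httpd's structs (assumption: only the fields needed here). */
typedef struct { char remote_ip[46]; } conn_rec;
typedef struct {
    conn_rec *connection;
    char remote_ip[46];   /* proposed per-request value */
    const char *fwd;      /* client IP taken from a request header, or NULL */
} request_rec;

static void set_ip(char *dst, const char *src) { snprintf(dst, 46, "%s", src); }

/* A new request starts with a copy of its connection's address. */
static void begin_request(request_rec *r, conn_rec *c, const char *fwd) {
    r->connection = c;
    r->fwd = fwd;
    set_ip(r->remote_ip, c->remote_ip);
}

/* Pattern criticised in the post: the header value is copied up to the connection. */
static void override_on_connection(request_rec *r) {
    if (r->fwd) set_ip(r->connection->remote_ip, r->fwd);
}

/* Proposed pattern: the override lives and dies with the request. */
static void override_on_request(request_rec *r) {
    if (r->fwd) set_ip(r->remote_ip, r->fwd);
}

/* Address an access-control check sees for the SECOND request on one keepalive
 * connection. Request 1 carries a forwarded client IP; request 2 carries none. */
static const char *second_request_ip(int per_request) {
    static conn_rec c;
    static request_rec r1, r2;
    set_ip(c.remote_ip, "10.0.0.5");              /* constructed balancer address */
    begin_request(&r1, &c, "203.0.113.7");        /* constructed client address */
    if (per_request) override_on_request(&r1); else override_on_connection(&r1);
    begin_request(&r2, &c, NULL);
    if (per_request) override_on_request(&r2); else override_on_connection(&r2);
    return per_request ? r2.remote_ip : r2.connection->remote_ip;
}

int main(void) {
    printf("connection override: %s\n", second_request_ip(0)); /* stale client IP */
    printf("per-request override: %s\n", second_request_ip(1)); /* real peer IP */
    return 0;
}
```

With the connection-level override, the second request is evaluated against the first request's client address; with the per-request field it falls back to the actual peer address.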