On 2017-02-15 09:07 (-0600), William A Rowe Jr <wr...@rowe-clan.net> wrote:
> On Wed, Feb 15, 2017 at 9:02 AM, Sander Hoentjen <san...@hoentjen.eu> wrote:
> >
> > mod_remote ip has:
> > /* mod_proxy creates outgoing connections - we don't want those */
> > if (!remoteip_is_server_port(c->local_addr->port)) {
> > return DECLINED;
> > }
> > I am guessing something similar is needed for h2 connections?
>
> I suspect that the mod_remoteip logic is wrong, that it should be guarding
> against any subordinate connections and examining only explicitly configured
> ports / origin IPs. the PROXY protocol is not part of the HTTP protocol and
> incompatible with it, so the trust list logic isn't directly compatible (this
> is
> clearly explained in the PROXY pseudo-RFC.)
>
Hi, Bill. That is what the module is doing. The original authors wrote it to
have a list of virtual hosts it is explicitly enabled for and explicitly
disabled for. I added a third list for optional vhosts. In the pre_connection
hook, it checks to see if the connection's local_addr (which should normally be
the server's IP) is explicitly configured to enable PROXY handling. It then
checks to see if the local port is a server port.
Looking at the logs shared, 192.168.122.249:84 is the server IP:Port combo and
is also the local IP:Port from mod_h2. If h2 sets the master of this
connection, then we could skip the whole ordeal with this patch:
Index: modules/metadata/mod_remoteip.c
===================================================================
--- modules/metadata/mod_remoteip.c (revision 1781701)
+++ modules/metadata/mod_remoteip.c (working copy)
@@ -862,6 +862,10 @@
remoteip_conn_config_t *conn_conf;
int optional;
+ if (c->master != NULL) {
+ return DECLINED;
+ }
+
conf = ap_get_module_config(ap_server_conf->module_config,
&remoteip_module);
.. but I don't know if that potentially means we are looking at the wrong
connection.
Sander, would it be possible to try this out?
