Aye, I had originally added the support for PROXY in remoteip since... well...
it's used to extract remote IP info. The funny part is that I had committed my
additions within an hour of the third party code being donated and incorporated
without realizing it... so I removed my changes and added this code into
remoteip with some small fixes.

I'm a bit confused. I don't recall so much opposition to this being in
remoteip. It seems reasonable to me since it's just another way to get remote
client IP information from the connection versus an HTTP header. Worth pointing
out is that it can be argued that both are operating at layer 7 since there
doesn't seem to be universal agreement as to whether TLS is layer 6 or 7... one
method of IP extraction just happens to be layer 7 data that precedes TLS while
the other is layer 7 data wrapped in TLS inside an HTTP request. Academic
discussion of OSI layers aside, it still feels "right" to me as a user and
server admin to expect mod_remoteip to be the one place I would go to enable
extraction of remote IP info. I'm not exactly firm on this... I would rather
just see the functionality in the server... but hopefully that at least
clarifies how we wound up in this neighborhood to begin with.

As for the whitelist/blacklist thoughts, I don't completely follow the
preference for enabling specific ranges and also having a blacklist rather than
the current "enable for everything except these ranges". Bill, can you add a
bit more color here? We're probably closer in thought process than not... I
just can't connect the dots. To my knowledge, we are the only server even
evaluating something more than just on or off... which I think is pretty cool
and a sign of innovation.

Personally, I want to see this in the server... It appears we have either
silent opposition to the patch or just a lack of interest from other
committers, so I appreciate that Stefan is pointing these things out. I *hope*
I can spend some time on it in the coming weeks, but I've been poking at this
particular patch for about a year now and have a short attention span.
Hopefully enough feedback and work can be done soon to get *someone*
comfortable enough for another +1.

On December 13, 2017 6:19:43 AM CST, William A Rowe Jr <wr...@rowe-clan.net> wrote:
>On Wed, Dec 13, 2017 at 6:17 AM, Jim Jagielski <j...@jagunet.com> wrote:
>> On Dec 13, 2017, at 1:02 AM, Jordan Gigov <colad...@gmail.com> wrote:
>> On 12 December 2017 at 11:32, Stefan Eissing
>>> Fellow Apache developers: if we want to make an X-mas 2.4 release
>>> people on this planet, the backports in STATUS need your attention:
>>> B2: mod_remoteip: Add PROXY protocol support
>>> - needs 1 more vote!
>> I find that trying to have both Proxy Protocol and the old remoteip
>> functionality in the same mod is harder to maintain. I propose that
>> split up before an official release.
>> IIRC, that was the way it was. OtherBill wanted the functionality
>> in mod_remoteip.
>Oh, no, you most definitely mis-remember. It was presented as a
>addition from the get-go.