You are confusing functionality. The remoteip evaluation happens after
the proxy protocol endpoints are identified. PROXY is a
connection-oriented change of the apparent request origin. The
remoteip behavior is a request-oriented change of the apparent origin,
and it can vary from request to request on the same connection.

Right now there is a proxy-specific blacklist to not expect nor
process PROXY headers from specific client IPs/subnets; this directive
has no effect on remoteip's trust list.

Next, we anticipate a proxy-specific whitelist to enable processing of
PROXY headers only from specific client IPs/subnets. It would still be
followed by the blacklist exclusions.

The net result is a binary decision of whether a PROXY header is or is
not expected, and therefore required. There was once an 'optional'
behavior, but we noted the ambiguity would lead to security concerns.

After the PROXY handling is complete, remoteip can further intervene,
request-by-request.


On Thu, Jan 11, 2018 at 10:56 PM, Marcin Giedz <marcin.gi...@arise.pl> wrote:
> Thx William, good to hear there are no API changes and module from trunk
> should fit to 2.4. The most important feature for me is actually one
> disabling PROXY mode for particular IPs - something I can not achieve with
> proxy_protocol external module
>
> M.
>
> ________________________________
> From: "William A Rowe Jr" <wr...@rowe-clan.net>
> To: "dev" <dev@httpd.apache.org>
> Sent: Friday, 12 January 2018 0:11:19
> Subject: Re: remoteip module - extended support in 2.4 branch
>
> Marcin,
>
> There are no required API changes; you should be able to drop in the trunk
> version of mod_remoteip.c and it should just compile. Or you can compile
> the trunk module with apxs -c
>
> There is one agreed/anticipated change, to enable PROXY protocol on a remote
> client IP basis (e.g. enable for proxy machines' IPs but not for other local
> traffic.) That should be the primary delta between what is in trunk and what
> will ship in 2.4.
>
> Other questions such as splitting this off into a mod_proxy_protocol module
> are up in the air, and shouldn't affect the module behavior.
>
>
> On Jan 11, 2018 10:33 AM, "Marcin Giedz" <marcin.gi...@arise.pl> wrote:
>
> Is there any timeline for this? Or should I build httpd myself from trunk?
>
> ________________________________
> From: "Eric Covener" <cove...@gmail.com>
> To: "dev" <dev@httpd.apache.org>
> Sent: Thursday, 11 January 2018 15:20:56
> Subject: Re: remoteip module - extended support in 2.4 branch
>
> On Thu, Jan 11, 2018 at 9:10 AM, Marcin Giedz <marcin.gi...@arise.pl> wrote:
>> Hi there, sent the same question to users list but seems like dev is rather
>> better place.
>>
>> In trunk version remoteip has been extended with some PROXY protocol
>> support. Are there any chances these changes will be backported to 2.4
>> branch ?
>
> There are chances, but there is some disagreement over how/where (part
> of remoteip or not is one dimension of it)
>
>
>
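
The two-stage evaluation described in the reply at the top of this message, as a simplified Python model added here; it is not httpd or mod_remoteip code. The allow list models the anticipated change rather than a shipped directive, and all networks, addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample policy (assumptions, not values from the thread).
PROXY_ENABLED = ["10.0.0.0/24"]      # anticipated allow list: peers that must send PROXY
PROXY_EXCEPTIONS = ["10.0.0.50/32"]  # exclusions, applied after the allow list
TRUSTED_PROXIES = ["203.0.113.0/24"] # remoteip trust list, a separate setting

def in_nets(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)

def proxy_header_required(peer_ip):
    """Connection level: a binary decision, with no 'optional' state."""
    return in_nets(peer_ip, PROXY_ENABLED) and not in_nets(peer_ip, PROXY_EXCEPTIONS)

def connection_client_ip(peer_ip, first_line):
    """Apparent origin of the connection; only PROXY v1 TCP4/TCP6 is modelled."""
    if not proxy_header_required(peer_ip):
        return peer_ip  # header not expected, so it is never parsed
    parts = first_line.rstrip(b"\r\n").split(b" ")
    try:
        if len(parts) != 6 or parts[0] != b"PROXY" or parts[1] not in (b"TCP4", b"TCP6"):
            raise ValueError("not a PROXY v1 line")
        return str(ipaddress.ip_address(parts[2].decode("ascii")))
    except ValueError as exc:  # required but absent or malformed: drop the connection
        raise ConnectionError("PROXY header required") from exc

def request_client_ip(conn_ip, x_forwarded_for):
    """Request level: consume X-Forwarded-For right to left while the current
    address is a trusted proxy; runs again for every request."""
    client = conn_ip
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    while hops and in_nets(client, TRUSTED_PROXIES):
        try:
            client = str(ipaddress.ip_address(hops[-1]))
        except ValueError:
            break  # unparseable entry: stop at the last address we could verify
        hops.pop()
    return client
```

Changing `PROXY_EXCEPTIONS` never alters what `request_client_ip` trusts, which is the separation between the PROXY exclusion list and remoteip's trust list that the reply describes.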
