Perhaps you're right but it really does what I want - at least on test . I did 
svn from trunk, complied this module and installed on latest 2.4.29. In my env 
we've got haproxy (pass-through) on the front side and then apaches terminating 
SSL. There is a need to record real IP address when client requests site. I was 
able to read this IP using mod_proxy_protocol but there was one downside of it 
- Proxy mode was enabled for entire virtual host without blacklisting e.g. 
local flow. Just a few days ago I was reading apache docs and accidentally 
switch to 2.5 page and found these two options: 

RemoteIPProxyProtocol On 

there was one mark saying - these are available in 2.4 starting from 2.4.28 
(afair) but... ended up with what you suggested and seems like got what I 
wanted. Does this make more sense ? 


Od: "William A Rowe Jr" <> 
Do: "dev" <> 
Wysłane: piątek, 12 styczeń 2018 19:11:42 
Temat: Re: remoteip module - extended support in 2.4 branch 

You are confusing functionality. the remoteip evaluation happens after 
the proxy protocol endpoints are identified. PROXY is a 
connection-oriented change of the apparent request origin. The 
remoteip behavior is a request-oriented change of the apparent origin, 
and it can vary from request to request on the same connection. 

Right now there is a proxy-specific blacklist to not expect nor 
process PROXY headers from specific client IPs/subnets, this directive 
has no effect on remoteip's trust list. 

Next, we anticipate a proxy-specific whitelist to enable processing of 
PROXY headers only from specific client IPs/subnets. It would still be 
followed by the blacklist exclusions. 

The net result is a binary decision of whether PROXY header is or is 
not expected, and therefore required. There was once an 'optional' 
behavior, but we noted the ambiguity would lead to security concerns. 

After the PROXY handling is complete, remoteip can further intervene, 

On Thu, Jan 11, 2018 at 10:56 PM, Marcin Giedz <> wrote: 
> Thx William, good to hear there are no API changes and module from trunk 
> should fit to 2.4 . The most important feature for me is actually one 
> disabling PROXY mode for particular IPs - something I can not achieve with 
> proxy_protocol external module 
> M. 
> ________________________________ 
> Od: "William A Rowe Jr" <> 
> Do: "dev" <> 
> Wysłane: piątek, 12 styczeń 2018 0:11:19 
> Temat: Re: remoteip module - extended support in 2.4 branch 
> Marcin, 
> There are no required API changes; you should be able to drop in the trunk 
> version of mod_remoteip.c and it should just compiler. Or you can compile 
> the trunk module with apxs -c 
> There is one agreed/anticipated change, to enable PROXY protocol on a remote 
> client IP basis (e.g. enable for proxy machines' IPs but not for other local 
> traffic.) That should be the primary delta between what is in trunk and what 
> will ship in 2.4. 
> Other questions such as splitting this off into a mod_proxy_protocol module 
> are up in the air, and shouldn't affect the module behavior. 
> On Jan 11, 2018 10:33 AM, "Marcin Giedz" <> wrote: 
> is there any timeline for this ? or I should build httpd myself from trunk ? 
> ________________________________ 
> Od: "Eric Covener" <> 
> Do: "dev" <> 
> Wysłane: czwartek, 11 styczeń 2018 15:20:56 
> Temat: Re: remoteip module - extended support in 2.4 branch 
> On Thu, Jan 11, 2018 at 9:10 AM, Marcin Giedz <> wrote: 
>> Hi there,sent the same question to users list but seems like dev is rather 
>> better place. 
>> In trunk version remoteip has been extended with some PROXY protocol 
>> support. Are there any chances these changes will be backported to 2.4 
>> branch ? 
> There are chances, but there is some disagreement over how/where (part 
> of remoteip or not is one dimension of it) 

Reply via email to