mod_authz_host && mod_rpaf - incorrect work with IPv6 enabled

[Alex Keda]

problem - not work this:
order allow,deny
allow from ip 22.33.44.55 # My IP
deny from all
configuration - nginx frontend, apache2.2 backend, mod_rpaf for real IP

apache say: 403, if I go through nginx-proxy and answer 200 if directly
mod_rpaf work correct - in log - my IP, not server IP

google go to this page:
http://crashingdaily.wordpress.com/2008/10/22/apache-access-control-and-mod_rpaf/

fix:

srv2# cat /usr/ports/www/apache22/files/patch-mod_authz_host.c
--- ./modules/aaa/mod_authz_host.c.orig 2008-06-14 15:44:19.000000000 +0400
+++ ./modules/aaa/mod_authz_host.c      2011-04-07 16:46:03.000000000 +0400
@@ -214,6 +214,26 @@
     int gothost = 0;
     const char *remotehost = NULL;

+// added by lissyara 2011-04-07 in 16:13 MSK
+// see 
http://crashingdaily.wordpress.com/2008/10/22/apache-access-control-and-mod_rpaf/
+if (r->connection->remote_addr->sa.sin.sin_family == AF_INET) {
+       r->connection->remote_addr->sa.sin.sin_addr.s_addr = 
apr_inet_addr(r->connection->remote_ip);
+}
+else if (IN6_IS_ADDR_V4MAPPED((struct in6_addr 
*)r->connection->remote_addr->ipaddr_ptr)) {
+       // set mapped IPv4
+       ((apr_uint32_t *)r->connection->remote_addr->ipaddr_ptr)[0] = 0;
+       ((apr_uint32_t *)r->connection->remote_addr->ipaddr_ptr)[1] = 0;
+       ((apr_uint32_t *)r->connection->remote_addr->ipaddr_ptr)[2] = 
htonl (0xffff);
+       ((apr_uint32_t *)r->connection->remote_addr->ipaddr_ptr)[3] = 
inet_addr( r->connection->remote_ip );
+}
+else if (r->connection->remote_addr->sa.sin.sin_family == AF_INET6) {
+       // not sure if this will work !!!
+       inet_pton(AF_INET6, r->connection->remote_ip, ((struct 
sockaddr_in6*)&r->connection->remote_addr)->sin6_addr.s6_addr);
+}
+else {
+       ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, 
"Apache doesn't support this address family");
+}
+
     for (i = 0; i < a->nelts; ++i) {
         if (!(mmask & ap[i].limited)) {
             continue;
srv2#


may be not complete correct - I'm not programmer
_______________________________________________
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"