Hi, I have a slightly off-topic inquiry. I've googled/RTFMed. I run mod_perl in a reverse proxy setup. Light apache in the front-end, heavy mod_perl apache in the back-end, both running on the same machine.

The front-end has the following reverse proxy directives:

    ProxyPass /perl/ http://localhost:8103/perl/
    ProxyPassReverse /perl/ http://localhost:8103/perl/

Due to the reverse proxy setup, the original client IP is lost and all IPs are reported as 127.0.0.1 (front-end). To extract the client's original IP I was happy to learn that mod_proxy conveniently adds an X-Forwarded-For header to the proxied requests automatically. On the back-end, I use:

    PerlPostReadRequestHandler My::ProxyRemoteAddr

where My::ProxyRemoteAddr has code identical to http://perl.apache.org/docs/1.0/guide/scenario.html#Usage except for some minor mp2 migrations.

    sub My::ProxyRemoteAddr ($) {
        my $r = shift;

        # we'll only look at the X-Forwarded-For header if the request
        # comes from our proxy at localhost
        return Apache::OK
            unless ($r->connection->remote_ip =~ m#^(127\.0\.0\.1|localhost\.localdomain)$#)
                and $r->header_in('X-Forwarded-For');

        # Select last value in the chain -- original client's ip
        if( my( $ip ) = $r->headers_in->{'X-Forwarded-For'} =~ /([^,\s]+)$/ ) {
            $r->connection->remote_ip($ip);
            $r->log_error("Recorded client IP from X-Forwarded-For header: ",
                          $r->headers_in->{'X-Forwarded-For'},
                          " as IP: ", $ip);
        }

        return Apache::OK;
    }

Everything is hunky dory. The back-end access_log has the client's IP address and the application sees the correct address as well.

Here's the twist: To secure the back-end, direct access to the back-end is prohibited. The back-end config has the following directive to only allow proxied requests to come through:

    <Location />
        order deny,allow
        deny from all
        allow from localhost 127.0.0.1
    </Location>

If I keep this directive in the back-end config, the client's original IP never makes it to the access_log. The application does however get the correct IP address.

    apache 2.0.47
    mod_perl 1.99_09
    perl 5.8.0

Anyone else experienced the same? Needless to say, I would like to keep the site secure, as well as maintain the client's original IP in the logs.

On second thought, this looks more and more like an apache issue.

--
Haroon Rafique <[EMAIL PROTECTED]>
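
Added example, not part of the original post and not code from the poster or the mod_perl guide: the trust decision the handler above makes, as a stand-alone Perl script that also validates the extracted value before it would be recorded. The names effective_client_ip, is_ipv4 and %TRUSTED_PROXY and all sample addresses are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Peers allowed to supply X-Forwarded-For (assumption: only the local front-end).
my %TRUSTED_PROXY = map { $_ => 1 } ('127.0.0.1');

# Strict dotted-quad check, so a malformed header value is never recorded as an IP.
sub is_ipv4 {
    my ($s) = @_;
    return 0 unless defined $s
        && $s =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/;
    return 0 if grep { $_ > 255 } ($1, $2, $3, $4);
    return 1;
}

# Address to record for a request: the last X-Forwarded-For entry when the
# peer is a trusted proxy and that entry is a valid IP, otherwise the peer.
sub effective_client_ip {
    my ($peer_ip, $xff) = @_;
    return $peer_ip unless $TRUSTED_PROXY{$peer_ip};
    return $peer_ip unless defined $xff && length $xff;

    # mod_proxy appends the address it saw, so only the last entry was
    # written by our own front-end; earlier entries are client-supplied.
    my @chain = split /\s*,\s*/, $xff;
    my $last  = $chain[-1];
    return $peer_ip unless defined $last;
    $last =~ s/\A\s+|\s+\z//g;
    return is_ipv4($last) ? $last : $peer_ip;
}

# Constructed sample requests: [ peer address, X-Forwarded-For header ]
my @cases = (
    [ '127.0.0.1',    '203.0.113.7' ],            # normal proxied request
    [ '127.0.0.1',    '10.9.9.9, 203.0.113.7' ],  # client sent its own entry first
    [ '198.51.100.4', '203.0.113.7' ],            # direct hit on back-end: header ignored
    [ '127.0.0.1',    '203.0.113.7 not-an-ip' ],  # /([^,\s]+)$/ would yield "not-an-ip"
    [ '127.0.0.1',    undef ],                    # no header at all
);

for my $c (@cases) {
    my ($peer, $xff) = @$c;
    printf "%-13s %-24s -> %s\n",
        $peer, defined $xff ? $xff : '(none)', effective_client_ip($peer, $xff);
}
```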