Bug#697644: closed by Sergey B Kirpichev skirpic...@gmail.com (Re: apache2-mod-rpaf: failure to work with authz allow/deny should be documented)
Sorry, I didn't see your response.

I have an nginx proxy on a separate server passing requests to apache. I am not using ipv6. Rpaf works, in as much as the logs show the original client ip addresses. But when I try to use allow/deny directives from an .htaccess file, referencing either domain names or ip addresses, they are not honored. All proxied requests are treated as though they come from the proxy host.

I tested this by allowing access, in the apache config, only to the proxy host, verified that requests were denied when connecting directly to the apache server, and observed that proxied requests were always allowed (they should never be if rpaf works).

Rpaf runs before access, so it seems like rpaf doesn't do whatever is necessary for access to see the client ip.

I was able to make my configuration work by replacing rpaf with a backported version of remoteip. I've moved on, so I don't have a test config still lying around.

Googling around, there are lots of confusing discussions about this issue, and I wasted a lot of time trying to make rpaf work. I saw, for instance, the discussion of the ipv6 bug report, which makes it seem like this problem was fixed.

John
Bug#697644: closed by Sergey B Kirpichev skirpic...@gmail.com (Re: apache2-mod-rpaf: failure to work with authz allow/deny should be documented)
On Wed, Feb 06, 2013 at 10:57:50AM -0500, John Bazik wrote:
> I have an nginx proxy on a separate server passing requests to apache. I am not using ipv6. Rpaf works, in as much as the logs show the original client ip addresses. But when I try to use allow/deny directives from an .htaccess file, referencing either domain names or ip addresses, they are not honored. All proxied requests are treated as though they come from the proxy host.

Sorry, I can't reproduce this mess. For me, it works. Either send more info (examples of your allow/deny directives, enabled apache modules) - or wait until someone is able to reproduce this.

An example, nginx.conf:

--8<--
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_pass_header Server;

    upstream backend {
        server 127.0.0.1:40080;
    }

    server {
        listen 80;
        location / {
            proxy_pass http://backend;
        }
    }
--8<--

rpaf.conf:

    <IfModule rpaf_module>
        RPAFenable On
        RPAFsethostname On
        RPAFproxy_ips 127.0.0.1
    </IfModule>

status.conf:

    <Location /server-status>
        <IfModule mod_rewrite.c>
            RewriteEngine off
        </IfModule>
        SetHandler server-status
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
        # It works. I can disable this to disallow access:
        Allow from 111.222.333.444
        Allow from 192.168.2.0/24
    </Location>

> Rpaf runs before access, so it seems like rpaf doesn't do whatever is necessary for access to see the client ip.

Or you do something wrong. I didn't see your configuration, I can't tell.

> Googling around, there are lots of confusing discussions

For example?

> I saw, for instance, the discussion of the ipv6 bug report, which makes it seem like this problem was fixed.

This patch was dropped some time ago (after Squeeze) by QA upload. Anyway, this issue was fixed in 0.5-3+squeeze1.
Bug#697644: closed by Sergey B Kirpichev skirpic...@gmail.com (Re: apache2-mod-rpaf: failure to work with authz allow/deny should be documented)
/etc/nginx/sites-enabled/default:

    server {
        listen 80;
        root /usr/share/nginx/www;
        location / {
            proxy_pass http://[apache-host]/;
            proxy_redirect off;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
        }
    }

/etc/apache2/mods-enabled/rpaf.conf:

    <IfModule rpaf_module>
        RPAFenable On
        RPAFsethostname On
        RPAFproxy_ips [nginx-ip]
        RPAFheader X-Real-IP
    </IfModule>

/etc/apache2/sites-enabled/000-default:

    <VirtualHost *:80>
        DocumentRoot /var/www
        <Directory />
            Options FollowSymLinks
            AllowOverride None
        </Directory>
        <Directory /var/www/>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Order allow,deny
            allow from [nginx-ip]
        </Directory>
    </VirtualHost>

In the above case, I should get a deny from any host except [nginx-host]. Instead, proxied requests are allowed. In the apache log, it shows the original client ip and 200 success.

If I change the apache config

    allow from [nginx-ip]

to

    allow from [client-ip]

then direct requests are allowed, and proxied requests are denied.

Note that I have separate servers. I never tried this with both servers on the same host. Perhaps that has something to do with it.

John
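
Added example, not part of the thread and not code from mod_rpaf or mod_remoteip: a simplified Python model of the decision being tested above, namely which address an allow/deny check should evaluate when a listed proxy forwards X-Real-IP. The addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample addresses (documentation ranges), standing in for the
# thread's [nginx-ip], [client-ip] and an unrelated host.
NGINX, CLIENT, OTHER = "192.0.2.10", "198.51.100.7", "203.0.113.5"

def effective_client_ip(peer_ip, headers, trusted_proxies, header="X-Real-IP"):
    """Return the address that access control should evaluate.

    The header is honoured only when the TCP peer is a listed proxy;
    otherwise any client could claim an allowed address for itself.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(p) for p in trusted_proxies):
        return peer
    # With a comma-separated list, the last entry is the one the proxy added.
    value = headers.get(header, "").split(",")[-1].strip()
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return peer  # missing or malformed header: fall back to the peer

def allowed(client_ip, allow_from):
    """Model of 'Order allow,deny' with only Allow lines: default deny."""
    return any(client_ip in ipaddress.ip_network(n) for n in allow_from)

def check(peer_ip, headers, allow_from, trusted=(NGINX,)):
    return allowed(effective_client_ip(peer_ip, headers, trusted), allow_from)

def thread_scenarios():
    """Expected results for the tests described in the thread."""
    via_proxy = {"X-Real-IP": CLIENT}
    return {
        # 'allow from [nginx-ip]': a proxied client must be denied.
        "proxied_allow_nginx": check(NGINX, via_proxy, [NGINX]),
        # 'allow from [client-ip]': proxied and direct client are allowed.
        "proxied_allow_client": check(NGINX, via_proxy, [CLIENT]),
        "direct_allow_client": check(CLIENT, {}, [CLIENT]),
        # Header sent by a host that is not a listed proxy is ignored.
        "spoofed_header": check(OTHER, {"X-Real-IP": CLIENT}, [CLIENT]),
    }

if __name__ == "__main__":
    for name, result in thread_scenarios().items():
        print(f"{name}: {'allow' if result else 'deny'}")
```

A setup whose results for the first two scenarios are the reverse of these is evaluating the proxy's address rather than the forwarded client address.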