Bug#697644: closed by Sergey B Kirpichev skirpic...@gmail.com (Re: apache2-mod-rpaf: failure to work with authz allow/deny should be documented)

2013-02-06 Thread John Bazik
Sorry, I didn't see your response.

I have an nginx proxy on a separate server passing requests to apache.
I am not using ipv6.  Rpaf works, in as much as the logs show the original
client ip addresses.  But when I try to use allow/deny directives from
an .htaccess file, referencing either domain names or ip addresses, they
are not honored.  All proxied requests are treated as though they come
from the proxy host.

I tested this by allowing access, in the apache config, only to the proxy
host, verified that requests were denied when connecting directly to the
apache server, and observed that proxied requests were always allowed
(they should never be if rpaf works).

Rpaf runs before access, so it seems like rpaf doesn't do whatever
is necessary for access to see the client ip.  I was able to make
my configuration work by replacing rpaf with a backported version of
remoteip.  I've moved on, so I don't have a test config still lying
around.

Googling around, there are lots of confusing discussions about this
issue, and I wasted a lot of time trying to make rpaf work.  I saw,
for instance, the discussion of the ipv6 bug report, which makes it seem
like this problem was fixed.

John


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org




2013-02-06 Thread Sergey B Kirpichev
On Wed, Feb 06, 2013 at 10:57:50AM -0500, John Bazik wrote:
> I have an nginx proxy on a separate server passing requests to apache.
> I am not using ipv6.  Rpaf works, in as much as the logs show the original
> client ip addresses.  But when I try to use allow/deny directives from
> an .htaccess file, referencing either domain names or ip addresses, they
> are not honored.  All proxied requests are treated as though they come
> from the proxy host.

Sorry, I can't reproduce this mess.  For me, it works.  Either send
more info (examples of your allow/deny directives, enabled apache
modules) - or wait until someone is able to reproduce this.

An example, nginx.conf:
--8--
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_pass_header Server;
upstream backend {
    server 127.0.0.1:40080;
}
server {
    listen 80;

    location / {
        proxy_pass http://backend;
    }
}
--8--

rpaf.conf:
<IfModule rpaf_module>
    RPAFenable On
    RPAFsethostname On
    RPAFproxy_ips 127.0.0.1
</IfModule>

status.conf:
<Location /server-status>
    <IfModule mod_rewrite.c>
        RewriteEngine off
    </IfModule>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    # It works.  I can disable this to disallow access:
    Allow from 111.222.333.444
    Allow from 192.168.2.0/24
</Location>

> Rpaf runs before access, so it seems like rpaf doesn't do whatever
> is necessary for access to see the client ip.

Or you do something wrong.  I didn't see your configuration, I can't
tell.

> Googling around, there are lots of confusing discussions

For example?

> I saw, for instance, the discussion of the ipv6 bug report,
> which makes it seem like this problem was fixed.

This patch was dropped some time ago (after Squeeze) by QA upload.  Anyway,
this issue was fixed in 0.5-3+squeeze1.



2013-02-06 Thread John Bazik
/etc/nginx/sites-enabled/default:

server {
    listen   80;

    root /usr/share/nginx/www;

    location / {
        proxy_pass http://[apache-host]/;
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
    }
}

/etc/apache2/mods-enabled/rpaf.conf:

<IfModule rpaf_module>
    RPAFenable On
    RPAFsethostname On
    RPAFproxy_ips [nginx-ip]
    RPAFheader X-Real-IP
</IfModule>

/etc/apache2/sites-enabled/000-default:

<VirtualHost *:80>
    DocumentRoot /var/www
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from [nginx-ip]
    </Directory>
</VirtualHost>

In the above case, I should get a deny from any host except [nginx-host].
Instead, proxied requests are allowed.  In the apache log, it shows the
original client ip and 200 success.

If I change the apache config

allow from [nginx-ip]
to
allow from [client-ip]

then direct requests are allowed, and proxied requests are denied.

Note that I have separate servers.  I never tried this with both servers
on the same host.  Perhaps that has something to do with it.

John


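
The question this thread turns on is which address the Order/Allow/Deny check evaluates: the TCP peer or the address taken from the proxy's header. The following is an added example, not code from mod_rpaf, mod_authz_host or either poster; it models both cases for the 000-default rules above. NGINX_IP and CLIENT_IP are constructed stand-ins for [nginx-ip] and [client-ip], and every function name is hypothetical.

```python
import ipaddress

NGINX_IP, CLIENT_IP = "192.0.2.10", "203.0.113.7"  # constructed stand-ins

def effective_ip(peer_ip, headers, trusted_proxies, header="X-Real-IP"):
    """Address authz should evaluate: the header value, but only when the
    TCP peer is a listed proxy (the role RPAFproxy_ips plays)."""
    peer = ipaddress.ip_address(peer_ip)
    if any(peer in ipaddress.ip_network(p) for p in trusted_proxies):
        # Model choice: take the last entry, the one the trusted proxy wrote.
        value = headers.get(header, "").split(",")[-1].strip()
        try:
            return str(ipaddress.ip_address(value))
        except ValueError:
            pass  # header missing or malformed: keep the peer address
    return peer_ip

def _matches(ip, specs):
    addr = ipaddress.ip_address(ip)
    return any(s == "all" or addr in ipaddress.ip_network(s, strict=False)
               for s in specs)

def authz(ip, order, allow=(), deny=()):
    """Apache 2.2 Order semantics for address-based Allow/Deny."""
    allowed, denied = _matches(ip, allow), _matches(ip, deny)
    if order == "allow,deny":   # default deny; a Deny match beats Allow
        return allowed and not denied
    if order == "deny,allow":   # default allow; an Allow match beats Deny
        return allowed or not denied
    raise ValueError(f"unknown Order: {order}")

def decide(peer_ip, headers, allow, rewrite_before_authz=True):
    """'Order allow,deny' + 'allow from <allow>' as in the 000-default above."""
    ip = peer_ip
    if rewrite_before_authz:
        ip = effective_ip(peer_ip, headers, [NGINX_IP])
    return authz(ip, "allow,deny", allow=allow)

if __name__ == "__main__":
    proxied = {"X-Real-IP": CLIENT_IP}
    for rewrite in (True, False):
        print("authz sees rewritten address:", rewrite)
        print("  allow from [nginx-ip], proxied  ->",
              decide(NGINX_IP, proxied, [NGINX_IP], rewrite))
        print("  allow from [client-ip], proxied ->",
              decide(NGINX_IP, proxied, [CLIENT_IP], rewrite))
    # A direct request carrying a forged header is not from a listed proxy.
    print("direct, forged header ->",
          decide(CLIENT_IP, {"X-Real-IP": NGINX_IP}, [NGINX_IP]))
```

The rows printed with the rewrite disabled match the results reported in the last message (proxied requests allowed under "allow from [nginx-ip]", denied under "allow from [client-ip]"); the rows with it enabled are the outcome that message expected.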