[Bug 62220] RemoteIPInternalProxyList does not work after PROXY implementation

2018-08-04 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=62220

Christophe JAILLET  changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution|--- |FIXED

--- Comment #19 from Christophe JAILLET  ---
This has been backported in 2.4.x in r1833070

This is part of 2.4.34

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org
For additional commands, e-mail: bugs-h...@httpd.apache.org



[Bug 62220] RemoteIPInternalProxyList does not work after PROXY implementation

2018-05-31 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=62220

--- Comment #18 from William A. Rowe Jr.  ---
So long as the ap_set_module_config(ap_server_conf->module_config,
&remoteip_module, config) bit was a no-op, we can proceed with this fix.




[Bug 62220] RemoteIPInternalProxyList does not work after PROXY implementation

2018-05-31 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=62220

--- Comment #17 from Yann Ylavic  ---
Looks like the main server config is created on LoadModule, so we should be
safe here.




[Bug 62220] RemoteIPInternalProxyList does not work after PROXY implementation

2018-05-31 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=62220

--- Comment #16 from William A. Rowe Jr.  ---
Reviewing the proposed fix;

https://svn.apache.org/viewvc/httpd/httpd/trunk/modules/metadata/mod_remoteip.c?r1=1832580&r2=1832579&pathrev=1832580

begs the question, the logic described in C14 above,

"Also note that with the introduction of the PROXY filter, during early
processing the server config loaded is the global config (ap_server_conf) and
not the applicable physical vhost."

... does this ensure that filter still gets the global server config, and this
does not introduce a crash-bug when PROXY handling is introduced for a specific
vhost? I suspect a second half of that patch is needed during post-config to
ensure the global is configured?




[Bug 62220] RemoteIPInternalProxyList does not work after PROXY implementation

2018-05-31 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=62220

--- Comment #15 from Yann Ylavic  ---
(In reply to William A. Rowe Jr. from comment #14)
> 
> Because these two directives run on exec (after preconfig, prior to other
> directives), the scope is actually *server config*.

Agreed on the scope, however EXEC_ON_READ happens *before* preconfig (from
ap_read_config() in main.c, so before ap_run_pre_config() is called).

This is why I removed the pre_config hook in trunk (and proposed as backport),
it simply "cleared" all the EXEC_ON_READ work.

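The ordering described in comment #15, as an added example that is not part of the thread and is not httpd code: a simplified model in which a list read at EXEC_ON_READ time is wiped by a later pre_config hook, so the proxy is no longer trusted and requests are attributed to the proxy's address instead of the forwarded client. The struct, function names and addresses are hypothetical; treating `RemoteIPInternalProxy` as processed after pre_config is an assumption that matches the reports in this thread.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PROXIES 8

/* Hypothetical stand-in for the module's server config; not httpd's struct. */
typedef struct {
    const char *internal[MAX_PROXIES];
    int count;
} model_conf;

static model_conf server_conf;

/* Shared by both directive models: remember one trusted internal proxy. */
static void add_internal(const char *ip)
{
    if (server_conf.count < MAX_PROXIES)
        server_conf.internal[server_conf.count++] = ip;
}

/* Models the pre_config hook: swap in a fresh, empty config. */
static void pre_config_hook(void) { memset(&server_conf, 0, sizeof server_conf); }

/* Startup order from comment #15: EXEC_ON_READ, then pre_config, then the
 * remaining directives. PROXY is a constructed sample address. */
static void startup(int has_pre_config_hook, int use_list_directive)
{
    static const char PROXY[] = "192.0.2.10";
    memset(&server_conf, 0, sizeof server_conf);
    if (use_list_directive) add_internal(PROXY);   /* ...ProxyList file.lst */
    if (has_pre_config_hook) pre_config_hook();
    if (!use_list_directive) add_internal(PROXY);  /* RemoteIPInternalProxy IP */
}

/* Address a request is attributed to: forwarded only if the peer is trusted. */
static const char *effective_client(const char *peer, const char *forwarded)
{
    for (int i = 0; i < server_conf.count; i++)
        if (strcmp(server_conf.internal[i], peer) == 0)
            return forwarded;
    return peer;
}

int main(void)
{
    for (int hook = 1; hook >= 0; hook--)
        for (int list = 1; list >= 0; list--) {
            startup(hook, list);
            printf("pre_config hook=%d list directive=%d -> client %s\n", hook, list,
                   effective_client("192.0.2.10", "203.0.113.7"));
        }
    return 0;
}
```

Only the combination of the hook and the list directive loses the trust entry, which is why access logs and IP-based access rules behind the proxy see the proxy's address in that case.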



[Bug 62220] RemoteIPInternalProxyList does not work after PROXY implementation

2018-05-31 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=62220

--- Comment #14 from William A. Rowe Jr.  ---
[I'll note that in the discussion above "it doesn't work" wasn't particularly
insightful - is this a crash-bug, or what specifically does not work?]

Not a solution, but explaining what might be going on so that the underlying
defect is fixed. First off, the docs are wrong;

Syntax: RemoteIPInternalProxyList filename
Syntax: RemoteIPTrustedProxyList filename
Context: server config, virtual host

Because these two directives run on exec (after preconfig, prior to other
directives), the scope is actually *server config*. When I authored this
module, the expectation was that RemoteIPTrustedProxyList would be some
monster list, e.g.

  https://meta.wikimedia.org/wiki/XFF_project#Trusted_XFF_list

so it was never envisioned that a specific machine would trust anything
other than its physical traffic config (Internal) or some list that delays
startup for a minute or more (unless pre-piped through logresolve for dns
resolution).

I suspect everyone reporting a defect has their list directive within some
virtual host and expected that to be honored for the specific host. As it
is, all of the named lists are cumulative to the global server config. Specific
internal+proxy trust in a specific vhost config overrides global config - it
doesn't supplement it.

That could arguably be changed, given multi-tenant needs today. It could
also be changed to merge a global list with the per-server list during the
config merge, which makes far more sense than simply changing this behavior to
ignore the global lists, unannounced.

Now... going back to the reports above, the comment is the directive "does not
work". We need to know if the lists directive causes a crash? Or the IPs
listed in those list directives are ignored?

If this is simply ignoring global trusted/internal List, note that every PROXY
related directive now causes a virtual host config to come into existence. I
have no explanation yet how the pre/post configs introduced to this module have
impacted the creation of vhost configs and altered the behavior of the List
directives, but that would be the starting point. Someone hitting such a
behavior should be sharing a simple config example of how they encountered
this, with relevant vhosts/remoteip directives.

If this were a crash; this means that every affected server has a global config
with perhaps nothing more than one or multiple trusted/internal lists, and (I
am guessing) further config that affects only intended virtual hosts, but are
undefined for the global host. Note the global config values are all
initialized to 0/NULL, so any exception begins there. Someone hitting such a
crash needs to share the backtrace, please;
https://httpd.apache.org/dev/debugging.html#crashes

Note that no flags were merged for PROXY protocol handling in the initial
merge_remoteip_server_config(), leading to some likely confusion. Also note
that with the introduction of the PROXY filter, during early processing the
server config loaded is the global config (ap_server_conf) and not the
applicable physical vhost. This may or may not be relevant. This code also
introduces some interesting pre/post config side effects by replacing
default behavior.




[Bug 62220] RemoteIPInternalProxyList does not work after PROXY implementation

2018-05-30 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=62220

--- Comment #13 from Vincent Verloop  ---
Directadmin: Apache + Nginx reverse proxy configuration, has this issue.

http://forum.directadmin.com/showthread.php?t=56159&p=287781#post287781




[Bug 62220] RemoteIPInternalProxyList does not work after PROXY implementation

2018-04-18 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=62220

--- Comment #12 from Dave  ---
Is there any news? Have you found the problem with smtalk?




[Bug 62220] RemoteIPInternalProxyList does not work after PROXY implementation

2018-04-09 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=62220

Dave  changed:

   What|Removed |Added

 CC|d.devr...@ospito.nl |




[Bug 62220] RemoteIPInternalProxyList does not work after PROXY implementation

2018-04-09 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=62220

Dave  changed:

   What|Removed |Added

 CC||d.devr...@ospito.nl




[Bug 62220] RemoteIPInternalProxyList does not work after PROXY implementation

2018-04-05 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=62220

--- Comment #11 from smtalk  ---
Sent to christophe.jaillet@. Thank you!




[Bug 62220] RemoteIPInternalProxyList does not work after PROXY implementation

2018-04-05 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=62220

--- Comment #10 from Christophe JAILLET  ---
I can not reproduce the issue with my test configuration.
Moreover, RemoteIPInternalProxyList and RemoteIPInternalProxy are really
similar. They should really behave the same.

Could you please provide a reduced conf file in order to try to reproduce the
issue?




[Bug 62220] RemoteIPInternalProxyList does not work after PROXY implementation

2018-04-05 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=62220

Christophe JAILLET  changed:

   What|Removed |Added

 Attachment #35817 is obsolete|0 |1




[Bug 62220] RemoteIPInternalProxyList does not work after PROXY implementation

2018-04-03 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=62220

--- Comment #9 from Dave  ---
We experience problems with Apache 2.4.33 on all servers. The same problem as
smtalk.

Do you have a solution? Can I test something?




[Bug 62220] RemoteIPInternalProxyList does not work after PROXY implementation

2018-04-03 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=62220

--- Comment #8 from smtalk  ---
Any news on this? (do you need any further details?)




[Bug 62220] RemoteIPInternalProxyList does not work after PROXY implementation

2018-03-27 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=62220

--- Comment #7 from smtalk  ---
1) patch enables RemoteIPProxyProtocol by default:
[Wed Mar 28 01:12:43.030981 2018] [remoteip:debug] [pid 14075]
mod_remoteip.c(892): [client 185.38.149.80:40630] AH03503:
RemoteIPProxyProtocol: enabled on connection to 185.38.149.80:8080

2) Setting it manually to off still skips the content of
RemoteIPInternalProxyList.

3) Still nothing is logged with trace1.

And yes, RemoteIPInternalProxy has no issue, with IP specified in config, while
RemoteIPInternalProxyList does not work.




[Bug 62220] RemoteIPInternalProxyList does not work after PROXY implementation

2018-03-27 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=62220

--- Comment #6 from Christophe JAILLET  ---
s/by/but/




[Bug 62220] RemoteIPInternalProxyList does not work after PROXY implementation

2018-03-27 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=62220

--- Comment #5 from Christophe JAILLET  ---
Created attachment 35817
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=35817&action=edit
Patch for test

Could you please try the attached patch.
It is just for testing.

It could explain why you have an issue with 2.4.33, but would not explain why
RemoteIPInternalProxyList does not work by RemoteIPInternalProxy does




[Bug 62220] RemoteIPInternalProxyList does not work after PROXY implementation

2018-03-27 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=62220

--- Comment #4 from smtalk  ---
Yes, the file has the IP address. We got reports from many servers, they all
got broken after update to 2.4.33. I compiled 2.4.33 with mod_remoteip.c from
https://github.com/apache/httpd/commit/b6855504e3273a92bde4a21fb573582faf16e381#diff-982de0fd2ba316e125a0dd58de12e74b
to make sure it's the one which broke everything, if I take mod_remoteip.c one
commit back and compile 2.4.33 with it - everything works as expected. We
clearly have a bug.




[Bug 62220] RemoteIPInternalProxyList does not work after PROXY implementation

2018-03-27 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=62220

--- Comment #3 from Christophe JAILLET  ---
Strange.
Basically 'RemoteIPInternalProxyList' is just a convenient way to call
'RemoteIPInternalProxy'.

I suppose that you have already checked 'file.lst' itself?




[Bug 62220] RemoteIPInternalProxyList does not work after PROXY implementation

2018-03-27 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=62220

smtalk  changed:

   What|Removed |Added

 Status|NEEDINFO|NEW

--- Comment #2 from smtalk  ---
Hm... Nothing seems to be there with it in error log.

So, it returns nothing RemoteIPInternalProxyList. If I use
"RemoteIPInternalProxy IP" instead of "RemoteIPInternalProxyList file.lst",
then remoteip:trace1 logs the expected info. No info with just
RemoteIPInternalProxyList file.lst.




[Bug 62220] RemoteIPInternalProxyList does not work after PROXY implementation

2018-03-27 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=62220

Christophe JAILLET  changed:

   What|Removed |Added

 Status|NEW |NEEDINFO

--- Comment #1 from Christophe JAILLET  ---
Thanks for your report.

Could you please provide logs with:
   LogLevel remoteip:trace1
(with the unmodified 2.4.33)
