[Bug 62220] RemoteIPInternalProxyList does not work after PROXY implementation
https://bz.apache.org/bugzilla/show_bug.cgi?id=62220 Christophe JAILLET changed: What|Removed |Added Status|NEW |RESOLVED Resolution|--- |FIXED --- Comment #19 from Christophe JAILLET --- This has been backported in 2.4.x in r1833070 This is part of 2.4.34 -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 62220] RemoteIPInternalProxyList does not work after PROXY implementation
https://bz.apache.org/bugzilla/show_bug.cgi?id=62220 --- Comment #18 from William A. Rowe Jr. --- So long as the ap_set_module_config(ap_server_conf->module_config, _module, config) bit was a no-op, we can proceed with this fix. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 62220] RemoteIPInternalProxyList does not work after PROXY implementation
https://bz.apache.org/bugzilla/show_bug.cgi?id=62220 --- Comment #17 from Yann Ylavic --- Looks like the main server config is created on LoadModule, so we should be safe here. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 62220] RemoteIPInternalProxyList does not work after PROXY implementation
https://bz.apache.org/bugzilla/show_bug.cgi?id=62220 --- Comment #16 from William A. Rowe Jr. --- Reviewing the proposed fix; https://svn.apache.org/viewvc/httpd/httpd/trunk/modules/metadata/mod_remoteip.c?r1=1832580=1832579=1832580 begs the question, the logic described in C14 above, "Also note that with the introduction of the PROXY filter, during early processing the server config loaded is the global config (ap_server_conf) and not the applicable physical vhost." ... does this ensure that filter still gets the global server config, and this does not introduce a crash-bug when PROXY handling is introduced for a specific vhost? I suspect a second half of that patch is needed during post-config to ensure the global is configured? -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 62220] RemoteIPInternalProxyList does not work after PROXY implementation
https://bz.apache.org/bugzilla/show_bug.cgi?id=62220 --- Comment #15 from Yann Ylavic --- (In reply to William A. Rowe Jr. from comment #14) > > Because these two directives run on exec (after preconfig, prior to other > directives), the scope is actually *server config*. Agreed on the scope, however EXEC_ON_READ happens *before* preconfig (from ap_read_config() in main.c, so before ap_run_pre_config() is called). This is why I removed the pre_config hook in trunk (and proposed as backport), it simply "cleared" all the EXEC_ON_READ work. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 62220] RemoteIPInternalProxyList does not work after PROXY implementation
https://bz.apache.org/bugzilla/show_bug.cgi?id=62220 --- Comment #14 from William A. Rowe Jr. --- [I'll note that in the discussion above "it doesn't work" wasn't particularly insightful - is this a crash-bug, or what specifically does not work?] Not a solution, but explaining what might be going on so that the underlying defect is fixed. First off, the docs are wrong; Syntax: RemoteIPInternalProxyList filename Syntax: RemoteIPTrustedProxyList filename Context: server config, virtual host Because these two directives run on exec (after preconfig, prior to other directives), the scope is actually *server config*. When I authored this module, the expectation was that RemoteIPTrustedProxyList would be some monster list, e.g. https://meta.wikimedia.org/wiki/XFF_project#Trusted_XFF_list so it was never envisioned that a specific machine would trust anything other than its physical traffic config (Internal) or some list that delays startup for a minute or more (unless pre-piped through logresolve for dns resolution). I suspect everyone reporting a defect has their list directive within some virtual host and expected that to be honored for the specific host. As it is, all of the named lists are cumulative to the global server config. Specific internal+proxy trust in a specific vhost config overrides global config - it doesn't supplement it. That could arguably be changed, given multi-tenant needs today. It could also be changed to merge a global list with the per-server list during the config merge, which makes far more sense than simply changing this behavior to ignore the global lists, unannounced. Now... going back to the reports above, the comment is the directive "does not work". We need to know if the lists directive causes a crash? Or the IP's listed in those list directives are ignored? If this is simply ignoring global trusted/internal List, note that every PROXY related directive now causes a virtual host config to come into existence. I have no explanation yet how the pre/post configs introduced to this module have impacted the creation of vhost configs and altered the behavior of the List directives, but that would be the starting point. Someone hitting such a behavior should be sharing a simple config example of how they encountered this, with relevant vhosts/remoteip directives. If this were a crash; this means that every affected server has a global config with perhaps nothing more than one or multiple trusted/internal lists, and (I am guessing) further config that affects only intended virtual hosts, but are undefined for the global host. Note the global config values are all initialized to 0/NULL, so any exception begins there. Someone hitting such a crash needs to share the backtrace, please; https://httpd.apache.org/dev/debugging.html#crashes Note that no flags were merged for PROXY protocol handling in the initial merge_remoteip_server_config(), leading to some likely confusion. Also note that with the introduction of the PROXY filter, during early processing the server config loaded is the global config (ap_server_conf) and not the applicable physical vhost. This may or may not be relevant. This code also introduces some interesting pre/post config side effects of by replacing default behavior. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 62220] RemoteIPInternalProxyList does not work after PROXY implementation
https://bz.apache.org/bugzilla/show_bug.cgi?id=62220 --- Comment #13 from Vincent Verloop --- Directadmin: Apache + Nginx reverse proxy configuration, has this issue. http://forum.directadmin.com/showthread.php?t=56159=287781#post287781 -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 62220] RemoteIPInternalProxyList does not work after PROXY implementation
https://bz.apache.org/bugzilla/show_bug.cgi?id=62220 --- Comment #12 from Dave--- Is there any news? Have you found the problem with smtalk? -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 62220] RemoteIPInternalProxyList does not work after PROXY implementation
https://bz.apache.org/bugzilla/show_bug.cgi?id=62220 Davechanged: What|Removed |Added CC|d.devr...@ospito.nl | -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 62220] RemoteIPInternalProxyList does not work after PROXY implementation
https://bz.apache.org/bugzilla/show_bug.cgi?id=62220 Davechanged: What|Removed |Added CC||d.devr...@ospito.nl -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 62220] RemoteIPInternalProxyList does not work after PROXY implementation
https://bz.apache.org/bugzilla/show_bug.cgi?id=62220 --- Comment #11 from smtalk--- Sent to christophe.jaillet@. Thank you! -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 62220] RemoteIPInternalProxyList does not work after PROXY implementation
https://bz.apache.org/bugzilla/show_bug.cgi?id=62220 --- Comment #10 from Christophe JAILLET--- I can not reproduce the issue with my test configuration. Moreover, RemoteIPInternalProxyList and RemoteIPInternalProxy are really similar. They should really behave the same. Could you please provide a reduced conf file in order to try to reproduce the issue? -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 62220] RemoteIPInternalProxyList does not work after PROXY implementation
https://bz.apache.org/bugzilla/show_bug.cgi?id=62220 Christophe JAILLETchanged: What|Removed |Added Attachment #35817|0 |1 is obsolete|| -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 62220] RemoteIPInternalProxyList does not work after PROXY implementation
https://bz.apache.org/bugzilla/show_bug.cgi?id=62220 --- Comment #9 from Dave--- We experience problems with Apache 2.4.33 on all servers. The same problem as smtalk. Do you have a solution? Can I test something? -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 62220] RemoteIPInternalProxyList does not work after PROXY implementation
https://bz.apache.org/bugzilla/show_bug.cgi?id=62220 --- Comment #8 from smtalk--- Any news on this? (do you need any further details?) -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 62220] RemoteIPInternalProxyList does not work after PROXY implementation
https://bz.apache.org/bugzilla/show_bug.cgi?id=62220 --- Comment #7 from smtalk--- 1) patch enables RemoteIPProxyProtocol by default: [Wed Mar 28 01:12:43.030981 2018] [remoteip:debug] [pid 14075] mod_remoteip.c(892): [client 185.38.149.80:40630] AH03503: RemoteIPProxyProtocol: enabled on connection to 185.38.149.80:8080 2) Setting it manually to off still skips the content of RemoteIPInternalProxyList. 3) Still nothing is logged with trace1. And yes, RemoteIPInternalProxy has no issue, with IP specified in config, while RemoteIPInternalProxyList does not work. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 62220] RemoteIPInternalProxyList does not work after PROXY implementation
https://bz.apache.org/bugzilla/show_bug.cgi?id=62220 --- Comment #6 from Christophe JAILLET--- s/by/but/ -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 62220] RemoteIPInternalProxyList does not work after PROXY implementation
https://bz.apache.org/bugzilla/show_bug.cgi?id=62220 --- Comment #5 from Christophe JAILLET--- Created attachment 35817 --> https://bz.apache.org/bugzilla/attachment.cgi?id=35817=edit Patch for test Could you please try the attached patch. It is just for testing. It could explain why you have an issue with 2.4.33, but would not explain why RemoteIPInternalProxyList does not work by RemoteIPInternalProxy does -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 62220] RemoteIPInternalProxyList does not work after PROXY implementation
https://bz.apache.org/bugzilla/show_bug.cgi?id=62220 --- Comment #4 from smtalk--- Yes, the file has the IP address. We got reports from many servers, they all got broken after update to 2.4.33. I compiled 2.4.33 with mod_remoteip.c from https://github.com/apache/httpd/commit/b6855504e3273a92bde4a21fb573582faf16e381#diff-982de0fd2ba316e125a0dd58de12e74b to make sure it's the one which broke everything, if I take mod_remoteip.c one commit back and compile 2.4.33 with it - everything works as expected. We clearly have a bug. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 62220] RemoteIPInternalProxyList does not work after PROXY implementation
https://bz.apache.org/bugzilla/show_bug.cgi?id=62220 --- Comment #3 from Christophe JAILLET--- Strange. Basically 'RemoteIPInternalProxyList' is just a convenient way to call 'RemoteIPInternalProxy'. I suppose that you have already checked 'file.lst' itself? -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 62220] RemoteIPInternalProxyList does not work after PROXY implementation
https://bz.apache.org/bugzilla/show_bug.cgi?id=62220 smtalkchanged: What|Removed |Added Status|NEEDINFO|NEW --- Comment #2 from smtalk --- Hm... Nothing seems to be there with it in error log. So, it returns nothing RemoteIPInternalProxyList. If I use "RemoteIPInternalProxy IP" instead of "RemoteIPInternalProxyList file.lst", then remoteip:trace1 logs the expected info. No info with just RemoteIPInternalProxyList file.lst. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 62220] RemoteIPInternalProxyList does not work after PROXY implementation
https://bz.apache.org/bugzilla/show_bug.cgi?id=62220 Christophe JAILLETchanged: What|Removed |Added Status|NEW |NEEDINFO --- Comment #1 from Christophe JAILLET --- Thanks for your report. Could you please provide logs with: LogLevel remoteip:trace1 (with the unmodified 2.4.33) -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org