mod_rpaf

Started by Sob, September 11, 2010, 06:34:25 PM


Sob

I have one tip for a useful module for your collection on the download page - mod_rpaf.

When I needed to share one IP address for multiple physical webservers, it was easily solved using a proxy/load balancer. But I just hated the loss of real client addresses visible to webservers. Everything had the proxy address as source. I could get the real addresses from the X-Forwarded-For header in PHP, but that wasn't a solution for other things like mod_geoip or httpd logs. "Someone must have already solved this" I thought, and I was right.

Source can be found at http://stderr.net/apache/rpaf/

And compilation is quick and easy:

cl.exe /MD /W3 /O2 /D WIN32 /D NDEBUG -I"c:\Apache22\include" -c mod_rpaf-2.0.c
link.exe /dll /machine:AMD64 /OUT:mod_rpaf.so /libpath:"c:\Apache22\lib" mod_rpaf-2.0.obj libapr-1.lib libhttpd.lib ws2_32.lib


I used the 32-bit version without any problems for about six months and now the 64-bit version for about two weeks.

I wasn't able to find a Windows x64 binary anywhere; Apache Haus can be first if you want. :)

Gregg

I'm game, I'm just trying to understand how to configure it since I will have to show a sample config in the readme to put with it, over and above what I'm seeing on that page.

I guess I could play with a win32 build with one domain since I do have the Atom with 2.3.8 on it exposed, as well as my server. Unfortunately I would want to use it as the front end and I have had no luck getting any 3rd party module to load on the alpha.

@Mario, thoughts?

Sob

You just load the module into the backend server and configuration is very easy:

RPAFenable On/Off - No description necessary.
RPAFproxy_ips a.a.a.a b.b.b.b c.c.c.c - IP(s) of proxy servers sending the requests. The client IP will be rewritten only for requests coming from these IPs, not for others, because headers from elsewhere could be forged.
RPAFheader X-Forwarded-For - Name of the header to take the client IP from.
RPAFsethostname On/Off - If enabled, it will set the Host header of the request to the value from the X-Forwarded-Host or X-Host header. It must be enabled if the backend server is configured for virtual hosts and real hostnames that clients request and the proxy does not just pass the Host header. I use Pound (http://www.apsis.ch/pound/) and it doesn't need it, because it passes the Host header from the client request. If I understand it correctly (I didn't test it), it's needed for proxies created using mod_proxy, because they send the address/hostname of the configured backend server in the Host header and the hostname requested by the client is in X-Forwarded-Host or X-Host depending on version.

Sob

And btw, I just tried the module with your 2.3.8-alpha x64 and it seems to work fine.

mario

Quote from: Gregg on September 12, 2010, 07:36:29 PM

@Mario, thoughts?

Well, I can try on my w2k8r2 server. I'm gonna play with it a bit.
_____________________________
Update:

So this works mostly like a proxy chain??

client<---->apache_with_rpaf<---->real_proxy

Is that correct?

mario

Building went very smoothly :)

But I added

MT -manifest mod_rpaf.so.manifest -outputresource:mod_rpaf.so;2


My test config will be

LoadModule rpaf_module modules/mod_rpaf.so

<IfModule mod_rpaf.c>
    RPAFenable On
    RPAFproxy_ips 192.168.178.1
</IfModule>


Sob

Quote from: mario on September 13, 2010, 11:00:14 AM

So this works mostly like a proxy chain??

Nope.

client <----> proxy/balancer <----> backend server with apache and rpaf

Without rpaf, the backend server sees all connections coming from the proxy's IP. With rpaf enabled and the proxy's IP in RPAFproxy_ips, connections appear to come directly from client IPs, as if the proxy wasn't there at all.
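
The trust rule described above for RPAFproxy_ips, as an added example that is not part of the original posts and is not mod_rpaf's source: the forwarded address is used only when the TCP peer is a listed proxy. The function names, the sample addresses other than 192.168.178.1, and the choice to take the last header entry (assuming the proxy appends the address it saw) are assumptions of this sketch.

```c
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>   /* inet_pton; on Windows it is declared in <ws2tcpip.h> */

/* Constructed list: the proxy address from the test config in this thread. */
static const char *TRUSTED_PROXIES[] = { "192.168.178.1" };

static int is_trusted_proxy(const char *peer) {
    size_t count = sizeof TRUSTED_PROXIES / sizeof *TRUSTED_PROXIES;
    for (size_t i = 0; i < count; i++)
        if (strcmp(peer, TRUSTED_PROXIES[i]) == 0) return 1;
    return 0;
}

/* Returns the address to log or hand to other modules: the last entry of the
 * forwarded header only if the TCP peer is a trusted proxy and the entry
 * parses as an IP address; in every other case the peer address itself. */
const char *effective_client_ip(const char *peer, const char *xff,
                                char *buf, size_t buflen) {
    if (!xff || !is_trusted_proxy(peer)) return peer;  /* header may be forged */
    const char *last = strrchr(xff, ',');              /* entry the proxy appended */
    last = last ? last + 1 : xff;
    while (*last == ' ' || *last == '\t') last++;
    size_t n = strcspn(last, " \t");
    if (n == 0 || n >= buflen) return peer;
    memcpy(buf, last, n);
    buf[n] = '\0';
    unsigned char tmp[16];                             /* large enough for IPv6 */
    if (inet_pton(AF_INET, buf, tmp) != 1 && inet_pton(AF_INET6, buf, tmp) != 1)
        return peer;                                   /* malformed entry */
    return buf;
}

int main(void) {
    char buf[64];
    /* Request relayed by the listed proxy: the client address is restored. */
    puts(effective_client_ip("192.168.178.1", "203.0.113.7", buf, sizeof buf));
    /* Direct connection carrying its own header: the header is ignored. */
    puts(effective_client_ip("198.51.100.9", "10.0.0.1", buf, sizeof buf));
    /* Client-supplied entry ahead of the proxy's: only the last one counts. */
    puts(effective_client_ip("192.168.178.1", "10.0.0.1, 203.0.113.7", buf, sizeof buf));
    return 0;
}
```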

Gregg

Oh it goes on the backend, ok. I thought it went on frontend. Thanks for clarifying.


mario

A 64-bit version of mod_rpaf is now on the download page.

----- edit ---
also added 32 bit version.

Gregg


mario

Gregg, did you try to compile it against Apache 2.4?

Gregg

No, there have been some developments between 2.3.15 & 2.4.now that have broken a lot of modules. It's fixable but messy. Why, are you trying and getting an error along the lines of "remote_ip is not part of conn_rec (or remote_addr/request_req)"?

http://marc.info/?l=apache-httpd-dev&m=132223067705331&w=2

Want to have some real fun, try building mod_security :o

Gregg

Well, I built one against 2.3.16 so I will include it in the 2.3.16 packages when I get them done.
It loads, but that is as far as I have tested it.

mario

Good to know that it works! Or at least loads.

Speaking of 2.4 coming.... all these new mods like firehose. Will be interesting

Gregg

Not sure firehose, mod_policy or mod_combine will make 2.4.0; I think they'll get added eventually during the 2.4 lifetime. I like the sound of mod_combine