I have one tip for a useful module for your collection on the download page - mod_rpaf.
When I needed to share one IP address for multiple physical webservers, it was easily solved using a proxy/load balancer. But I just hated the loss of real client addresses visible to webservers. Everything had the proxy address as source. I could get the real addresses from the X-Forwarded-For header in php, but that wasn't a solution for other things like mod_geoip or httpd logs. "Someone must have already solved this" I thought and I was right.
Source can be found at http://stderr.net/apache/rpaf/
And compilation is quick and easy:
cl.exe /MD /W3 /O2 /D WIN32 /D NDEBUG -I"c:\Apache22\include" -c mod_rpaf-2.0.c
link.exe /dll /machine:AMD64 /OUT:mod_rpaf.so /libpath:"c:\Apache22\lib" mod_rpaf-2.0.obj libapr-1.lib libhttpd.lib ws2_32.lib
I used the 32-bit version without any problems for about six months and now the 64-bit version for about two weeks.
I wasn't able to find Windows x64 binary anywhere, Apache Haus can be first if you want. :)
I'm game, I'm just trying to understand how to configure it since I will have to show a sample config in the readme to put with it, over and above what I'm seeing on that page.
I guess I could play with a win32 build with one domain since I do have the Atom with 2.3.8 on it exposed, as well as my server. Unfortunately I would want to use it as the front end and I have had no luck getting any 3rd party module to load on the alpha.
@Mario, thoughts?
You just load the module into the backend server and configuration is very easy:
RPAFenable On/Off - No description necessary.
RPAFproxy_ips a.a.a.a b.b.b.b c.c.c.c - IP(s) of proxy servers sending the requests, client IP will be rewritten only for requests coming from these IPs, not for others, because headers from elsewhere could be forged.
RPAFheader X-Forwarded-For - Name of header to take the client IP from.
RPAFsethostname On/Off - If enabled, it will set the Host header of the request to value from X-Forwarded-Host or X-Host header. It must be enabled if backend server is configured for virtual hosts and real hostnames that clients request and proxy does not just pass Host header. I use Pound (http://www.apsis.ch/pound/) and it doesn't need it, because it passes Host header from client request. If I understand it correctly (I didn't test it), it's needed for proxies created using mod_proxy, because they send address/hostname of configured backend server in Host header and hostname requested by client is in X-Forwarded-Host or X-Host depending on version.
And btw, I just tried the module with your 2.3.8-alpha x64 and it seems to work fine.
Quote from: Gregg on September 12, 2010, 07:36:29 PM
@Mario, thoughts?
Well I can try on my w2k8r2 server. I'm gonna play with it a bit.
_____________________________
Update:
So this works mostly like a proxy chain??
client<---->apache_with_rpaf<---->real_proxy
Is that correct?
Building went very smooth :)
But I added
MT -manifest mod_rpaf.so.manifest -outputresource:mod_rpaf.so;2
My test config will be
LoadModule rpaf_module modules/mod_rpaf.so
<IfModule mod_rpaf.c>
RPAFenable On
RPAFproxy_ips 192.168.178.1
</IfModule>
Quote from: mario on September 13, 2010, 11:00:14 AM
So this works mostly like a proxy chain??
Nope.
client <----> proxy/balancer <----> backend server with apache and rpaf
Without rpaf, backend server sees all connections coming from proxy's IP. With rpaf enabled and proxy's IP in RPAFproxy_ips, connections appear to come directly from client IP's, as if proxy wasn't there at all.
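The trust rule behind RPAFproxy_ips and the topology above, as an added C sketch that is not mod_rpaf's source and not posted by anyone in this thread: the header is honoured only when the TCP peer is a listed proxy, otherwise the socket address is kept. The function names are hypothetical, the addresses are constructed samples, and taking the last X-Forwarded-For entry is an assumption of this sketch (that the proxy appends the address it saw).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added illustration; not mod_rpaf source. Function names are hypothetical. */

/* 1 if the TCP peer is one of the addresses listed in RPAFproxy_ips. */
static int is_trusted_proxy(const char *peer, const char *const *proxies, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(peer, proxies[i]) == 0)
            return 1;
    return 0;
}

/* Writes the address the backend should log into out.
 * Returns 1 if it came from the header, 0 if the socket peer was kept. */
int effective_client_ip(const char *peer, const char *const *proxies, size_t n,
                        const char *xff, char *out, size_t outlen)
{
    snprintf(out, outlen, "%s", peer);      /* default: the socket address */
    if (!xff || !is_trusted_proxy(peer, proxies, n))
        return 0;                           /* header from elsewhere: ignore it */

    /* Assumption: the proxy appends the address it saw, so take the last entry. */
    const char *last = strrchr(xff, ',');
    last = last ? last + 1 : xff;
    while (isspace((unsigned char)*last))
        last++;
    size_t len = strlen(last);
    while (len > 0 && isspace((unsigned char)last[len - 1]))
        len--;
    if (len == 0 || len >= outlen)
        return 0;                           /* empty or oversized entry: keep peer */
    memcpy(out, last, len);
    out[len] = '\0';
    return 1;
}

int main(void)
{
    const char *const proxies[] = { "192.168.178.1" };  /* constructed sample */
    char ip[64];
    effective_client_ip("192.168.178.1", proxies, 1, "198.51.100.9, 203.0.113.7", ip, sizeof ip);
    printf("request via proxy       -> %s\n", ip);
    effective_client_ip("203.0.113.50", proxies, 1, "10.0.0.1", ip, sizeof ip);
    printf("direct, forged header   -> %s\n", ip);
    return 0;
}
```

A client that connects to the backend directly and sends its own X-Forwarded-For is logged under its socket address, which is why only the proxies' addresses belong in RPAFproxy_ips.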
Oh it goes on the backend, ok. I thought it went on frontend. Thanks for clarifying.
A 64 bit version of mod_rpaf is now on the download page.
----- edit ---
also added 32 bit version.
Thanks Mario
Gregg did you try to compile it against apache 2.4?
No, there's been some developments between 2.3.15 & 2.4.now that has broken a lot of modules. It's fixable but messy. Why, are you trying and getting an error on the lines of "remote_ip is not part of conn_rec (or remote_addr/request_req)"?
http://marc.info/?l=apache-httpd-dev&m=132223067705331&w=2
Want to have some real fun, try building mod_security :o
Well, I built one against 2.3.16 so I will include it in the 2.3.16 packages when I get them done.
It loads, but that is as far as I have tested it.
Good to know that it works! Or at least loads.
Speaking of 2.4 coming.... all these new mods like firehose. Will be interesting
not sure firehose, mod_policy or mod_combine will make 2.4.0, I think they'll get added eventually during the 2.4 lifetime. I like the sound of mod_combine
Good day all,
I am sorry to dredge up an old topic but this seems like the best choice for my situation. I need a solution to reveal the client remote_addr after proxy server has handed it back to apache and I think this may work. However, I downloaded the prebuilt modules and apache 2.2.22 will not start with it enabled. May I have some help with this? or a new build? I tried building it on my own machine but I am not a developer or really that smart.
Server 2008 R2 Enterprise(X64), Apache 2.2.22 w/ openssl .98. I greatly would appreciate any assistance and thank you!
it might be the issue that you use apache from apache.org and try to load the module from our page?
Since we use a newer compiler than apache.org, modules from us won't load into apache from apache.org
That could be, I suppose I am a bit SOL then? I will try to build on a linux machine that has apache, perhaps that will be a proof enough concept to switch over.
Thanks :)
Nope, you can just download apache from our page and use the module. Easier than building it yourself.
You can use your existing config. just replace the binaries.
Spiffy, Thank you Mario. That did work.
Is it possible to force mod_rpaf or apache to only use ipv4 and not ipv6? I just hosed our application :)
mod_rpaf can't do that. But apache can. Change the Listen 80 to __YOUR_IPv4__:80, then the client has to connect via IPv4 (AFAIK).