author | Elan Ruusamäe <glen@delfi.ee> | 2007-02-19 21:05:59 +0000 |
---|---|---|
committer | Elan Ruusamäe <glen@delfi.ee> | 2007-02-19 21:05:59 +0000 |
commit | f68fd405f480b48e1dfdb894ea51368690c666ae (patch) | |
tree | 04a34c02129dc569e0d328126d754b1a6322da74 /doc | |
parent | e61146a7409017c3db6b28b4db0b4cc2d609436c (diff) | |
download | lighttpd-git-f68fd405f480b48e1dfdb894ea51368690c666ae.tar.gz |
- add mod_extforward module from wiki
git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@1665 152afb58-edef-0310-8abb-c4023f1b3aa9
Diffstat (limited to 'doc')
-rw-r--r-- | doc/Makefile.am | 2 |
-rw-r--r-- | doc/extforward.txt | 96 |
2 files changed, 98 insertions, 0 deletions
diff --git a/doc/Makefile.am b/doc/Makefile.am index 792ff222..6be113b2 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -6,6 +6,7 @@ authentication.txt \ cgi.txt \ compress.txt \ configuration.txt \ +extforward.txt \ fastcgi-state.txt \ fastcgi.txt \ features.txt \ @@ -43,6 +44,7 @@ HTMLDOCS=accesslog.html \ cgi.html \ compress.html \ configuration.html \ + extforward.html \ fastcgi-state.html \ fastcgi.html \ features.html \ diff --git a/doc/extforward.txt b/doc/extforward.txt new file mode 100644 index 00000000..af4f2a82 --- /dev/null +++ b/doc/extforward.txt 
@@ -0,0 +1,96 @@ +============== +mod_extforward +============== + +.. contents:: + +Overview +======== + +Comman Kang <comman.kang at gmail.com> sent me: :: + + Hello jan. + + I've made something rough but similar to mod_extract_forwarded for + Apache. This module will extract the client's "real" ip from + X-Forwarded-For header which is added by squid or other proxies. It might be + useful for servers behind reverse proxy servers. + + However, this module is causing segfault with mod_ssl or + $HTTP{''socket"} directive, crashing in config_check_cond while patching + connection , I do not understand architecture of the lighttpd well, does it + need to call patch_connection in either handle_request_done and + connection_reset ? + +Lionel Elie Mamane <lionel@mamane.lu> improved the patch: :: + + I've taken lighttpd-1.4.10-mod_extforward.c from the wiki and I've + extended it. Here is the result. + + Major changes: + + - IPv6 support + + - Fixed at least one segfault with SERVER['socket'] + + - Arrange things so that a url.access-deny under scope of a + HTTP['remoteip'] condition works well :) + + I've commented the code in some places, mostly where I wasn't sure + what was going on, or I didn't see what the original author meant to + do. + +Options +======= + +extforward.forwarder + Sets trust level of proxy IP's. + + Default: empty + + Example: :: + + extforward.forwarder = ("10.0.0.232" => "trust") + + will translate ip addresses coming from 10.0.0.232 to real ip addresses extracted from X-Forwarded-For: HTTP request header. + +Note +======= + +The effect of this module is variable on $HTTP["remotip"] directives and other module's remote ip dependent actions. +Things done by modules before we change the remoteip or after we reset it will match on the proxy's IP. +Things done in between these two moments will match on the real client's IP. 
+The moment things are done by a module depends on in which hook it does things and within the same hook +on whether they are before/after us in the module loading order +(order in the server.modules directive in the config file). + +Tested behaviours: + + mod_access: Will match on the real client. + + mod_accesslog: + In order to see the "real" ip address in access log , + you'll have to load mod_extforward after mod_accesslog. + like this: :: + + server.modules = ( + ..... + mod_accesslog, + mod_extforward + ) + +Samples +======= + +Trust proxy 10.0.0.232 and 10.0.0.232 :: + + extforward.forwarder = ( + "10.0.0.232" => "trust", + "10.0.0.233" => "trust", + ) + +Trust all proxies (NOT RECOMMENDED!) :: + + extforward.forwarder = ( "all" => "trust") + +Note that "all" has precedence over specific entries, so "all except" setups will not work. |
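
Review bot: In the Samples section of doc/extforward.txt, `"all" => "trust"` is marked NOT RECOMMENDED without saying why, and the extforward.forwarder entry under Options never states that the address taken from X-Forwarded-For is what later remote-IP checks see, even though the Note section says mod_access "will match on the real client". Please state in the Options text that with "all" the X-Forwarded-For value is accepted from any peer, so the address those checks match on is whatever the request header says, and that only proxies known to set the header themselves should be listed as forwarders. Smaller points in the same file: `$HTTP["remotip"]` in the Note section should read `$HTTP["remoteip"]`, as in the quoted message above it; the first sample's caption says "10.0.0.232 and 10.0.0.232" while the config lists 10.0.0.232 and 10.0.0.233; and the server.modules example writes `mod_accesslog, mod_extforward` unquoted, unlike the quoted strings in the extforward.forwarder examples. It would also help to document which address is used when X-Forwarded-For carries more than one entry, since the text does not say.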