- add mod_extforward module from wiki

git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@1665 152afb58-edef-0310-8abb-c4023f1b3aa9

2 files changed, 98 insertions, 0 deletions

diff --git a/doc/Makefile.am b/doc/Makefile.am
index 792ff222..6be113b2 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -6,6 +6,7 @@ authentication.txt \
 cgi.txt \
 compress.txt \
 configuration.txt \
+extforward.txt \
 fastcgi-state.txt \
 fastcgi.txt \
 features.txt \
@@ -43,6 +44,7 @@ HTMLDOCS=accesslog.html \
 	 cgi.html \
 	 compress.html \
 	 configuration.html \
+	 extforward.html \
 	 fastcgi-state.html \
 	 fastcgi.html \
 	 features.html \
diff --git a/doc/extforward.txt b/doc/extforward.txt
new file mode 100644
index 00000000..af4f2a82
--- /dev/null
+++ b/doc/extforward.txt
@@ -0,0 +1,96 @@
+==============
+mod_extforward
+==============
+
+.. contents::
+
+Overview
+========
+
+Comman Kang <comman.kang at gmail.com> sent me: ::
+
+  Hello jan.
+
+       I've made something rough but similar to mod_extract_forwarded for
+  Apache.  This module will extract the client's "real" ip from
+  X-Forwarded-For header which is added by squid or other proxies. It might be
+  useful for servers behind reverse proxy servers.
+
+       However, this module is causing segfault with mod_ssl or
+  $HTTP{''socket"} directive,  crashing in config_check_cond while patching
+  connection ,  I do not understand architecture of the lighttpd well, does it
+  need to call patch_connection in either handle_request_done and
+  connection_reset ?
+
+Lionel Elie Mamane <lionel@mamane.lu> improved the patch: ::
+
+    I've taken lighttpd-1.4.10-mod_extforward.c from the wiki and I've
+  extended it. Here is the result.
+
+  Major changes:
+
+   - IPv6 support
+
+   - Fixed at least one segfault with SERVER['socket']
+
+   - Arrange things so that a url.access-deny under scope of a
+     HTTP['remoteip'] condition works well :)
+
+  I've commented the code in some places, mostly where I wasn't sure
+  what was going on, or I didn't see what the original author meant to
+  do.
+
+Options
+=======
+
+extforward.forwarder
+  Sets trust level of proxy IP's.
+
+  Default: empty
+
+  Example: ::
+    
+    extforward.forwarder = ("10.0.0.232" => "trust")
+
+  will translate ip addresses coming from 10.0.0.232 to real ip addresses extracted from X-Forwarded-For: HTTP request header.
+
+Note
+=======
+
+The effect of this module is variable on $HTTP["remotip"] directives and other module's remote ip dependent actions.
+Things done by modules before we change the remoteip or after we reset it will match on the proxy's IP.
+Things done in between these two moments will match on the real client's IP.
+The moment things are done by a module depends on in which hook it does things and within the same hook
+on whether they are before/after us in the module loading order
+(order in the server.modules directive in the config file).
+
+Tested behaviours:
+
+  mod_access: Will match on the real client.
+
+  mod_accesslog:
+   In order to see the "real" ip address in access log ,
+   you'll have to load mod_extforward after mod_accesslog.
+   like this: ::
+
+    server.modules  = (
+       .....
+       mod_accesslog,
+       mod_extforward
+    )
+
+Samples
+=======
+
+Trust proxy 10.0.0.232 and 10.0.0.232 ::
+
+  extforward.forwarder = (
+     "10.0.0.232" => "trust",
+     "10.0.0.233" => "trust",
+  )
+
+Trust all proxies  (NOT RECOMMENDED!) ::
+
+  extforward.forwarder = ( "all" => "trust")
+
+Note that "all" has precedence over specific entries, so "all except" setups will not work.