Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
| |
|
Topic: remoteip_module not setting REMOTE_IP (linux) |
|
Author |
|
rossbcan
Joined: 15 Aug 2018 Posts: 8
|
Posted: Fri 12 Mar '21 16:27 Post subject: remoteip_module not setting REMOTE_IP (linux) |
|
|
httpd -v : Apache/2.4.6 (CentOS)
topology: nginx proxy -> apache/centos in VM
Using REMOTE_IP as part of auth process using custom php.
Updated apache from 2.2 (which successfully used mod_rpaf) to apache 2.4 which needs mod_remoteip
using this and many similar guides, some alleging that mod_remoteip is broken and suggesting mod_rpaf: https://stackoverflow.com/questions/2328225/how-to-set-remote-addr-in-apache-before-php-is-invoked
Nginx (proxy snippet):
Code: |
server_name redacted.org www.redacted.org;
location / {
proxy_set_header Host www.redacted.org:$server_port;
# Allow downstream sites to know who's connecting
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_pass $scheme://192.168.2.251:$server_port;
}
|
httpd.conf (server snippet)
Code: |
LoadModule authnz_external_module modules/mod_authnz_external.so
LoadModule remoteip_module modules/mod_remoteip.so
RemoteIPInternalProxy 192.168.2.1 (nginx proxy IP)
RemoteIPHeader X-Forwarded-For
RemoteIPProxiesHeader X-Forwarded-By
|
Here is what I see in my php auth code:
Code: |
PHP Variables
Variable => Value
_SERVER["PATH"] => /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
_SERVER["AUTHTYPE"] => PASS
_SERVER["IP"] => 192.168.2.1 (address of nginx proxy)
_SERVER["URI"] => /Downloads/SecureOffice/r13710/packages_x86_64/Packages.gz
_SERVER["HTTP_HOST"] => www.redacted.org:443
_SERVER["PHP_SELF"] => /home/e-smith/files/ibays/rossco/license_server/download_auth.php
_SERVER["SCRIPT_NAME"] => /home/e-smith/files/ibays/rossco/license_server/download_auth.php
_SERVER["SCRIPT_FILENAME"] => /home/e-smith/files/ibays/rossco/license_server/download_auth.php
_SERVER["PATH_TRANSLATED"] => /home/e-smith/files/ibays/rossco/license_server/download_auth.php
_SERVER["DOCUMENT_ROOT"] =>
_SERVER["REQUEST_TIME_FLOAT"] => 1615558587.2557
_SERVER["REQUEST_TIME"] => 1615558587
_SERVER["argv"] => Array
(
[0] => /home/e-smith/files/ibays/rossco/license_server/download_auth.php
)
_SERVER["argc"] => 1
_ENV["PATH"] => /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
_ENV["AUTHTYPE"] => PASS
_ENV["IP"] => 192.168.2.1 (nginx proxy)
_ENV["URI"] => /Downloads/SecureOffice/r13710/packages_x86_64/Packages.gz
_ENV["HTTP_HOST"] => www.redacted.org:443
|
I am not seeing _ENV["REMOTE_IP"] and _ENV["IP"] is nginx proxy.
I am sure I am missing something simple. Throw me a bone?
Thanks;
Bill |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
|
Posted: Fri 12 Mar '21 21:55 Post subject: |
|
|
Your config is missing
Code: |
RemoteIPProxyProtocol On
|
$_ENV? This should override $_SERVER["IP"] |
|
Back to top |
|
rossbcan
Joined: 15 Aug 2018 Posts: 8
|
Posted: Fri 12 Mar '21 23:56 Post subject: |
|
|
Thanks for trying...
This is driving me nuts because, according to docs should be working.
James Blond wrote: | Your config is missing
Code: |
RemoteIPProxyProtocol On
|
$_ENV? This should override $_SERVER["IP"] |
Not it, result...
"Invalid command 'RemoteIPProxyProtocol', perhaps misspelled or ...."
because: Compatibility: RemoteIPProxyProtocol is only available in httpd 2.4.31 and newer: https://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteipproxyprotocol
Server version: Apache/2.4.6 (CentOS) |
|
Back to top |
|
rossbcan
Joined: 15 Aug 2018 Posts: 8
|
Posted: Sat 13 Mar '21 17:55 Post subject: |
|
|
Further info:
Wireshark confirms Nginx header insertion
X-Real-IP: <redacted client ip>\r\n
X-Forwarded-For: <redacted client ip>\r\n
So, the issue is with mod_remoteip (perhaps apache version dependent) |
|
Back to top |
|
rossbcan
Joined: 15 Aug 2018 Posts: 8
|
Posted: Sat 13 Mar '21 21:19 Post subject: |
|
|
I am pretty sure there is a mod_remoteip bug, at least in apache-2.4.6.
There is a further anomoly that when apache log config is changed from %h (host) to %a (remote ip), when behind a proxy, correct client IP's are logged, which is part of mod_remoteip functionality.
What is not working is _ENV["IP"] as seen by php is the proxy as opposed to client IP address.
I replaced this module with mod_rpaf as a workaround
Instructions:
Code: |
# Use mod_rpaf instead
# yum install httpd-devel
# cd /usr/local/src
# wget https://github.com/y-ken/mod_rpaf/raw/master/mod_rpaf-2.0.c
# mv mod_rpaf-2.0.c mod_rpaf-2.4.c
# sed -i 's/remote_/client_/g' mod_rpaf-2.4.c
# apxs -c -n mod_rpaf-2.4.so mod_rpaf-2.4.c
# apxs -i -c -n mod_rpaf-2.4.so mod_rpaf-2.4.c
# To httpd.conf:
LoadModule rpaf_module modules/mod_rpaf-2.4.so
RPAFenable On
RPAFproxy_ips 192.168. 10.0.0. 127.0.0.1 ::1
RPAFheader X-Forwarded-For
RPAFsetHostname On
RPAFsethttps Off
RPAFsetport Off
|
|
|
Back to top |
|
|
|
|
|
|