Apache 2.4 compatibility

[mpdude]

Currently, this module does not compile for Apache 2.4 - but I would like to see support for it! :+1:

mod_rpaf has a unique selling point, namely the ability to read the X-Forwarded-Port/X-Forwarded-Proto headers. That allows to use Amazon EC2's Elastic Load Balancers for transparent SSL termination: http://www.webfactory.de/blog/transparent-ssl-termination-on-amazon-elb-with-mod-rpaf

mod_remoteip seems to be the favored solution contained in the Apache core, but it is not capable of handling this setup.

Here are the API changes: http://httpd.apache.org/docs/2.4/developer/new_api_2_4.html

The following patch at least allows me to compile the module, but I haven't yet had the possiblity to test it in any way...

diff --git a/mod_rpaf.c b/mod_rpaf.c
index 5ce4071..9973c2c 100644
--- a/mod_rpaf.c
+++ b/mod_rpaf.c
@@ -166,8 +166,8 @@ static int is_in_array(apr_pool_t *pool, const char *remote_ip, apr_array_header

 static apr_status_t rpaf_cleanup(void *data) {
     rpaf_cleanup_rec *rcr = (rpaf_cleanup_rec *)data;
-    rcr->r->connection->remote_ip = apr_pstrdup(rcr->r->connection->pool, rcr->old_ip);
-    rcr->r->connection->remote_addr->sa.sin.sin_addr.s_addr = apr_inet_addr(rcr->r->connection->remote_ip);
+    rcr->r->connection->client_ip = apr_pstrdup(rcr->r->connection->pool, rcr->old_ip);
+    rcr->r->connection->client_addr->sa.sin.sin_addr.s_addr = apr_inet_addr(rcr->r->connection->client_ip);
     return APR_SUCCESS;
 }

@@ -191,7 +191,7 @@ static int change_remote_ip(request_rec *r) {
     if (!cfg->enable)
         return DECLINED;

-    if (is_in_array(r->pool, r->connection->remote_ip, cfg->proxy_ips) == 1) {
+    if (is_in_array(r->pool, r->connection->client_ip, cfg->proxy_ips) == 1) {
         /* check if cfg->headername is set and if it is use
            that instead of X-Forwarded-For by default */
         if (cfg->headername && (fwdvalue = apr_table_get(r->headers_in, cfg->headername))) {
@@ -210,11 +210,11 @@ static int change_remote_ip(request_rec *r) {
                 if (*fwdvalue != '\0')
                     ++fwdvalue;
             }
-            rcr->old_ip = apr_pstrdup(r->connection->pool, r->connection->remote_ip);
+            rcr->old_ip = apr_pstrdup(r->connection->pool, r->connection->client_ip);
             rcr->r = r;
             apr_pool_cleanup_register(r->pool, (void *)rcr, rpaf_cleanup, apr_pool_cleanup_null);
-            r->connection->remote_ip = apr_pstrdup(r->connection->pool, last_not_in_array(r->pool, arr, cfg->proxy_ips));
-            r->connection->remote_addr->sa.sin.sin_addr.s_addr = apr_inet_addr(r->connection->remote_ip);
+            r->connection->client_ip = apr_pstrdup(r->connection->pool, last_not_in_array(r->pool, arr, cfg->proxy_ips));
+            r->connection->client_addr->sa.sin.sin_addr.s_addr = apr_inet_addr(r->connection->client_ip);

             if (cfg->sethostname) {
                 const char *hostvalue;

[joshboon]

As mpdude pointed out above the only change we have to make to support 2.4 is to move from remote* to client* and everything else is good to go. I've compiled it with the changes and have deployed it into my infrastructure as a replacement for mod_rpaf 0.6 provided from the repos. I'll keep an eye out but everything looks good at this point. If anyone doesn't want to mod themselves my fork over at https://github.com/joshboon/mod_rpaf has the 2.4 changes and is what I'm currently running.

[gnif]

Can you please make this a pull request, I will merge and test + fix anything broken if needed to get this into mod_rpaf. Thanks for the efforts in tracking this down.

[mpdude]

Here you go.

This is different from the patch above because there have been some refactorings in the mean time. I did not yet have the possibility to compile/test it.

Please note the following lines in the APache 2.4 changelog:

conn_rec->remote_ip and conn_rec->remote_addr These fields have been renamed in order to distinguish between the client IP address of the connection and the useragent IP address of the request (potentially overridden by a load balancer or proxy). References to either of these fields must be updated with one of the following options, as appropriate for the module: When you require the IP address of the user agent, which might be connected directly to the server, or might optionally be separated from the server by a transparent load balancer or proxy, use request_rec->useragent_ip and request_rec->useragent_addr. When you require the IP address of the client that is connected directly to the server, which might be the useragent or might be the load balancer or proxy itself, use conn_rec->client_ip and conn_rec->client_addr. -- http://httpd.apache.org/docs/2.4/developer/new_api_2_4.html

This looks a bit like the Apache core now makes a difference between the proxy and the user agent itself. Not sure if that has more subtle implications for this module than a simple search and replace of a renamed struct element?

[mpdude]

Maybe we should have a branch/tag for the last working 2.2 version?

[gnif]

You should look at the source, it is still 2.2 compatible.