gnif / mod_rpaf

reverse proxy add forward module for Apache
199 stars 79 forks source link

mod_rpaf no longer resolves the right IPs for mod_status? #54

Closed archon810 closed 5 years ago

archon810 commented 6 years ago

Hello again,

I have recently upgraded from OpenSUSE 42.1 to 42.3, with which came a few changes to the software, namely Apache 2.4.16 -> 2.4.29 (but same issue happens with 2.4.23). mod_rpaf seems to be roughly the same - mod_rpaf-0.8.4~rc3. As far as I can tell, mod_status is part of Apache.

Before the upgrade, mod_rpaf was showing the right IPs in mod_status (server_name/server-status). After the upgrade, all I'm seeing is 127.0.0.1.

Here are 2 screenshots showing the differences. I checked the module loading order, and it seems to be the same - rpaf is listed first. What could be causing this?

Thank you.

2017-12-13_22-49-04 2017-12-13_22-50-18

gnif commented 6 years ago

Please share your mod_rpaf configuraiton.

archon810 commented 6 years ago

@gnif The configuration is based on https://github.com/gnif/mod_rpaf/issues/47#issuecomment-270316382.

Here it is:

# Enable setting of IPs if behind a proxy.
# Accept local and Cloudflare IPs.
<IfModule mod_rpaf.c>
    RPAF_Enable On
    RPAF_SetHostName On
    RPAF_ProxyIPs 127.0.0.1 ::1 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 104.16.0.0/12 108.162.192.0/18 131.0.72.0/22 141.101.64.0/18 162.158.0.0/15 172.64.0.0/13 173.245.48.0/20 188.114.96.0/20 190.93.240.0/20 197.234.240.0/22 198.41.128.0/17 199.27.128.0/21 2400:cb00::/32 2606:4700::/32 2803:f800::/32 2405:b500::/32 2405:8100::/32 2c0f:f248::/32 2a06:98c0::/29
    RPAF_Header X-Forwarded-For
</IfModule>

The correct IP shows up in apache logs, so I know mod_rpaf is working there. The logs use this mod_log_config definition: LogFormat "%{REQUEST_SCHEME}x://%{Host}i %a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %{CF-Ray}i" proxy

AlbaroPereyra commented 6 years ago

I have a similar issue on FreeBSD a recent upgrade broke my set-up. I used to have the mod enabled in the httpd.conf file then I had a .conf file in the Includes folder with the following lines: RPAFenable On\nRPAFproxyips 10.0.0.10

I realized the upgrade created a file in modules.d named 200_mod_rpaf.conf I renamed this file to 200_mod_rpaf.conf.bak and reconfigured my original .conf file. It now looks like the following: \<IfModule mod_rpaf.c> # Enable reverse proxy add forward RPAF_Enable On # What IPs & bitmasked subnets to adjust requests for RPAF_Header X-Real-Ip RPAF_ProxyIPs 127.0.0.1 10.0.0.0/24 RPAF_SetHostName On RPAF_SetHTTPS On RPAF_SetPort On \<\/IfModule>

The problem is that the access log, logs the local ip 10.0.0.10 but, if I send a message through a Wordpress form it passes the clients public IP.

I am using the default Log format: LogFormat "%h %l %u %t \"%r\" %>s %b" common

Can you help me diagnose this problem?

What changed? or is it that my new config file is not the same as before?

Please advise,

renton- commented 6 years ago

@archon810 Try this patch

--- mod_rpaf.orig/mod_rpaf.c    2018-04-03 19:29:59.177354125 +0300
+++ mod_rpaf-1gb/mod_rpaf.c     2018-04-03 19:29:36.416814029 +0300
@@ -319,7 +319,11 @@
     apr_sockaddr_t *tmpsa;
     int ret = apr_sockaddr_info_get(&tmpsa, r->DEF_IP, APR_UNSPEC, tmpport, 0, tmppool);
     if (ret == APR_SUCCESS)
-        memcpy(r->DEF_ADDR, tmpsa, sizeof(apr_sockaddr_t));
+        #if AP_SERVER_MAJORVERSION_NUMBER >= 2 && AP_SERVER_MINORVERSION_NUMBER >= 4
+            r->DEF_ADDR = tmpsa;
+        #else
+            memcpy(r->DEF_ADDR, tmpsa, sizeof(apr_sockaddr_t));
+        #endif
     if (cfg->sethostname) {
         const char *hostvalue;
         if ((hostvalue = apr_table_get(r->headers_in, "X-Forwarded-Host")) ||
archon810 commented 6 years ago

@renton- Thanks for the patch, but I only use the repo-supplied (OpenSUSE) modules and apache, so I can't test this.

gnif commented 6 years ago

@renton this will have unintended side effects, when tmppool is destroyed the pointer you are assigning to DEF_ADDR will be freed and Apache will be left trying to access now invalid memory.

ironsteel commented 5 years ago

Hmm trying to figure out how to properly fix this and I'm a bit confused. I presume that the tmppool will be present for the life time of the request? If that's the case I don't think this is an issue.

Another way is to use the request's r->pool to guarantee that r->DEF_ADDR will be freed when the request_rec pool is destroyed?

@gnif Any suggestions?

gnif commented 5 years ago

I am sorry @ironsteel I no longer have any production servers running this module nor the time anymore to maintain it. I do highly suggest you see if mod_realip can suit your requirements and if not, perhaps ask the developers for the features you require.

AndreiG6 commented 5 years ago

you should probably add a "not for production use" disclaimer.

archon810 commented 5 years ago

The module seems to be called mod_remoteip http://httpd.apache.org/docs/2.4/mod/mod_remoteip.html, and I've successfully migrated to it for my purposes. Now apache status shows the correct IPs again, so I'm going to remove mod_rpaf from my module list.

Thanks @gnif for the tip.