lpalgarvio / mod-auth-external

Automatically exported from code.google.com/p/mod-auth-external
0 stars 0 forks source link

Modification to allow an loadbalancer between browser and server #12

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Currently if a loadbalancer is present the servers IP is sent and processed, 
which of course makes no sense whatsever. In the loadbalancer sends the 
X_FORWARDED_FOR header the authnz_external cannot handle it though. I wrote a 
small patch which sends the X_FORWADED_FOR header to the client in the PROXY 
environment variable

Here's the diff:

diff mod_authnz_external-3.2.6-new/mod_authnz_external.c 
mod_authnz_external-3.2.6/mod_authnz_external.c
100d99
< #define ENV_PROXY "PROXY"
438c437
<     char *child_env[13];

---
>     char *child_env[12];
461c460
<   const char *cookie, *host, *remote_host, *proxy;

---
>   const char *cookie, *host, *remote_host;
498,499d496
< if ((proxy= apr_table_get(r->headers_in, "X-Forwarded-For")) != NULL)
<       child_env[i++]= apr_pstrcat(p, ENV_PROXY"=", proxy, NULL);

Original issue reported on code.google.com by rogier.s...@gmail.com on 19 Aug 2013 at 1:41

GoogleCodeExporter commented 9 years ago
This is a sound idea. I've added a version of it to the version in svn, and it 
will be included in the next release.

The one change I made is to the name. The "X-Forwarded-For" header gives a 
comma-separated list of the servers the request was forwarded to.  The first 
one will be the original client, the rest will be proxies it passed through 
before reaching the proxy whose IP is given in the IP environment variable. 
Most commonly it will be used to get the first IP address, which is the 
original client IP, not a proxy. So calling the variable PROXY seems confusing. 
I called it FORWARDS instead, plural as a reminder that this is, in general, 
going to be a list of IPs, not just a single IP.

Anyway, thanks for the contribution.

Original comment by j...@unixpapa.com on 11 Dec 2013 at 7:14

GoogleCodeExporter commented 9 years ago
Issue 13 has been merged into this issue.

Original comment by j...@unixpapa.com on 11 Dec 2013 at 7:16

GoogleCodeExporter commented 9 years ago

Original comment by j...@unixpapa.com on 11 Dec 2013 at 7:25

GoogleCodeExporter commented 9 years ago
Actually, on second thought, I think that making the IP environment variable 
always return the client IP is better.  No authenticator will ever really want 
to know the whole chain of forwards.

So this change is out again.

Original comment by j...@unixpapa.com on 11 Dec 2013 at 7:42