Topic: remoteip_module not setting REMOTE_IP (linux)
rossbcan



Joined: 15 Aug 2018
Posts: 8

Posted: Fri 12 Mar '21 16:27    Post subject: remoteip_module not setting REMOTE_IP (linux)

httpd -v : Apache/2.4.6 (CentOS)

topology: nginx proxy -> apache/centos in VM

Using REMOTE_IP as part of auth process using custom php.
Updated apache from 2.2 (which successfully used mod_rpaf) to apache 2.4 which needs mod_remoteip

using this and many similar guides, some alleging that mod_remoteip is broken and suggesting mod_rpaf: https://stackoverflow.com/questions/2328225/how-to-set-remote-addr-in-apache-before-php-is-invoked

Nginx (proxy snippet):

Code:

        server_name     redacted.org www.redacted.org;
        location / {
                proxy_set_header Host www.redacted.org:$server_port;
                # Allow downstream sites to know who's connecting
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header  X-Forwarded-For $remote_addr;
                proxy_pass $scheme://192.168.2.251:$server_port;
        }


httpd.conf (server snippet)
Code:

LoadModule authnz_external_module modules/mod_authnz_external.so
LoadModule remoteip_module modules/mod_remoteip.so
# 192.168.2.1 is the nginx proxy IP
RemoteIPInternalProxy 192.168.2.1
RemoteIPHeader X-Forwarded-For
RemoteIPProxiesHeader X-Forwarded-By


Here is what I see in my php auth code:

Code:

PHP Variables

Variable => Value
_SERVER["PATH"] => /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
_SERVER["AUTHTYPE"] => PASS
_SERVER["IP"] => 192.168.2.1 (address of nginx proxy)
_SERVER["URI"] => /Downloads/SecureOffice/r13710/packages_x86_64/Packages.gz
_SERVER["HTTP_HOST"] => www.redacted.org:443
_SERVER["PHP_SELF"] => /home/e-smith/files/ibays/rossco/license_server/download_auth.php
_SERVER["SCRIPT_NAME"] => /home/e-smith/files/ibays/rossco/license_server/download_auth.php
_SERVER["SCRIPT_FILENAME"] => /home/e-smith/files/ibays/rossco/license_server/download_auth.php
_SERVER["PATH_TRANSLATED"] => /home/e-smith/files/ibays/rossco/license_server/download_auth.php
_SERVER["DOCUMENT_ROOT"] =>
_SERVER["REQUEST_TIME_FLOAT"] => 1615558587.2557
_SERVER["REQUEST_TIME"] => 1615558587
_SERVER["argv"] => Array
(
    [0] => /home/e-smith/files/ibays/rossco/license_server/download_auth.php
)

_SERVER["argc"] => 1
_ENV["PATH"] => /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
_ENV["AUTHTYPE"] => PASS
_ENV["IP"] => 192.168.2.1 (nginx proxy)
_ENV["URI"] => /Downloads/SecureOffice/r13710/packages_x86_64/Packages.gz
_ENV["HTTP_HOST"] => www.redacted.org:443


I am not seeing _ENV["REMOTE_IP"] and _ENV["IP"] is nginx proxy.

I am sure I am missing something simple. Throw me a bone?

Thanks;
Bill
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6921
Location: Germany, Next to Hamburg

Posted: Fri 12 Mar '21 21:55

Your config is missing

Code:

RemoteIPProxyProtocol On


$_ENV? This should override $_SERVER["IP"]
rossbcan



Joined: 15 Aug 2018
Posts: 8

Posted: Fri 12 Mar '21 23:56

Thanks for trying...
This is driving me nuts because, according to the docs, it should be working.
James Blond wrote:
Your config is missing

Code:

RemoteIPProxyProtocol On


$_ENV? This should override $_SERVER["IP"]


Not it, result...
"Invalid command 'RemoteIPProxyProtocol', perhaps misspelled or ...."

because: Compatibility: RemoteIPProxyProtocol is only available in httpd 2.4.31 and newer: https://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteipproxyprotocol

Server version: Apache/2.4.6 (CentOS)
rossbcan



Joined: 15 Aug 2018
Posts: 8

Posted: Sat 13 Mar '21 17:55

Further info:

Wireshark confirms Nginx header insertion
X-Real-IP: <redacted client ip>\r\n
X-Forwarded-For: <redacted client ip>\r\n

So, the issue is with mod_remoteip (perhaps apache version dependent)
rossbcan



Joined: 15 Aug 2018
Posts: 8

Posted: Sat 13 Mar '21 21:19

I am pretty sure there is a mod_remoteip bug, at least in apache-2.4.6.

There is a further anomaly that when apache log config is changed from %h (host) to %a (remote ip), when behind a proxy, correct client IPs are logged, which is part of mod_remoteip functionality.

What is not working is _ENV["IP"] as seen by php is the proxy as opposed to client IP address.

I replaced this module with mod_rpaf as a workaround

Instructions:
Code:

# Use mod_rpaf instead
# yum install httpd-devel
# cd /usr/local/src
# wget https://github.com/y-ken/mod_rpaf/raw/master/mod_rpaf-2.0.c
# mv mod_rpaf-2.0.c mod_rpaf-2.4.c
# sed -i 's/remote_/client_/g' mod_rpaf-2.4.c
# apxs -c -n mod_rpaf-2.4.so mod_rpaf-2.4.c
# apxs -i -c -n mod_rpaf-2.4.so mod_rpaf-2.4.c
# To httpd.conf:
LoadModule       rpaf_module modules/mod_rpaf-2.4.so
RPAFenable       On
RPAFproxy_ips    192.168. 10.0.0. 127.0.0.1 ::1
RPAFheader       X-Forwarded-For
RPAFsetHostname  On
RPAFsethttps     Off
RPAFsetport      Off
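
An added example, not part of the thread and not mod_remoteip's or mod_rpaf's own code: a simplified Python model of the right-to-left X-Forwarded-For processing that the mod_remoteip documentation describes, showing why the trusted-proxy list decides whether an IP-based auth check can rely on the result. The function names, the wider trust list and the sample addresses are constructed for illustration.

```python
import ipaddress

def _trusted(addr, nets):
    """True if addr falls inside any trusted proxy network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

def resolve_client_ip(peer_addr, xff_header, trusted_proxies):
    """Simplified model of right-to-left X-Forwarded-For processing.

    Returns (client_ip, leftover_header). The header is only consulted when
    the TCP peer is a trusted proxy; each accepted hop must itself be trusted
    before the hop to its left is believed.
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    client = peer_addr
    while hops and _trusted(client, nets):
        try:
            ipaddress.ip_address(hops[-1])
        except ValueError:
            break  # malformed entry: stop, keep the last verified address
        client = hops.pop()
    return client, (", ".join(hops) or None)

# Constructed sample requests (documentation address ranges, not from the thread).
PROXY_ONLY = ["192.168.2.1"]    # exact proxy address, as in RemoteIPInternalProxy
WHOLE_LAN = ["192.168.0.0/16"]  # constructed wider list, for comparison

def demo():
    return {
        # nginx (192.168.2.1) forwards a request and sets the header itself
        "via_proxy": resolve_client_ip("192.168.2.1", "203.0.113.7", PROXY_ONLY),
        # a host that connects directly cannot assert an address
        "direct": resolve_client_ip("192.168.2.77", "192.0.2.66", PROXY_ONLY),
        # same request, but every LAN host is trusted to assert addresses
        "direct_wide_trust": resolve_client_ip("192.168.2.77", "192.0.2.66", WHOLE_LAN),
        # appended chain: only the entry added by the trusted proxy is believed
        "chain": resolve_client_ip("192.168.2.1", "192.0.2.66, 203.0.113.7", PROXY_ONLY),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} -> {result}")
```

When the resolved address feeds an authorization decision, the trust list should name only the proxy hosts themselves, so that the `direct` case rather than the `direct_wide_trust` case applies to every other machine on the network.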