Apache-ForwardedFor
Transfer X-Forwarded-For or Forwarded-For header to the remote_ip so requests will have the original client's IP when running behind a reverse proxy server.
lib/Apache/ForwardedFor.pm view on Meta::CPAN
# $TRACE = 1;
}
use Apache::Constants qw(DECLINED);
sub handler {
    my $r = shift;
    my $fwd_ips = $r->header_in('X-Forwarded-For');
    # $TRACE && warn(__PACKAGE__." bypassed - no X-Forward-For header") and
    return DECLINED unless $fwd_ips;
    # warn(__PACKAGE__." X-Forwarded-For header: $fwd_ips") if $TRACE;
    # Block based on Remove / Add AcceptForwarder values
    my %deny = map { $_ => 1 } $r->dir_config->get('ForwardedForDeny');
    if (exists $deny{$r->connection->remote_ip}) {
        # warn(__PACKAGE__." handling for IP ".$r->connection->remote_ip." refused by RemoveAcceptForwarder directive") if $TRACE;
        return DECLINED;
    }
    my %accept = map { $_ => 1 } $r->dir_config->get('ForwardedForAccept');
    if (!exists $accept{$r->connection->remote_ip} && keys %accept) {
lib/Apache/ForwardedFor.pm view on Meta::CPAN
# Return declined to continue handling at this phase...
DECLINED;
}
=head1 NAME
Apache::ForwardedFor - Re-set remote_ip to incoming client's ip when running mod_perl behind a reverse proxy server.
In other words, copy the first IP from B<X-Forwarded-For> header, which was set by your reverse proxy server,
to the B<remote_ip> connection property.
=head1 SYNOPSIS
In httpd.conf:
    PerlModule Apache::ForwardedFor
    PerlPostReadRequestHandler Apache::ForwardedFor
    PerlSetVar ForwardedForAccept 192.168.1.1
lib/Apache/ForwardedFor.pm view on Meta::CPAN
After:
    +--------+     +-------------+     +----------------+
    | Client | <-> | httpd/proxy | <-> | httpd/mod_perl |
    +--------+     +-------------+     +----------------+
    My IP          My IP               My IP
    2.3.4.5        2.9.1.2             192.168.1.2
                   remote_ip           remote_ip
                   2.3.4.5             2.3.4.5
This program takes advantage of the existence of the X-Forwarded-For
header, which is automatically added by software such as mod_proxy and Squid.
The header is ordinary request data, so a savvy user who sets their own
X-Forwarded-For header could potentially be considered as coming from a trusted
IP.
To ensure some measure of security: 1 - make sure you can trust the
httpd/proxy machine (i.e. it is in your organization); 2 - set this module to
accept X-Forwarded-For headers only from this machine.
From my understanding of the X-Forwarded-For header - each proxy server
will prepend the remote_ip to this header. That means that if the request passes
through several proxies we want to pick up only the last proxy's change - which
is the first IP found in this header.
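The trust decision described above, as an added example that is not code from Apache::ForwardedFor: the header is honoured only when the connecting peer is an accepted proxy and not a denied one. It assumes each proxy appends the address it saw to the end of the header, so it reads from the right instead of taking the first entry as the module does, and it treats an empty accept list as "trust nobody"; `effective_client_ip` and the sample addresses are constructed for illustration.

```perl
use strict;
use warnings;

# Added example, not Apache::ForwardedFor code. effective_client_ip() is a
# hypothetical helper; all addresses below are constructed sample values.
#   $peer   - address of the TCP peer (remote_ip before any rewriting)
#   $xff    - raw X-Forwarded-For value, may be undef
#   $accept - array ref: proxies allowed to supply the header
#   $deny   - array ref: peers never allowed to supply it
sub effective_client_ip {
    my ($peer, $xff, $accept, $deny) = @_;
    my %accept = map { $_ => 1 } @$accept;
    my %deny   = map { $_ => 1 } @$deny;

    return $peer if $deny{$peer};          # Deny first, then Accept
    return $peer unless $accept{$peer};    # assumption: empty list trusts nobody
    return $peer unless defined $xff && length $xff;

    (my $list = $xff) =~ s/^\s+|\s+$//g;
    my @hops = grep { length } split /\s*,\s*/, $list;

    # Assumption: each proxy appends the address it saw, so read from the
    # right and stop at the first entry that is not one of our own proxies.
    while (@hops) {
        my $ip = pop @hops;
        # Shape check only: a malformed entry makes us ignore the header.
        return $peer unless $ip =~ /\A(?:\d{1,3}\.){3}\d{1,3}\z/;
        return $ip unless $accept{$ip};
    }
    return $peer;                          # header named only trusted proxies
}

my @accept = ('192.168.1.1');              # proxy address from the SYNOPSIS
my @cases  = (
    # [ peer, header ]
    [ '203.0.113.9', '192.0.2.7' ],            # untrusted peer sends a header
    [ '192.168.1.1', '2.3.4.5' ],              # proxy appended the client
    [ '192.168.1.1', '10.0.0.1, 2.3.4.5' ],    # client-supplied entry first
    [ '192.168.1.1', undef ],                  # proxy sent no header
);
for my $c (@cases) {
    my ($peer, $xff) = @$c;
    printf "peer=%-12s xff=%-20s -> %s\n", $peer,
        defined $xff ? $xff : '(none)',
        effective_client_ip($peer, $xff, \@accept, []);
}
```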
=head1 USAGE
At this time you simply need to load the module and add it to the
PerlPostReadRequestHandler phase of your mod_perl-enabled httpd.
=head1 APACHE CONFIGURATION
lib/Apache/ForwardedFor.pm view on Meta::CPAN
B<N.B.> - if you specify both Accept and Deny items then you effectively
follow the logic of Deny first, then Accept afterwards. This is virtually
pointless but will be more useful when/if netblock support is added.
=head1 BUGS
Please report your bugs and suggestions for improvement to
info@infonium.com ... For faster service please
include "Apache::ForwardedFor" and "bug" in your subject line.
I have not yet found written documentation on the usage of the X-Forwarded-For
header. My implementation assumes that the first IP in the incoming header
is for your (the most recent) proxy server.
=head1 SUPPORT
For technical support please email to
info@infonium.com ... for faster service please
include "Apache::ForwardedFrom" and "help" in your subject line.
=head1 AUTHOR