mod_remoteip.xml revision 2d391792b33e3c27e070739f74d74989c77fea8e
<?xml version="1.0"?>
<!DOCTYPE modulesynopsis SYSTEM "/style/modulesynopsis.dtd">
<?xml-stylesheet type="text/xsl" href="/style/manual.en.xsl"?>
<!-- $LastChangedRevision$ -->

<!--
 Licensed to the Apache Software Foundation (ASF) under one or more
 contributor license agreements. See the NOTICE file distributed with
 this work for additional information regarding copyright ownership.
 The ASF licenses this file to You under the Apache License, Version 2.0
 (the "License"); you may not use this file except in compliance with
 the License. You may obtain a copy of the License at

 http://www.apache.org/licenses/LICENSE-2.0

 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
-->

<modulesynopsis metafile="mod_remoteip.xml.meta">

<name>mod_remoteip</name>
<description>Replaces the original peer IP address for the connection
with the client IP address list presented by proxies or a load balancer
via the request headers.
</description>

<status>Base</status>
<sourcefile>mod_remoteip.c</sourcefile>
<identifier>remoteip_module</identifier>

<summary>
 <p>This module is used to treat the client which initiated the
 request as the originating client as identified by httpd for the
 purposes of authorization and logging, even where that client is
 behind a load balancer, front end server, or proxy server.</p>

 <p>The module overrides the peer IP address for the connection
 with the client IP address reported in the request header configured
 with the <directive>RemoteIPHeader</directive> directive.</p>

 <p>Once replaced as instructed, this overridden client IP address is
 then used for the <module>mod_authz_host</module>
 <directive module="mod_authz_host" type="section">Require ip</directive>
 feature, is reported by <module>mod_status</module>, and is recorded by
 <module>mod_log_config</module> <code>%a</code> and <module>core</module>
 <code>%a</code> format strings. The underlying peer IP of the connection
 is available in the <code>%{c}a</code> format string.</p>

 <note type="warning">It is critical to only enable this behavior from
 intermediate hosts (proxies, etc) which are trusted by this server, since
 it is trivial for the remote client to impersonate another client.</note>
</summary>

<seealso><module>mod_authz_host</module></seealso>
<seealso><module>mod_status</module></seealso>
<seealso><module>mod_log_config</module></seealso>

<section id="processing"><title>Remote IP Processing</title>

 <p>Apache by default identifies the client with the connection's
 peer_ip value, and the connection remote_host and remote_logname are
 derived from this value. Other loadable modules use these fields for
 authentication, authorization, logging and other purposes.</p>

 <p>mod_remoteip overrides the peer IP of the connection with the
 advertised client IP as provided by a proxy or load balancer, for
 the duration of the request. A load balancer might establish a long
 lived keepalive connection with the server, and each request will
 have the correct client IP, even though the underlying peer IP
 address of the load balancer remains unchanged.</p>

 <p>When multiple, comma delimited client IP addresses are listed in the
 header value, they are processed in Right-to-Left order. Processing
 halts when a given client IP address is not trusted to present the
 preceding IP address. The header field is updated to this remaining
 list of unconfirmed IP addresses, or if all IP addresses were trusted,
 this header is removed from the request altogether.</p>

 <p>In overriding the client IP, the module stores the list of intermediate
 hosts in a remoteip-proxy-ip-list note, which <module>mod_log_config</module>
 can record using the <code>%{remoteip-proxy-ip-list}n</code> format token.
If the administrator needs to store this as an additional header, this
same value can also be recorded as a header using the
<directive>RemoteIPProxiesHeader</directive> directive.</p>
<note><title>IPv4-over-IPv6 Mapped Addresses</title>
As with httpd in general, any IPv4-over-IPv6 mapped addresses are recorded
in their IPv4 representation.</note>
<note><title>Internal (Private) Addresses</title>
All internal addresses 10/8, 172.16/12, 192.168/16, 169.254/16 and 127/8
blocks (and IPv6 addresses outside of the public 2000::/3 block) are only
evaluated by mod_remoteip when <directive>RemoteIPInternalProxy</directive>
internal (intranet) proxies are registered.</note>
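 <p>The right-to-left walk described in this section, worked through in Python as an added example that is not part of httpd or mod_remoteip. It models the trust rules above: an internal proxy may vouch for any address, a trusted proxy may not present a private address as the client, an untrusted hop stops processing and leaves the remainder in the header, and the vouching trusted hops are what the <code>remoteip-proxy-ip-list</code> note records. Proxy lists are given as CIDR strings (hostnames are not resolved here), IPv4-over-IPv6 mapped addresses are reduced to IPv4 as the note above describes, and all sample addresses are constructed.</p>

```python
import ipaddress

# Address blocks the documentation lists as internal (private) space.
INTERNAL_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8")]
PUBLIC_V6 = ipaddress.ip_network("2000::/3")


def normalize(addr_text):
    """Parse one address; IPv4-over-IPv6 mapped addresses become IPv4,
    matching how httpd records them."""
    ip = ipaddress.ip_address(addr_text.strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_internal(ip):
    """True for addresses that mod_remoteip only accepts from internal proxies."""
    if ip.version == 6:
        return ip not in PUBLIC_V6
    return any(ip in net for net in INTERNAL_V4)


def resolve_client_ip(peer_ip, header_value, trusted=(), internal=()):
    """Walk the comma-separated header right-to-left.

    Returns (client_ip, remaining_header, proxy_list):
      client_ip        -- address httpd would now treat as the client
      remaining_header -- value left in RemoteIPHeader, None if fully consumed
      proxy_list       -- vouching trusted hops, in order (internal hops are
                          discarded, as RemoteIPProxiesHeader documents)
    With neither list configured every presenting host is trusted, but is
    treated like a trusted (not internal) proxy, so private addresses are
    still not accepted as the client.
    """
    trusted_nets = [ipaddress.ip_network(n) for n in trusted]
    internal_nets = [ipaddress.ip_network(n) for n in internal]
    trust_all = not trusted_nets and not internal_nets
    hops = [h.strip() for h in header_value.split(",") if h.strip()]
    client = normalize(peer_ip)
    proxy_list = []
    while hops:
        # May the hop that handed us this list vouch for the next address?
        if any(client in n for n in internal_nets):
            via_internal = True
        elif trust_all or any(client in n for n in trusted_nets):
            via_internal = False
        else:
            break                       # untrusted hop: stop, keep remainder
        try:
            candidate = normalize(hops[-1])
        except ValueError:
            break                       # unparseable token: stop, keep it
        # A non-internal proxy may not present private space as the client.
        if not via_internal and is_internal(candidate):
            break
        hops.pop()
        if not via_internal:
            proxy_list.append(str(client))
        client = candidate
    remaining = ", ".join(hops) if hops else None
    return str(client), remaining, proxy_list


if __name__ == "__main__":
    # Constructed sample: balancer 10.0.2.5 is internal, 203.0.113.7 is a
    # trusted external proxy and 198.51.100.20 is the real client.
    print(resolve_client_ip("10.0.2.5", "198.51.100.20, 203.0.113.7",
                            trusted=["203.0.113.0/24"], internal=["10.0.2.0/24"]))
    # A client-supplied list is not believed past the first untrusted hop.
    print(resolve_client_ip("10.0.2.5", "8.8.8.8, 7.7.7.7", internal=["10.0.2.0/24"]))
```

 <p>The second call in the usage block is the case the warning in the summary is about: the hop <code>7.7.7.7</code> becomes the client address because the internal balancer vouched for it, but the <code>8.8.8.8</code> it claims to forward for is left unconfirmed in the header, because <code>7.7.7.7</code> itself is not a registered proxy.</p>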
</section>
<directivesynopsis>
<name>RemoteIPHeader</name>
<description>Declare the header field which should be parsed for client IP addresses</description>
<syntax>RemoteIPHeader <var>header-field</var></syntax>
<contextlist><context>server config</context><context>virtual host</context></contextlist>
<usage>
<p>The <directive>RemoteIPHeader</directive> directive triggers
<module>mod_remoteip</module> to treat the value of the specified
<var>header-field</var> header as the client IP address, or list
of intermediate client IP addresses, subject to further configuration
of the <directive>RemoteIPInternalProxy</directive> and
<directive>RemoteIPTrustedProxy</directive> directives. Unless these
other directives are used, <module>mod_remoteip</module> will trust all
hosts presenting a <directive>RemoteIPHeader</directive> IP value.</p>
<example><title>Internal (Load Balancer) Example</title>
RemoteIPHeader X-Client-IP
</example>
<example><title>Proxy Example</title>
RemoteIPHeader X-Forwarded-For
</example>
</usage>
</directivesynopsis>
<directivesynopsis>
<name>RemoteIPInternalProxy</name>
<description>Declare client intranet IP addresses trusted to present the RemoteIPHeader value</description>
<syntax>RemoteIPInternalProxy <var>proxy-ip</var>|<var>proxy-ip/subnet</var>|<var>hostname</var> ...</syntax>
<contextlist><context>server config</context><context>virtual host</context></contextlist>
<usage>
<p>The <directive>RemoteIPInternalProxy</directive> directive adds one
or more addresses (or address blocks) to trust as presenting a valid
RemoteIPHeader value of the client IP. Unlike the
<directive>RemoteIPTrustedProxy</directive> directive, any IP address
presented in this header, including private intranet addresses, is
trusted when passed from these proxies.</p>
<example><title>Internal (Load Balancer) Example</title>
RemoteIPHeader X-Client-IP<br/>
RemoteIPInternalProxy 10.0.2.0/24<br/>
RemoteIPInternalProxy gateway.localdomain
</example>
</usage>
</directivesynopsis>
<directivesynopsis>
<name>RemoteIPInternalProxyList</name>
<description>Declare client intranet IP addresses trusted to present the RemoteIPHeader value</description>
<syntax>RemoteIPInternalProxyList <var>filename</var></syntax>
<contextlist><context>server config</context><context>virtual host</context></contextlist>
<usage>
<p>The <directive>RemoteIPInternalProxyList</directive> directive specifies
a file parsed at startup, and builds a list of addresses (or address blocks)
to trust as presenting a valid RemoteIPHeader value of the client IP.</p>
<p>The '<code>#</code>' hash character designates a comment line, otherwise
each whitespace or newline separated entry is processed identically to
the <directive>RemoteIPInternalProxy</directive> directive.</p>
<example><title>Internal (Load Balancer) Example</title>
RemoteIPHeader X-Client-IP<br/>
RemoteIPInternalProxyList conf/trusted-proxies.lst
</example>
<example><title>conf/trusted-proxies.lst contents</title>
# Our internally trusted proxies;<br/>
10.0.2.0/24 #Everyone in the testing group<br/>
gateway.localdomain #The front end balancer
</example>
</usage>
</directivesynopsis>
<directivesynopsis>
<name>RemoteIPProxiesHeader</name>
<description>Declare the header field which will record all intermediate IP addresses</description>
<syntax>RemoteIPProxiesHeader <var>HeaderFieldName</var></syntax>
<contextlist><context>server config</context><context>virtual host</context></contextlist>
<usage>
<p>The <directive>RemoteIPProxiesHeader</directive> directive specifies
a header into which <module>mod_remoteip</module> will collect a list of
all of the intermediate client IP addresses trusted to resolve the client
IP of the request. Note that intermediate
<directive>RemoteIPTrustedProxy</directive> addresses are recorded in
this header, while any intermediate
<directive>RemoteIPInternalProxy</directive> addresses are discarded.</p>
<example><title>Example</title>
RemoteIPHeader X-Forwarded-For<br/>
RemoteIPProxiesHeader X-Forwarded-By
</example>
</usage>
</directivesynopsis>
<directivesynopsis>
<name>RemoteIPTrustedProxy</name>
<description>Declare client IP addresses trusted to present the RemoteIPHeader value</description>
<syntax>RemoteIPTrustedProxy <var>proxy-ip</var>|<var>proxy-ip/subnet</var>|<var>hostname</var> ...</syntax>
<contextlist><context>server config</context><context>virtual host</context></contextlist>
<usage>
<p>The <directive>RemoteIPTrustedProxy</directive> directive adds one
or more addresses (or address blocks) to trust as presenting a valid
RemoteIPHeader value of the client IP. Unlike the
<directive>RemoteIPInternalProxy</directive> directive, any intranet
or private IP address reported by such proxies, including the 10/8, 172.16/12,
192.168/16, 169.254/16 and 127/8 blocks (or outside of the IPv6 public
2000::/3 block), is not trusted as the client IP, and is left in the
<directive>RemoteIPHeader</directive> header's value.</p>
<example><title>Trusted (Load Balancer) Example</title>
RemoteIPHeader X-Forwarded-For<br/>
RemoteIPTrustedProxy 10.0.2.16/28<br/>
RemoteIPTrustedProxy proxy.example.com
</example>
</usage>
</directivesynopsis>
<directivesynopsis>
<name>RemoteIPTrustedProxyList</name>
<description>Declare client IP addresses trusted to present the RemoteIPHeader value</description>
<syntax>RemoteIPTrustedProxyList <var>filename</var></syntax>
<contextlist><context>server config</context><context>virtual host</context></contextlist>
<usage>
<p>The <directive>RemoteIPTrustedProxyList</directive> directive specifies
a file parsed at startup, and builds a list of addresses (or address blocks)
to trust as presenting a valid RemoteIPHeader value of the client IP.</p>
<p>The '<code>#</code>' hash character designates a comment line, otherwise
each whitespace or newline separated entry is processed identically to
the <directive>RemoteIPTrustedProxy</directive> directive.</p>
<example><title>Trusted (Load Balancer) Example</title>
RemoteIPHeader X-Forwarded-For<br/>
RemoteIPTrustedProxyList conf/trusted-proxies.lst
</example>
<example><title>conf/trusted-proxies.lst contents</title>
# Identified external proxies;<br/>
192.0.2.16/28 #wap phone group of proxies<br/>
proxy.isp.example.com #some well known ISP
</example>
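<p>A reader for this list file format, shared by <directive>RemoteIPTrustedProxyList</directive> and <directive>RemoteIPInternalProxyList</directive>, as an added example that is not the module's own parser. It applies the rules above (whitespace or newline separated entries, a token starting with <code>#</code> commenting out the rest of its line, which is what lets the trailing comments in the sample file work), classifies each entry as address, subnet or hostname as the directive syntax allows, and can match a peer address against the result. The sample file contents, the rejection of subnet entries with host bits set, and the <code>resolve</code> callback for hostname entries are this example's own choices.</p>

```python
import ipaddress

# Constructed sample, modelled on the documentation's conf/trusted-proxies.lst.
SAMPLE_LIST = """\
# Identified external proxies;
192.0.2.16/28 #wap phone group of proxies
proxy.isp.example.com #some well known ISP

10.0.2.7
"""


def classify_entry(entry):
    """Return ('ip', address), ('subnet', network) or ('hostname', text),
    the three forms the directive syntax accepts. A subnet with host bits
    set (e.g. 10.0.2.1/24) is rejected here so a typo fails at startup."""
    if "/" in entry:
        return ("subnet", ipaddress.ip_network(entry, strict=True))
    try:
        return ("ip", ipaddress.ip_address(entry))
    except ValueError:
        # Anything that is not an address is taken to be a hostname.
        if not entry or any(c.isspace() for c in entry):
            raise ValueError("bad hostname entry: %r" % entry)
        return ("hostname", entry)


def parse_proxy_list(text):
    """Parse the list file: entries are whitespace or newline separated and
    a token beginning with '#' comments out the remainder of its line."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for token in line.split():
            if token.startswith("#"):
                break                   # rest of this line is a comment
            try:
                entries.append(classify_entry(token))
            except ValueError as exc:
                raise ValueError("line %d: %s" % (lineno, exc)) from exc
    return entries


def is_listed(entries, addr_text, resolve=None):
    """Does addr_text match any parsed entry? Hostname entries are checked
    through the caller-supplied resolve(hostname), which returns a list of
    address strings; with no resolver they never match, so this runs offline."""
    ip = ipaddress.ip_address(addr_text)
    for kind, value in entries:
        if kind == "ip" and ip == value:
            return True
        if kind == "subnet" and ip in value:
            return True
        if kind == "hostname" and resolve is not None:
            if any(ipaddress.ip_address(a) == ip for a in resolve(value)):
                return True
    return False


if __name__ == "__main__":
    parsed = parse_proxy_list(SAMPLE_LIST)
    for kind, value in parsed:
        print(kind, value)
    print(is_listed(parsed, "192.0.2.20"), is_listed(parsed, "192.0.2.40"))
```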
</usage>
</directivesynopsis>
</modulesynopsis>