==============
mod_extforward
==============

.. contents::

Overview
========

Comman Kang <comman.kang at gmail.com> sent me: ::

  Hello jan.

  I've made something rough but similar to mod_extract_forwarded for
  Apache. This module will extract the client's "real" ip from
  X-Forwarded-For header which is added by squid or other proxies. It might be
  useful for servers behind reverse proxy servers.

  However, this module is causing segfault with mod_ssl or
  $HTTP{''socket"} directive, crashing in config_check_cond while patching
  connection, I do not understand architecture of the lighttpd well, does it
  need to call patch_connection in either handle_request_done and
  connection_reset ?

Lionel Elie Mamane <[email protected]> improved the patch: ::

  I've taken lighttpd-1.4.10-mod_extforward.c from the wiki and I've
  extended it. Here is the result.

  Major changes:

   - IPv6 support

   - Fixed at least one segfault with SERVER['socket']

   - Arrange things so that a url.access-deny under scope of a
     HTTP['remoteip'] condition works well :)

  I've commented the code in some places, mostly where I wasn't sure
  what was going on, or I didn't see what the original author meant to
  do.

Options
=======

extforward.forwarder
  Sets the trust level of proxy IPs.

  Default: empty

  Example: ::

    extforward.forwarder = ("10.0.0.232" => "trust")

  will translate IP addresses coming from 10.0.0.232 to the real IP addresses extracted from the "X-Forwarded-For" or "Forwarded-For" HTTP request header.

extforward.headers
  Sets the headers to search for the original addresses.

  Example (for use with a Zeus ZXTM loadbalancer): ::

    extforward.headers = ("X-Cluster-Client-Ip")

  Default: empty, results in searching for "X-Forwarded-For" and "Forwarded-For"

Note
=======

The effect of this module on $HTTP["remoteip"] directives and on other modules' remote-IP-dependent actions varies.
Things done by modules before we change the remote IP, or after we reset it, will match on the proxy's IP.
Things done in between these two moments will match on the real client's IP.
When a module acts depends on which hook it uses and, within the same hook,
on whether it comes before or after us in the module loading order
(the order in the server.modules directive in the config file).

Tested behaviours:

  mod_access: Will match on the real client.

  mod_accesslog:
    In order to see the "real" IP address in the access log,
    you'll have to load mod_extforward after mod_accesslog,
    like this: ::

      server.modules = (
        .....
        "mod_accesslog",
        "mod_extforward"
      )

Samples
=======

Trust proxy 10.0.0.232 and 10.0.0.233 ::

  extforward.forwarder = (
    "10.0.0.232" => "trust",
    "10.0.0.233" => "trust",
  )

Trust all proxies (NOT RECOMMENDED!) ::

  extforward.forwarder = ( "all" => "trust")

Note that "all" has precedence over specific entries, so "all except" setups will not work.
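
As an added example (not part of lighttpd or of the original page), the following Python check reads a lighttpd config and flags the pitfalls described above: ``"all" => "trust"`` in extforward.forwarder, specific entries listed next to "all", and mod_extforward loaded before mod_accesslog. The sample config is constructed, and the regex parsing assumes flat arrays with no nested parentheses and no ``#`` inside strings.

```python
import re

# Constructed sample config (not taken from a real server).
SAMPLE_CONF = '''
server.modules = (
    "mod_access",
    "mod_extforward",   # loaded too early for mod_accesslog
    "mod_accesslog"
)
extforward.forwarder = (
    "all" => "trust",
    "10.0.0.232" => "trust",
)
'''

def _block(conf, key):
    """Return the text inside `key = ( ... )`, or None if the key is absent."""
    m = re.search(re.escape(key) + r'\s*=\s*\((.*?)\)', conf, re.S)
    return m.group(1) if m else None

def audit_extforward(conf):
    """Return findings for the mod_extforward settings this page documents."""
    findings = []
    conf = re.sub(r'#[^\n]*', '', conf)  # drop comments (simplified)

    fwd = _block(conf, 'extforward.forwarder')
    if fwd is not None:
        entries = dict(re.findall(r'"([^"]+)"\s*=>\s*"([^"]+)"', fwd))
        if entries.get('all') == 'trust':
            findings.append('forwarder: "all" => "trust" treats every peer '
                            'as a trusted proxy')
        if 'all' in entries and len(entries) > 1:
            findings.append('forwarder: "all" has precedence, so the '
                            'specific entries have no effect')

    mods = _block(conf, 'server.modules')
    if mods is not None:
        order = re.findall(r'"(mod_\w+)"', mods)
        if 'mod_extforward' in order and 'mod_accesslog' in order:
            if order.index('mod_extforward') < order.index('mod_accesslog'):
                findings.append('modules: mod_extforward is loaded before '
                                'mod_accesslog')
    return findings

if __name__ == '__main__':
    for finding in audit_extforward(SAMPLE_CONF):
        print('WARN', finding)
```
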