
mod_rpaf's Issues

wildcard mask of 10.0.0.0/8 does not translate to proper ip addresses

Unless I set a specific load balancer IP in the config file via:
RPAFproxy_ips
the resolved IP is always the IP of the load balancer, even though it's in the proper 10.x.x.x subnet.
After adding the IP of the load balancer directly (without a subnet mask), the logfile shows the proper external IP.

Apache 2.4 mod_proxy_fcgi and mod_rpaf don't forward translated REMOTE_ADDR to FPMs

We have configs (frontend reverse proxy (mostly nginx or haproxy) + Apache 2.4 + mod_rpaf + php-fpm 5.5) like:

<VirtualHost *:80>
    DocumentRoot /www/sitename.ru
    ServerName sitename.ru
    ServerAlias www.sitename.ru
    RequestHeader set X-RESELLER "24224234"
    RequestHeader set X-SITE-FOLDER "sitename.ru"
    CustomLog /var/log/apache/sitename.ru_access_log combined
    ErrorLog /var/log/apache/sitename.ru_error_log

    ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9061/www/sitename.ru/$1

    <Directory /www/sitename.ru>
        Options -Indexes
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

The php-fpm config is default, except listen port.

We see the proper/translated IP address in the Apache logs, but PHP's $_SERVER['REMOTE_ADDR'] is the address of the reverse proxy host (our LAN IP from 10.*.*.*).

Please help to resolve this problem.

when RPAF_SetHTTPS is on, rpaf doesn't replace ip address

When using

RPAF_SetHTTPS           Off

Everything is fine, but if I enable it, some connections are OK and soon the IP address is no longer replaced with the real IP. I have to wait some seconds, then it works again and immediately fails again.
When it fails, I checked in PHP and I have:
_SERVER["REMOTE_ADDR"] = 10.249.2.2
_SERVER["HTTP_X_FORWARDED_FOR"] = (my ip address)
So it should be replaced but it is not.

Configuration:

Ubuntu 12.04 (docker image)
RPAF_ProxyIPs  10.249.0.0/16

DESTDIR fails. Building on CentOS6

When I try to pass the DESTDIR=/foo/bar parameter, it fails with:

make install DESTDIR=/root/fpm/tmp/mod_rpaf
./apxs.sh -c -n mod_rpaf.so mod_rpaf.c
/usr/lib64/apr-1/build/libtool --silent --mode=compile gcc -prefer-pic   -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -pthread -I/usr/local/include  -I/usr/include/apr-1   -I/usr/include/apr-1   -c -o mod_rpaf.lo mod_rpaf.c && touch mod_rpaf.slo
/usr/lib64/apr-1/build/libtool --silent --mode=link gcc -o mod_rpaf.la  -rpath /usr/local/libexec -module -avoid-version    mod_rpaf.lo
./apxs.sh -i -S LIBEXECDIR=/root/fpm/tmp/mod_rpaf$(./apxs.sh -q LIBEXECDIR)/ -n mod_rpaf.so mod_rpaf.la
/usr/local/httpd/build/instdso.sh SH_LIBTOOL='/usr/lib64/apr-1/build/libtool' mod_rpaf.la /root/fpm/tmp/mod_rpaf/usr/local/libexec/
/usr/lib64/apr-1/build/libtool --mode=install cp mod_rpaf.la /root/fpm/tmp/mod_rpaf/usr/local/libexec//
libtool: install: cp .libs/mod_rpaf.so /root/fpm/tmp/mod_rpaf/usr/local/libexec/mod_rpaf.so
cp: cannot create regular file `/root/fpm/tmp/mod_rpaf/usr/local/libexec/mod_rpaf.so': No such file or directory
apxs:Error: Command failed with rc=65536
.
make: *** [install] Error 1

As you can see, it puts a // here: /usr/lib64/apr-1/build/libtool --mode=install cp mod_rpaf.la /root/fpm/tmp/mod_rpaf/usr/local/libexec//

In the Makefile changing install to:

$(APXS) -i -S LIBEXECDIR=$(DESTDIR)$$($(APXS) -q LIBEXECDIR) -n mod_rpaf.so mod_rpaf.la

drops the extra / but still fails to install to my DESTDIR.

make install DESTDIR=/root/fpm/tmp/mod_rpaf
./apxs.sh -c -n mod_rpaf.so mod_rpaf.c
/usr/lib64/apr-1/build/libtool --silent --mode=compile gcc -prefer-pic   -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -pthread -I/usr/local/include  -I/usr/include/apr-1   -I/usr/include/apr-1   -c -o mod_rpaf.lo mod_rpaf.c && touch mod_rpaf.slo
/usr/lib64/apr-1/build/libtool --silent --mode=link gcc -o mod_rpaf.la  -rpath /usr/local/libexec -module -avoid-version    mod_rpaf.lo
./apxs.sh -i -S LIBEXECDIR=/root/fpm/tmp/mod_rpaf$(./apxs.sh -q LIBEXECDIR) -n mod_rpaf.so mod_rpaf.la
/usr/local/httpd/build/instdso.sh SH_LIBTOOL='/usr/lib64/apr-1/build/libtool' mod_rpaf.la /root/fpm/tmp/mod_rpaf/usr/local/libexec
/usr/lib64/apr-1/build/libtool --mode=install cp mod_rpaf.la /root/fpm/tmp/mod_rpaf/usr/local/libexec/
libtool: install: cp .libs/mod_rpaf.so /root/fpm/tmp/mod_rpaf/usr/local/mod_rpaf.so
cp: cannot create regular file `/root/fpm/tmp/mod_rpaf/usr/local/mod_rpaf.so': No such file or directory
apxs:Error: Command failed with rc=65536
.
make: *** [install] Error 1

Now if I change the install line to:

$(APXS) -i -S LIBEXECDIR=$(DESTDIR)$($(APXS) -q LIBEXECDIR) -n mod_rpaf.so mod_rpaf.la

the install seems to complete into the DESTDIR:

make install DESTDIR=/root/fpm/tmp/mod_rpaf
./apxs.sh -c -n mod_rpaf.so mod_rpaf.c
/usr/lib64/apr-1/build/libtool --silent --mode=compile gcc -prefer-pic   -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -pthread -I/usr/local/include  -I/usr/include/apr-1   -I/usr/include/apr-1   -c -o mod_rpaf.lo mod_rpaf.c && touch mod_rpaf.slo
/usr/lib64/apr-1/build/libtool --silent --mode=link gcc -o mod_rpaf.la  -rpath /usr/local/libexec -module -avoid-version    mod_rpaf.lo
./apxs.sh -i -S LIBEXECDIR=/root/fpm/tmp/mod_rpaf -n mod_rpaf.so mod_rpaf.la
/usr/local/httpd/build/instdso.sh SH_LIBTOOL='/usr/lib64/apr-1/build/libtool' mod_rpaf.la /root/fpm/tmp/mod_rpaf
/usr/lib64/apr-1/build/libtool --mode=install cp mod_rpaf.la /root/fpm/tmp/mod_rpaf/
libtool: install: cp .libs/mod_rpaf.so /root/fpm/tmp/mod_rpaf/mod_rpaf.so
libtool: install: cp .libs/mod_rpaf.lai /root/fpm/tmp/mod_rpaf/mod_rpaf.la
libtool: install: cp .libs/mod_rpaf.a /root/fpm/tmp/mod_rpaf/mod_rpaf.a
libtool: install: chmod 644 /root/fpm/tmp/mod_rpaf/mod_rpaf.a
libtool: install: ranlib /root/fpm/tmp/mod_rpaf/mod_rpaf.a
libtool: install: warning: remember to run `libtool --finish /usr/local/libexec'
chmod 755 /root/fpm/tmp/mod_rpaf/mod_rpaf.so

But there is only mod_rpaf.so in there, it does not create /usr/local/libexec inside my DESTDIR. Kinda lost after this point. Thanks for any info or help getting this to work with DESTDIR as I am trying to package this.

Intermittently seeing wrong port

On our production server, with mod_rpaf installed, we intermittently see requests where the port has been set to 443, even though the request has no X-Port or X-Forwarded-Port header, and reached apache via port 80.

Both the server logs and PHP's $_SERVER['SERVER_PORT'] variable show 443. It happens anywhere from 3 in 20 to 12 in 20 times.

Any advice on how to debug the issue?

issue with OVH IP-Load-Balancing over HTTPS

We have the IP-Load-Balancing service in OVH, configured with 2 dedicated servers as backends.
We have activated mod_rpaf on these two backends, because we need to know the real IP.

All runs fine over HTTP: the X-FORWARDED-FOR header arrives with the real IP. OK!
BUT this header doesn't exist over HTTPS.

What can we do to solve this problem?

Thanks.
Rafa.

Alternate apxs binary locations

On my system I have my apxs2 file located here: /usr/local/apache2/bin/apxs2

The apxs.sh file does not take this into account or properly locate apxs2, thus my build fails. There also doesn't appear to be a way to specify this at build time.

IP address is incorrect in Apache access logs

After an upgrade from 0.6 to 0.8.4, the IP address is no longer correctly defined in the Apache access logs but is still correct in ErrorLog file and the server-status page: the IP address of the proxy is shown in the access logs, instead.

I'm running Debian/jessie with Apache 2.4.10-10 and can reproduce the issue on two distinct machines, both running the same environment.

mod_rpaf configuration:

<IfModule rpaf_module>
    RPAF_Enable On
    RPAF_ProxyIPs 127.0.0.1 ::1
</IfModule>

Apache logs configuration:

ErrorLog ${APACHE_LOG_DIR}/error.log
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined

Logs extract (10.10.0.254 is the client IP address and 127.0.0.1 is the proxy):

==> /var/log/apache2/webfinance.jessie.cyb.isvtec.com-error.log <==
[Thu Jun 04 14:39:50.587886 2015] [authz_core:error] [pid 24932] [client 10.10.0.254:48088] AH01630: client denied by server configuration: /home/cyb/Dropbox/Code/webfinance/htdocs/favicon.ico

==> /var/log/apache2/webfinance.jessie.cyb.isvtec.com-access.log <==
webfinance.jessie.cyb.isvtec.com:80 127.0.0.1 - - [04/Jun/2015:14:39:50 +0200] "GET /favicon.ico HTTP/1.1" 403 498 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.81 Safari/537.36"

server-status page:

# w3m http://localhost/server-status | grep fav
0-0 24929 0/3/ _ 0.01 406 0   0.0  0.00  0.00 10.10.0.254 webfinance.jessie.cyb.isvtec.co GET /favicon.ico HTTP/1.1

httpd restart error

After installing mod_rpaf and restarting httpd, it shows this error:

Stopping httpd: [ OK ]
Starting httpd: httpd: Syntax error on line 230 of /etc/httpd/conf/httpd.conf: Syntax error on line 1 of /etc/httpd/conf.d/mod_rpaf.conf: Cannot load /etc/httpd/modules/mod_rpaf.so into server: /etc/httpd/modules/mod_rpaf.so: undefined symbol: ap_log_rerror_

Drop debian/ directory

just a reminder

On 28/12/12 01:33, Sergey B Kirpichev wrote:
>  Geoffrey, would you like to drop debian/ directory from your tarball
>  (you can use e.g. debian branch to keep these files)?

Yes, I can and will do this next free chance I get.

-Geoff

Question related to a chain of proxies IP in X-Forwarded-For

My webserver is behind 3 proxy servers. If I run phpinfo() on Apache server _SERVER["HTTP_X_FORWARDED_FOR"] header has 4 IP values. The first one is the visitor's IP, the other three are proxies IPs.

If I set up RPAF_ProxyIPs for those 3 proxies' IPs, will it eliminate them from the X-Forwarded-For header, leaving only the visitor's IP, or will it eliminate only the last IP? I installed the mod_rpaf Debian package and it is not working for multiple IPs, only for two. I read articles about some modifications inside the mod_rpaf.c file for dealing with a chain of IPs. Is your default file able to deal with this?

Thank you.

Wrong IP in logs in error scenario

Examples:

  1. If you request HTTP on an HTTPS port, this results in an error 400 (Bad Request). The IP shown in the access_log is not modified by rpaf:

     $ curl -k -v -H'X-Forwarded-For: 10.10.10.10' http://localhost:443/
     127.0.0.1 - - [29/Sep/2017:10:28:31 +0200] "GET / HTTP/1.0" 400 ..

  2. If you use mod_php and request /exception.php, which contains <?php throw new Exception("test");, then the IP in the access_log is modified by rpaf but the IP in the error_log is not:

     $ curl -k -v -H'X-Forwarded-For: 10.10.10.10' https://localhost:443/exception.php
     10.10.10.10 - - [29/Sep/2017:10:27:21 +0200] "GET /exception.php HTTP/1.1" 500
     [Fri Sep 29 10:27:21.257548 2017] [-:error] [pid 21:tid -] [client 127.0.0.1:52788] PHP Fatal error:  Uncaught exception 'Exception' with message 'test' ..

Port and HTTPS often corrupted

If I access a page directly on port 80 with plain HTTP, it still shows SERVER_PORT=443 and REQUEST_SCHEME=https.
Used config:
RPAF_Enable On
RPAF_ProxyIPs 127.0.0.1
RPAF_Header X-Forwarded-For
RPAF_SetHostName Off
RPAF_SetHTTPS On
RPAF_SetPort On
To reproduce, just access a page via the proxy first and then access it directly a few times (I suppose the corruption occurs in the httpd processes).

RPAF_SetHTTPS and RPAF_SetPort are very useful features, because only they allow securely determining the HTTPS protocol. With mod_remoteip this is not possible, because anyone else can set headers.
I also tried, with mod_remoteip, setting https=on based on server_addr=127.0.0.1 with SetEnvIf, but in that case both of these variables are not visible or usable in an <If> condition in .htaccess.

v0.8.4-rc1 doesn't work for IPv6 client IPs

We're using mod_rpaf behind a Pound proxy. When updating from 0.8.2 to 0.8.4-rc1 we observed that requests from IPv6 client IPs weren't treated by mod_rpaf while IPv4 clients are still treated correctly.

Pound is running on our host "kaus.uberspace.de", listening to "::" (all IPv4 and IPv6 addresses), both on ports 80 and 443. It is configured to use 185.26.156.16 port 81 as its backend which is an Apache running with mod_rpaf. This is the mod_rpaf configuration on that host:

RPAF_Enable             On
RPAF_ProxyIPs           185.26.156.16
RPAF_Header             X-Forwarded-For
RPAF_SetHostName        On
RPAF_SetHTTPS           On
RPAF_SetPort            On

At https://phpinfo.kaus.uberspace.de/ a phpinfo() page is set up to show environment variables. Calling the URL by IPv4 (from 185.26.156.4 as the client) everything works as expected; the X-Forwarded-For address is correctly put into REMOTE_ADDR, SERVER_PORT is correctly set to port 443, and so on:

$ curl -4 -s https://phpinfo.kaus.uberspace.de/ | grep -E "(REMOTE_ADDR|FORWARDED|PORT)"
<tr><td class="e">_SERVER["REMOTE_PORT"]</td><td class="v">39429</td></tr>
<tr><td class="e">_SERVER["REMOTE_ADDR"]</td><td class="v">185.26.156.4</td></tr>
<tr><td class="e">_SERVER["SERVER_PORT"]</td><td class="v">443</td></tr>
<tr><td class="e">_SERVER["HTTP_X_FORWARDED_FOR"]</td><td class="v">185.26.156.4</td></tr>
<tr><td class="e">_SERVER["HTTP_X_FORWARDED_PORT"]</td><td class="v">443</td></tr>
<tr><td class="e">_SERVER["HTTP_X_FORWARDED_HTTPS"]</td><td class="v">on</td></tr>

With an IPv6 client (2a00:d0c0:200::4 in this case) however there's an unexpected result: You can still see the IP address of the Pound proxy (185.26.156.16) as REMOTE_ADDR, but as this is the configured RPAF_ProxyIPs mod_rpaf should have transferred the X-Forwarded-For-IP into REMOTE_ADDR. Additionally you can see that SERVER_PORT is still set to port 80, while the rest of the output clearly shows that HTTPS port 443 was in use:

$ curl -6 -s https://phpinfo.kaus.uberspace.de/ | grep -E "(REMOTE_ADDR|FORWARDED|PORT)"
<tr><td class="e">_SERVER["REMOTE_PORT"]</td><td class="v">39470</td></tr>
<tr><td class="e">_SERVER["REMOTE_ADDR"]</td><td class="v">185.26.156.16</td></tr>
<tr><td class="e">_SERVER["SERVER_PORT"]</td><td class="v">80</td></tr>
<tr><td class="e">_SERVER["HTTP_X_FORWARDED_FOR"]</td><td class="v">2a00:d0c0:200::4</td></tr>
<tr><td class="e">_SERVER["HTTP_X_FORWARDED_PORT"]</td><td class="v">443</td></tr>
<tr><td class="e">_SERVER["HTTP_X_FORWARDED_HTTPS"]</td><td class="v">on</td></tr>

I don't have a clue why that happens, because the connection between Pound and Apache is always based on IPv4, independent of the connection from the browser client to Pound, which might be either IPv4 or IPv6, so mod_rpaf always gets its connection by IPv4 from 185.26.156.16.

Downgrading mod_rpaf to v0.8.2 without touching the configuration is currently a functional workaround, but I'm pretty sure the new behaviour isn't intended.

IPv6 client IP not updated when using KeepAlive

Currently using the "stable" tree we were facing the problem that only the first request has the real client IP correctly transferred into REMOTE_ADDR when using KeepAlive. Further requests received the unchanged proxy IP, until the KeepAlive timeout value has been reached.

After stumbling upon Issue #35 we changed from "stable" to the current "master" tree, which effectively fixed the problem - but, amazingly, only for IPv4 addresses: IPv6 addresses still only got correctly set on every first request ever or after reaching the KeepAlive timeout. We're testing with the following PHP script:

<?php
echo $_SERVER['REMOTE_ADDR'];
echo "<br>";
echo $_SERVER['HTTP_X_FORWARDED_FOR'];
?>

Result on the first request is (correctly):

2001:470:1f0b:c02:888e:911b:c753:38a0
2001:470:1f0b:c02:888e:911b:c753:38a0

Result on every next request within the KeepAlive timeout results in (185.26.156.43 is the proxy IP listed as RPAF_ProxyIPs):

185.26.156.43
2001:470:1f0b:c02:888e:911b:c753:38a0

As a workaround we're currently having to turn off KeepAlive; in this case mod_rpaf provides correct results for both IPv4 and IPv6. Is there any chance to fix this?
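The reports above (the 10.0.0.0/8 subnet not matching, the chain-of-proxies question, the remark that only a trusted proxy should be able to set the HTTPS/port values, the IPv6 client reports, and the keep-alive reports) all turn on the same decision: which X-Forwarded-For entry, if any, may replace the peer address, and where that decision is keyed. The block below is an added illustration of that logic; it is not mod_rpaf code, and it makes no claim about which of these rules a particular mod_rpaf release implements (the right-to-left walk through the chain is the general technique, not an answer to the question asked above). The names Connection, handle_request, finish_request and serve_keepalive are hypothetical, and every address is a constructed documentation address.

```python
"""Trusted-proxy resolution of the client address (added illustration,
not mod_rpaf code).  All addresses are constructed documentation ranges."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_proxy_ips(spec: str) -> list:
    """Parse a space-separated list such as the value of
    'RPAF_ProxyIPs 127.0.0.1 ::1 10.0.0.0/8' into networks.  A bare address
    becomes a /32 (or /128), so 10.0.0.0/8 covers the whole 10.x.x.x range
    while 127.0.0.1 covers only itself."""
    return [ipaddress.ip_network(tok, strict=False) for tok in spec.split()]


def is_trusted(ip: str, proxies: list) -> bool:
    """True when ip lies inside one of the trusted proxy networks.  Mixed
    address families compare as 'not contained', so an IPv6 hop is never
    accidentally matched by an IPv4 prefix."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in proxies)


def resolve_client_ip(peer_ip: str, xff: str, proxies: list) -> Tuple[str, bool]:
    """Return (client_ip, rewritten).

    Only a trusted TCP peer may supply X-Forwarded-For at all; any other
    peer is the client and its header is ignored.  The hops are walked right
    to left (the rightmost entry was appended by the proxy nearest to us) and
    the first hop that is not one of our proxies is the client.  A malformed
    entry aborts the walk, so a forged header cannot put a non-address into
    REMOTE_ADDR."""
    if not is_trusted(peer_ip, proxies):
        return peer_ip, False
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip, False
        if not is_trusted(str(addr), proxies):
            return str(addr), True
    # Header absent, or every hop is one of our own proxies.
    return peer_ip, False


@dataclass
class Connection:
    """Stand-in for one keep-alive TCP connection (hypothetical).  peer_ip is
    what accept() reported and never changes; client_ip is the field a module
    rewrites for the duration of a single request."""
    peer_ip: str
    client_ip: str = ""

    def __post_init__(self) -> None:
        self.client_ip = self.client_ip or self.peer_ip


def handle_request(conn: Connection, headers: Dict[str, str], proxies: list,
                   local_port: int = 80) -> Dict[str, str]:
    """Build the CGI-style view of one request.  Every decision is keyed on
    conn.peer_ip and the real local port, never on values left behind by an
    earlier request on the same connection."""
    client, rewritten = resolve_client_ip(
        conn.peer_ip, headers.get("X-Forwarded-For", ""), proxies)
    conn.client_ip = client
    https, port = "off", str(local_port)
    if is_trusted(conn.peer_ip, proxies):
        proto = headers.get("X-Forwarded-Proto", "").lower()
        if proto == "https" or headers.get("X-Forwarded-HTTPS", "").lower() == "on":
            https = "on"
        # Assumption: a trusted proxy that names no port listened on the
        # scheme's default port.
        port = headers.get("X-Forwarded-Port", "443" if https == "on" else "80")
    return {"REMOTE_ADDR": client, "HTTPS": https, "SERVER_PORT": port,
            "REWRITTEN": "1" if rewritten else "0"}


def finish_request(conn: Connection) -> None:
    """Undo the per-request rewrite so the next request on this keep-alive
    connection starts from the real peer again (the role rpaf_cleanup plays
    in the patch quoted further down this page)."""
    conn.client_ip = conn.peer_ip


def serve_keepalive(peer_ip: str, requests: List[Dict[str, str]], proxies: list,
                    local_port: int = 80) -> List[str]:
    """Run several requests over one connection and return the REMOTE_ADDR
    each one saw; keyed on peer_ip, later requests resolve like the first."""
    conn = Connection(peer_ip)
    seen = []
    for hdrs in requests:
        seen.append(handle_request(conn, hdrs, proxies, local_port)["REMOTE_ADDR"])
        finish_request(conn)
    return seen


if __name__ == "__main__":
    trusted = parse_proxy_ips("127.0.0.1 ::1 10.0.0.0/8 192.0.2.16")
    print(resolve_client_ip("10.0.0.4", "203.0.113.9, 10.0.0.2, 10.0.0.3", trusted))
    print(serve_keepalive("192.0.2.16", [{"X-Forwarded-For": "2001:db8::4"}] * 2, trusted))
```

Two design points matter for the reports above: the trust decision is made on the peer address that the kernel reported, not on a field the module itself rewrote on an earlier request of the same connection, and a request from a peer outside RPAF_ProxyIPs is left entirely alone, so a direct request on port 80 cannot inherit a port or scheme from someone else's headers.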

IPv6 fallback IPv4, apache get Segmentation fault (11)

I am using HAProxy as frontend gateway.
In my setup, all IPv6 and IPv4 traffic uses an IPv4 connection between the frontend (HAProxy 1.5) and the backend (Apache 2.2).

When the client connects using IPv4, everything is OK.

However, when the client connects using IPv6, sometimes it shows a 502.
In the log file I found that if the client's IPv6 address is longer than some length (I'm not sure which), Apache displays the following:

[notice] child pid 85407 exit signal Segmentation fault (11)

When I change the HAProxy config to use an IPv6 connection between frontend and backend, everything is fine.

Sorry about my poor English and poor information. this is my first time submitting issue.
If you need more information, please tell me what information you need.

Thanks.

SetPort always setting port to 443

Hi;
When setting RPAF_SetPort On, Apache always sets the port to 443, even if you're requesting Apache directly on port 80 with HTTP, with no headers added, from an IP which isn't in RPAF_ProxyIPs.
This is very confusing for PHP apps, as they rely on different information to guess whether you're coming in over HTTP or HTTPS.

Possible bug with KeepAlive + RPAF_SetHostName On

$ httpd -v
Server version: Apache/2.2.32 (Unix)
Server built:   Jun 21 2017 19:11:57

$ uname -a
Linux test-www.mysite.local 4.9.43-17.38.amzn1.x86_64 #1 SMP Thu Aug 17 00:20:39 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Using mod_rpaf latest stable from git as of today, self-compiled, nothing fancy otherwise.

Quick summary:

Installed mod_rpaf about a week ago. Created a simple test.php file that printed out the remote address to test. I am running behind Amazon ELBs. Note that it turns out the access logs were mirroring the same values in the php script -- so it's nothing specific to php.

LoadModule rpaf_module modules/mod_rpaf.so
RPAF_Enable             On
RPAF_ProxyIPs           10.0.0.0/16
RPAF_SetHostName        On
RPAF_SetHTTPS           On
RPAF_SetPort            On
RPAF_ForbidIfNotProxy   Off

At the time I misunderstood the actual meaning of RPAF_SetHostName. I loaded the page with HTTP + HTTPS and both quick tests showed what I desired -- REMOTE_ADDR being set, HTTPS being set, etc.

Long story short, after some complaints of things being broken, it turns out that when using this with SSL, (i.e. X-Forwarded-Proto + X-Forwarded-Port being set by upstream) for some weird reason the remote address was only being set on the first request of keep-alive.

I verified this by turning off Keepalive entirely, and it no longer exhibited the behaviour. Turning keepalive back on, -- the first request of the keepalive session would have the appropriate values overridden, and subsequent requests would go back to the upstream values.

I turned mod_ssl off entirely (completely removed the LoadModule line) after reading the warning, still same thing.

Luckily, we don't need SetHostName, so turning it to Off fixes this behaviour and allows the use of KeepAlive, but it is just strange. Perhaps something to do with our older version of Apache? Can provide more details if necessary.

mod_rpaf no longer resolves the right IPs for mod_status?

Hello again,

I have recently upgraded from OpenSUSE 42.1 to 42.3, with which came a few changes to the software, namely Apache 2.4.16 -> 2.4.29 (but same issue happens with 2.4.23). mod_rpaf seems to be roughly the same - mod_rpaf-0.8.4~rc3. As far as I can tell, mod_status is part of Apache.

Before the upgrade, mod_rpaf was showing the right IPs in mod_status (server_name/server-status). After the upgrade, all I'm seeing is 127.0.0.1.

Here are 2 screenshots showing the differences. I checked the module loading order, and it seems to be the same - rpaf is listed first. What could be causing this?

Thank you.

[Screenshots attached: 2017-12-13_22-49-04 and 2017-12-13_22-50-18]

RPAF_SetHostName On breaks proxying using mod_rewrite

When requesting http://domain1.dev/domain2/test.html with the following configuration:

<VirtualHost *:80>
ServerName domain1.dev
RewriteEngine On
RewriteRule /domain2/(.*) http://domain2.dev/$1 [P]
</VirtualHost>

One would expect to get content of http://domain2.dev/test.html, but this would not work when rpaf is enabled and RPAF_SetHostName set to On. You would get http://domain1.dev/test.html - it seems like RPAF replaces the Host header from domain2.dev to domain1.dev in the proxied request.

Both domain1.dev and domain2.dev resolve to the same IP address.

%h and %a in apache log show proxy IP, not X-Forwarded-For, but %{X-Forwarded-For}i works correctly

Hi,

I have the following setup:
OpenSUSE 42.1 with rpaf 0.8.4~rc3 (installed via package manager, so it's slightly out of date - curious if this was potentially fixed in newer releases).
CloudFlare -> nginx:80 -> apache:8080.

In this scenario, when I access something on the server, %h is the CloudFlare server's IP, but both %a and %{X-Forwarded-For}i are the real client IP. So this works.

But if I access the server on port 8080, meaning Cloudflare -> apache:8080, a really weird thing happens. %h and %a both end up with CF's IPs, but %{X-Forwarded-For}i shows the correct client IP, even though that's what RPAF was supposed to be grabbing the value from and stuffing it into %a.

Log format (for testing):
LogFormat "Whost:%{Host}i Rhost:%h Rhost2:%a X-F-F:%{X-Forwarded-For}i %l %u Time:%t \ Req:\"%r\" Status:%>s Size:%b Ref:\"%{Referer}i\" UA:\"%{User-Agent}i\"" proxy

Sample log lines:
Whost:HOST_HERE Rhost:127.0.0.1 Rhost2:69.181.XX.XX(MY_REAL_CLIENT_IP) X-F-F:69.181.XX.XX(MY_REAL_CLIENT_IP) - - Time:[03/Jan/2017:23:32:32 -0800] Req:"GET /theheaders.php HTTP/1.0" Status:200...

Whost:HOST_HERE:8080 Rhost:162.158.255.113 Rhost2:162.158.255.113 X-F-F:69.181.XX.XX(MY_REAL_CLIENT_IP) - - Time:[03/Jan/2017:23:31:22 -0800] Req:"GET /theheaders.php HTTP/1.1" Status:200..."

Looking at this test page that just dumps all headers, I can correctly see X-Forwarded-For set my same correct client IP. The only difference I can see is when accessing apache on port 8080 directly, Connection: Keep-Alive, but when nginx 80 -> apache 8080, it's Connection: close.

Any ideas?

Please add a version number

Please add a version number and update the CHANGES file in order to better reflect the improvements from stderr.net version.
Thanks!

Updating remote IP on keep alive connections fails

We are using mod_rpaf 0.8.4 stable with Apache 2.2 on Debian Wheezy.

It updates remote IPs correctly most of the time. But when using keepalive connections it fails to do so for multiple requests using the same connection.

As you can see below in a (somewhat obfuscated) snippet of the access logs, the X-Forwarded-For header is correctly sent and received, as both log lines have the remote IP "194.250.97.243" present.

domainname.com 194.250.97.243 - - [11/Nov/2015:11:26:22 +0100] "GET /bijlagen/19015.pdf HTTP/1.1" 206 46565 "https://domainname.com/index.php?view=aanvragen&layout=pt" "Mozilla/5.0 (Windows NT 6.0; rv:32.0) Gecko/20100101 Firefox/32.0" "-" "194.250.97.243" 194.250.97.243 pid:21224 1794 0 0 0 0
domainname.com 10.2.1.210 - - [11/Nov/2015:11:26:22 +0100] "GET /bijlagen/19015.pdf HTTP/1.1" 206 65536 "https://domainname.com/index.php?view=aanvragen&layout=pt" "Mozilla/5.0 (Windows NT 6.0; rv:32.0) Gecko/20100101 Firefox/32.0" "-" "194.250.97.243" 10.2.1.210 pid:21224 1850 4000 0 0 0

Our log format is as shown below.

"%{HOST}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{VIA}i\" \"%{X-FORWARDED-FOR}i\" %a pid:%P %D %{ACC_utime}n %{ACC_stime}n %{ACC_cutime}n %{ACC_cstime}n"

Our mod_rpaf config is below.

<IfModule rpaf_module>
        RPAF_Enable             On
        RPAF_ProxyIPs           127.0.0.1 10.0.0.0/8
        RPAF_SetHostName        On
        RPAF_SetHTTPS           On
        RPAF_SetPort            On
</IfModule>

When we force-close every connection on the HAProxy side, everything works like it should, because connections are no longer reused. But that means we cannot use keep alive.

If I need to provide more information, please let me know.

Compatibility with RewriteCond %{HTTPS}

Apache sets a special "HTTPS" flag which can be used in RewriteCond statements as %{HTTPS}. The RewriteCond docs tell about it:

HTTPS
Will contain the text "on" if the connection is using SSL/TLS, or "off" otherwise. (This variable can be safely used regardless of whether or not mod_ssl is loaded).

mod_rpaf can already set the "HTTPS" environment variable which is working fine, but you have to use %{ENV:HTTPS} to access it in a RewriteCond. This is from the Apache source, modules/mappers/mod_rewrite.c:

    case  5:
        if (!strcmp(var, "HTTPS")) {
            int flag = rewrite_is_https && rewrite_is_https(r->connection);
            return apr_pstrdup(r->pool, flag ? "on" : "off");
        }
        break;

As you can see, mod_rewrite isn't looking at the HTTPS environment variable but on a special function rewrite_is_https which in turn seems to be based on a ssl_is_https function provided by mod_ssl. (Please forgive me, I'm no C programmer so this is only a very loose interpretation of the Apache source code.)

There are plenty of mod_rewrite examples in the wild which are based on %{HTTPS}. It would be really nice if mod_rpaf could "somehow" provide support for setting it. Currently %{HTTPS} provides the value 'off' while %{ENV:HTTPS} correctly provides 'on'.

when forwarding to non-standard port mod_dir redirects fail

If you reverse proxy through a load balancer and use non-standard ports for the real web server to simplify firewall design, every access to a directory without a trailing slash is redirected by mod_dir to the trailing-slash version WITH the port number, and the access from the client fails.

# apache listen to non-standard port
Listen hair:8008

Access to this server via the reverse proxy at http://www.freakout.de/fkselb would result in a redirect (from mod_dir) to http://www.freakout.de:8008/fkselb/ and fail. I have a patch with a new configuration directive which sets the port to the default (no port), which works fine for me in this situation:

--- mod_rpaf.c      Wed Sep  3 08:41:36 2014
+++ mod_rpaf.c      Thu Oct  9 15:53:29 2014
@@ -45,6 +45,7 @@
     int                sethttps;
     int                setport;
     const char         *headername;
+    int                setportnum;
     apr_array_header_t *proxy_ips;
     const char         *orig_scheme;
     const char         *https_scheme;
@@ -65,6 +66,7 @@
     cfg->proxy_ips = apr_array_make(p, 10, sizeof(apr_ipsubnet_t *));
     cfg->enable = 0;
     cfg->sethostname = 0;
+    cfg->setportnum = 0;
     cfg->forbid_if_not_proxy = 0;

     /* server_rec->server_scheme only available after 2.2.3 */
@@ -203,6 +205,14 @@
     return 0;
 }

 static apr_status_t rpaf_cleanup(void *data) {
     rpaf_cleanup_rec *rcr = (rpaf_cleanup_rec *)data;
     rcr->r->DEF_IP = apr_pstrdup(rcr->r->connection->pool, rcr->old_ip);
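Review bot: the hunk header `@@ -203,6 +205,14 @@` says eight lines were added here, but only the six unchanged context lines around `rpaf_cleanup` are shown, so the new directive handler (presumably the `rpaf_setportnum` function that the `AP_INIT_FLAG` entry later in this patch refers to) cannot be reviewed; please post the complete hunk.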
@@ -335,6 +345,13 @@
         }
     }

+    /* force the use of the default schemes port number */
+    /* mod_dir uses redirects with trailing slashes for directory access */
+    if (cfg->setportnum) {
+        r->parsed_uri.port_str = NULL;
+        r->server->port = 0;
+    }
+
     if (cfg->sethttps) {
         const char *httpsvalue, *scheme;
         if ((httpsvalue = apr_table_get(r->headers_in, "X-Forwarded-HTTPS")) ||
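Review bot: `r->server->port = 0;` writes to the server_rec, which is per-virtual-host configuration shared by every request that host serves in this process, from inside a per-request handler; unlike `r->parsed_uri.port_str`, that assignment is not undone when the request ends, so later requests on the same vhost, including ones that did not arrive through a trusted proxy, keep the zeroed port. Restore the previous value in `rpaf_cleanup` the way the original IP is restored there, or confine the change to request-scoped fields. It is also worth confirming that this block, like the `cfg->sethttps` block below it, is reached only after the RPAF_ProxyIPs check has passed; the context shown does not make that visible.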
@@ -405,6 +422,13 @@
                  NULL,
                  RSRC_CONF,
                  "Deny access if connection not from trusted RPAF_ProxyIPs"
+                 ),
+    AP_INIT_FLAG(
+                 "RPAFsetportnum",
+                 rpaf_setportnum,
+                 NULL,
+                 RSRC_CONF,
+                 "Let mod_rpaf set the port number to default for mod_dir redirects"
                  ),
     AP_INIT_ITERATE(
                  "RPAF_ProxyIPs",

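Review bot: the new directive is spelled `RPAFsetportnum`, while the neighbouring entry uses the `RPAF_` prefix with an underscore (`RPAF_ProxyIPs`); naming it consistently (for example `RPAF_SetPortNum`) keeps the directive discoverable alongside the others. The `rpaf_setportnum` handler referenced here is not in the posted diff, so its signature and scope cannot be checked, and the description string could state what "default" means (the scheme's default port, so no port number appears in generated redirects).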
I would like to see this in an upcoming release. Thanks for mod_rpaf.

Server IP Address Showing In _SERVER["REMOTE_ADDR"]. Is this OK?

I am currently setting up an nginx proxy for apache2 on DigitalOcean. I am not really a system admin, but I followed this tutorial: https://www.digitalocean.com/community/tutorials/how-to-configure-nginx-as-a-web-server-and-reverse-proxy-for-apache-on-one-ubuntu-14-04-droplet. He said that "The REMOTE_ADDR variable will now also be that of your local computer's public IP address".

Here is my rpaf.conf

<IfModule mod_rpaf.c>
        RPAF_Enable             On
        RPAF_Header             X-Real-Ip
        RPAF_ProxyIPs           127.0.0.1 10.0.0.0/24
        RPAF_SetHostName        On
        RPAF_SetHTTPS           On
        RPAF_SetPort            On
</IfModule>

However, it's the server IP address showing in REMOTE_ADDR. Is this OK?
