[Catalyst] catalyst psgi behind 2 apache reverse proxies

Aristotle Pagaltzis pagaltzis at gmx.de
Thu Jul 9 03:04:29 GMT 2015


* Bernhard Bauch <bauch at zsi.at> [2015-07-08 16:50]:
> surroundings: catalyst, psgi, starman, apache2.
> but in our setup there are *two* apache2s doing reverse proxies before
> the request reaches the starman server.
>
> so what happend:
>
> the http headers look like this (for catalyst)
> 	X-FORWARDED-FOR: <clients-ip>, <proxy2-ip>
> 	REQUEST_IP_ADDRESS: <proxy2-ip>
>
> what Plack::Middleware::ReverseProxy does it puts the LAST ip in the
> forwarded-for header into
> 	$env->{REMOTE_ADDR}
> which is actually not the IP of the client.
> why is that happening?

Because any other IPs could be untrustworthy. The client could include
an X-Forwarded-For header with bogus content, or there could be a proxy
legitimately sitting between you and the ultimate client (e.g. a caching
proxy run by the user’s ISP)… there are many scenarios.

> shouldn't it take the first IP, so catalyst has access to the original
> request's IP?

Absolutely not. It cannot know whether that IP is trustworthy.

> my apache proxy configs look like this...
> is there something wrong with the proxies' config?

IMO, yes.

I think the correct solution here is to encode into your deployment
infrastructure the knowledge that a) there are two proxies and b) that
they are both trusted.

Using the ReverseProxy means you have already told the app that the
app-facing proxy exists and is trusted.

But also telling it that the world-facing proxy exists and is trusted
would IMO put too much knowledge about your specific infrastructure
layout in the app.

Instead you should tell the app-facing proxy that the world-facing
proxy is trusted. That way the different parts of your infrastructure
are more self-contained and independent.

Unfortunately I don’t speak Apache very well any more but I *think* what
you want is to load mod_remoteip on proxy 2 and then add something like

    RemoteIPHeader X-Forwarded-For
    RemoteIPInternalProxy 10.0.200.0/24

to its config.

Or maybe you have to configure proxy 2 to just leave X-Forwarded-For
alone (which implicitly means it trusts whatever proxy 1 has put there).
(No idea if that’s possible or how.)

I can’t say what exactly will work but something along these lines would
be my approach.

> thanks for hints!
> cheers, bernhard

Hope this helps.

Regards,
-- 
Aristotle Pagaltzis // <http://plasmasturm.org/>
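The right-to-left walk that mod_remoteip performs with RemoteIPInternalProxy, and that the reply above contrasts with "take the first IP", as an added illustration that is not part of the thread and not Plack or Apache code. All addresses are constructed: 203.0.113.7 is the client, 198.51.100.10 the world-facing proxy 1, and 10.0.200.5 the app-facing proxy 2 (chosen to fall inside the 10.0.200.0/24 range quoted in the reply).

```python
import ipaddress


def client_ip(remote_addr, x_forwarded_for, trusted_proxies):
    """Resolve the client address the way a trusted-proxy list does.

    Start at the TCP peer (REMOTE_ADDR) and walk the X-Forwarded-For
    list from right to left. Every hop that is a configured trusted
    proxy is skipped; the first hop that is not trusted is the client.
    Anything to the left of it was written by parties we do not trust
    and is ignored, which is why a bogus client-supplied value never
    wins. A hop that is not a valid address ends the walk and the last
    verified hop is returned instead of the garbage.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]
    chain = [h.strip() for h in x_forwarded_for.split(",")] if x_forwarded_for else []
    chain.append(remote_addr)  # the peer is the rightmost, most trustworthy hop
    candidate = remote_addr
    for hop in reversed(chain):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return candidate  # malformed hop: fall back to the last verified one
        if not any(ip in net for net in trusted):
            return hop  # first untrusted hop is the client
        candidate = hop
    return candidate  # every hop was a trusted proxy


def naive_first_hop(x_forwarded_for):
    """The 'just take the first IP' approach the thread asks about."""
    return x_forwarded_for.split(",")[0].strip()


if __name__ == "__main__":
    # Constructed sample: what Starman sees behind proxy 2 behind proxy 1.
    remote = "10.0.200.5"
    xff = "203.0.113.7, 198.51.100.10"
    # Only proxy 2 trusted: the walk stops at proxy 1, the "last IP" the thread observes.
    print(client_ip(remote, xff, ["10.0.200.0/24"]))
    # Proxy 2 told that proxy 1 is trusted too: the real client comes out.
    both = ["10.0.200.0/24", "198.51.100.10/32"]
    print(client_ip(remote, xff, both))
    # Client sent its own bogus X-Forwarded-For which proxy 1 appended to.
    spoofed = "1.2.3.4, " + xff
    print(client_ip(remote, spoofed, both))   # still the real client
    print(naive_first_hop(spoofed))           # the bogus value
```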
