[Catalyst] catalyst psgi behind 2 apache reverse proxies

Bernhard Bauch bauch at zsi.at
Fri Jul 10 13:23:10 GMT 2015

Yess great !
using apachemod remote IP and

>    RemoteIPHeader X-Forwarded-For
>    RemoteIPInternalProxy
on the 2nd proxy helped!

what also helped telling the second apache not to thought the headers with:
	ProxyAddHeaders Off
(apache: Available in version 2.3.10 and later)

thanks for help:)
cheers, bernhard

On 09 Jul 2015, at 05:04, Aristotle Pagaltzis <pagaltzis at gmx.de> wrote:

> * Bernhard Bauch <bauch at zsi.at> [2015-07-08 16:50]:
>> suroundings: catalyst, psgi, starman, apache2.
>> but in our setup there are *two* apache2s doing reverse proxies before
>> the requests reaches the starman server.
>> so what happend:
>> the http headers look like this (for catalyst)
>> 	X-FORWARDED-FOR: <clients-ip>, <proxy2-ip>
>> 	REQUEST_IP_ADDRESS: <proxy2-ip>
>> what Plack::Middleware::ReverseProxy does it puts the LAST ip in the
>> forwarded-for header into
>> 	$env->{REMOTE_ADDR}
>> which is actually not the IP of the client.
>> why is that happening ?
> Because any other IPs could be untrustworthy. The client could include
> an X-Forwarded-For header with bogus content, or there could be a proxy
> legimitately sitting between you and the ultimate client (e.g. a caching
> proxy run by the user’s ISP)… there are many scenarios.
>> shouldn't it take the first IP, so catalyst has access to the original
>> requests IP ?
> Absolutely not. It cannot know whether that IP is trustworthy.
>> my apache proxy configs look like this...
>> is there something wrong with the proxies config  ?
> IMO, yes.
> I think the correct solution here is to encode into your deployment
> infrastructure the knowledge that a) there are two proxies and b) that
> they are both trusted.
> Using the ReverseProxy means you have already told the app that the
> app-facing proxy exists and is trusted.
> But also telling it that the world-facing proxy exists and is trusted
> would IMO put too much knowledge about your specific infrastructure
> layout in the app.
> Instead you should tell the app-facing proxy that the world-facing
> proxy is trusted. That way the different parts of your infrastructure
> are more self-contained and independent.
> Unfortunately I don’t speak Apache very well any more but I *think* what
> you want is to load mod_remoteip on proxy 2 and then add something like
>    RemoteIPHeader X-Forwarded-For
>    RemoteIPInternalProxy
> to its config.
> Or maybe you have to configure the proxy 2 to just leave X-Forwarded-For
> alone (which implicitly means it trusts whatever proxy 1 has put there).
> (No idea if that’s possible or how.)
> I can’t say what exactly will work but something along these lines would
> be my approach.
>> thanks for hints!
>> cheers, bernhard
> Hope this helps.
> Regards,
> --
> Aristotle Pagaltzis // <http://plasmasturm.org/>
> _______________________________________________
> List: Catalyst at lists.scsys.co.uk
> Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
> Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
> Dev site: http://dev.catalyst.perl.org/
> !DSPAM:559de510153869509620312!

Bernhard Bauch

ZSI-Zentrum für Soziale Innovation GmbH
Centre for Social Innovation

Linke Wienzeile 246, A-1150 Wien, Austria
Mail: bauch at zsi.at
Skype: berni-zsi

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 163 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.scsys.co.uk/pipermail/catalyst/attachments/20150710/3c74351e/attachment.pgp>

More information about the Catalyst mailing list