[Catalyst] catalyst psgi behind 2 apache reverse proxies
Bernhard Bauch
bauch at zsi.at
Fri Jul 10 13:23:10 GMT 2015
Yes, great!
using Apache mod_remoteip and
> RemoteIPHeader X-Forwarded-For
> RemoteIPInternalProxy 10.0.200.0/24
on the 2nd proxy helped!
what also helped: telling the second apache not to touch the headers with:
ProxyAddHeaders Off
(apache: Available in version 2.3.10 and later)
thanks for the help :)
cheers, bernhard
On 09 Jul 2015, at 05:04, Aristotle Pagaltzis <pagaltzis at gmx.de> wrote:
> * Bernhard Bauch <bauch at zsi.at> [2015-07-08 16:50]:
>> surroundings: catalyst, psgi, starman, apache2.
>> but in our setup there are *two* apache2s doing reverse proxies before
>> the requests reach the starman server.
>>
>> so what happened:
>>
>> the http headers look like this (for catalyst)
>> X-FORWARDED-FOR: <clients-ip>, <proxy2-ip>
>> REQUEST_IP_ADDRESS: <proxy2-ip>
>>
>> what Plack::Middleware::ReverseProxy does is put the LAST ip in the
>> forwarded-for header into
>> $env->{REMOTE_ADDR}
>> which is actually not the IP of the client.
>> why is that happening?
>
> Because any other IPs could be untrustworthy. The client could include
> an X-Forwarded-For header with bogus content, or there could be a proxy
> legitimately sitting between you and the ultimate client (e.g. a caching
> proxy run by the user’s ISP)… there are many scenarios.
>
>> shouldn't it take the first IP, so catalyst has access to the original
>> request's IP?
>
> Absolutely not. It cannot know whether that IP is trustworthy.
>
>> my apache proxy configs look like this...
>> is there something wrong with the proxies' config?
>
> IMO, yes.
>
> I think the correct solution here is to encode into your deployment
> infrastructure the knowledge that a) there are two proxies and b) that
> they are both trusted.
>
> Using the ReverseProxy means you have already told the app that the
> app-facing proxy exists and is trusted.
>
> But also telling it that the world-facing proxy exists and is trusted
> would IMO put too much knowledge about your specific infrastructure
> layout in the app.
>
> Instead you should tell the app-facing proxy that the world-facing
> proxy is trusted. That way the different parts of your infrastructure
> are more self-contained and independent.
>
> Unfortunately I don’t speak Apache very well any more but I *think* what
> you want is to load mod_remoteip on proxy 2 and then add something like
>
> RemoteIPHeader X-Forwarded-For
> RemoteIPInternalProxy 10.0.200.0/24
>
> to its config.
>
> Or maybe you have to configure the proxy 2 to just leave X-Forwarded-For
> alone (which implicitly means it trusts whatever proxy 1 has put there).
> (No idea if that’s possible or how.)
>
> I can’t say what exactly will work but something along these lines would
> be my approach.
>
>> thanks for hints!
>> cheers, bernhard
>
> Hope this helps.
>
> Regards,
> --
> Aristotle Pagaltzis // <http://plasmasturm.org/>
>
—
Bernhard Bauch
Webdevelopment
ZSI-Zentrum für Soziale Innovation GmbH
Centre for Social Innovation
Linke Wienzeile 246, A-1150 Wien, Austria
Mail: bauch at zsi.at
Skype: berni-zsi
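The rule Aristotle describes (walk X-Forwarded-For from the right, skip every hop you trust, stop at the first one you don't) is what mod_remoteip's RemoteIPInternalProxy implements. Below is an added, self-contained Python sketch of that rule, not code from this thread, from Plack::Middleware::ReverseProxy or from Apache. The 10.0.200.0/24 range is the one from the thread; all concrete addresses (203.0.113.7 for the client, 10.0.200.4 and 10.0.200.5 for the two proxies, 1.2.3.4 as a spoofed entry) are constructed, and the function names are my own. It also shows why trusting only the app-facing proxy reproduces the symptom Bernhard saw, and why "take the first entry" hands an attacker control of the logged client IP.

```python
"""Resolve the real client IP from X-Forwarded-For (XFF) given a set of
trusted proxies, walking the header right-to-left the way Apache
mod_remoteip does with RemoteIPInternalProxy. Added example code."""
import ipaddress

# Assumed trusted proxy range; mirrors the RemoteIPInternalProxy line in the thread.
TRUSTED_PROXIES = ("10.0.200.0/24",)


def _parse(addr):
    """Return an ip_address object, or None if `addr` is not a valid IP."""
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True if `addr` falls inside one of the trusted proxy networks."""
    ip = _parse(addr)
    if ip is None:
        return False
    return any(ip in ipaddress.ip_network(net, strict=False) for net in trusted)


def resolve_client_ip(remote_addr, xff, trusted=TRUSTED_PROXIES):
    """Return the first untrusted hop, walking XFF from the right.

    remote_addr: the TCP peer address the application actually sees.
    xff:         the raw X-Forwarded-For header value ("" if absent).

    Each proxy appends the address of *its* peer, so the rightmost entry
    was written by `remote_addr`, the one before it by that proxy, and so
    on. Only entries written by trusted proxies are believed. If the first
    untrusted value is not a valid IP (malformed or spoofed header), fall
    back to remote_addr, the only address the app can vouch for (design
    choice for this example).
    """
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    current = remote_addr
    while hops and is_trusted(current, trusted):
        current = hops.pop()  # entry appended by the trusted proxy `current`
    if _parse(current) is None:
        return remote_addr
    return current


def naive_first_ip(remote_addr, xff):
    """The 'take the first entry' approach the thread argues against:
    whatever the client put in its own XFF header wins."""
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    return hops[0] if hops else remote_addr


if __name__ == "__main__":
    # Constructed chain: client 203.0.113.7 -> proxy1 10.0.200.4 -> proxy2 10.0.200.5 -> app
    peer, header = "10.0.200.5", "203.0.113.7, 10.0.200.4"
    print("both proxies trusted  :", resolve_client_ip(peer, header))
    print("only proxy2 trusted   :", resolve_client_ip(peer, header, ("10.0.200.5/32",)))
    spoofed = "1.2.3.4, " + header  # client injected its own XFF entry
    print("spoofed, trusted walk :", resolve_client_ip(peer, spoofed))
    print("spoofed, naive first  :", naive_first_ip(peer, spoofed))
```

Trusting only the app-facing proxy stops the walk one hop early and yields the world-facing proxy's address, which is exactly what Bernhard observed from ReverseProxy; adding the second proxy to the trusted set (the mod_remoteip change he applied) lets the walk reach the client. The naive variant is included only to show how a client-supplied entry ends up as the "client IP".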