ggrandes/apache24-modules

How Install Module?

Closed this issue · 18 comments

Hi,
I installed your module in an apache2 ubuntu 14.04.
But for me it doesn't work.
I wrote in my apache.conf the global directive:

Global

<IfModule mod_myfixip.c>
  RewriteIPResetHeader off
  RewriteIPAllow 192.168.0.0/16 127.0.0.1
</IfModule>

And in my virtual host:

VirtualHost

<VirtualHost *:443>
  <IfModule mod_myfixip.c>
    RewriteIPResetHeader on
  </IfModule>
</VirtualHost>

But when I call an https page with the browser, the page goes into timeout.
I don't find errors in my logs.

Hi @fabioce,

best is to say something more about the environment/usage (modules like mod_spdy activated?).
And you can recompile the module after uncommenting line 136: //#define DEBUG so you have diagnostic logging in the central error log to see what happens (so I did for apache22-module some months ago ;))

Hi,
how can I understand if your module is enabled?
I find your module here:
ls /usr/lib/apache2/modules/
mod_myfixip.so

but I don't find your module here:

/etc/apache2/mods-enabled/

How can I enable it?

I tried with:
sudo a2enmod mod_myfixip
sudo a2enmod myfixip
but a2enmod doesn't find your module.

Hello,
it's not from me - I made a setup with it only for Apache 2.2 some months ago ^^

if you call a2enmod without a module name the script will offer you all possible modules.

I think "make install" would also copy the loader/config file to /etc/apache2/mods-available?
If not you should copy these files to it and then you can use a2enmod for it.

Hello,
where can I find the loader/config file?
I tried this line in apache:
LoadModule mod_myfixip /usr/lib/apache2/modules/mod_myfixip.so
but it tells me:
Can't locate API module structure `mod_myfixip' in file /usr/lib/apache2/modules/mod_myfixip.so

Well, first:

apxs2 -c -i mod_myfixip.c

After:

### /etc/apache2/mods-available/myfixip.load
LoadModule myfixip_module /usr/lib/apache2/modules/mod_myfixip.so
### /etc/apache2/mods-available/myfixip.conf
<IfModule mod_myfixip.c>
        RewriteIPResetHeader off
        RewriteIPAllow 192.168.0.0/16 127.0.0.1
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

And finally:

a2enmod myfixip
service apache2 restart

Well thanks.
Now I see the module enabled.
But I'm working with AWS ELB with the proxy policy activated on port 443.
If I don't use the proxy policy and I don't use your module, but only create a listener in ELB
with TCP 443 -> TCP 443, I can see my pages in:

HTTP: with HTTP_X_FORWARDED_FOR the address of my browser
HTTPS: I retrieve only the REMOTE_ADDR with the private IP of the balancer.

When I enable your module, I obtain:

HTTP: the same HTTP_X_FORWARDED_FOR address
HTTPS: I obtain in REMOTE_ADDR the same address as my browser, perfect.

Do you think it's all right now?
Must X_Forwarded_for be undefined in https?
Thanks very much, you are a very available person.

yes, X-Forwarded-For must not be used for TCP_PROXY because you get the real TCP connection handed over - with additional tunnel information before the origin data.
Compared to the nginx setup you already found in https://gist.github.com/pablitoc/91c40d820f207879969c, this module handles the tunnel information automatically to set it as the original one.

The big question here is what IP range/IPs your ELB really has. Normally AWS uses 172.31.0.0/16 and not 192.168.0.0/16 ;)
You can check it - there must be regular http checks in your logs created by the ELB - several also generating 400 errors.
You should set the IP range because AWS changes the public/internal IP addresses of ELBs from time to time (horror, but cannot be changed, e.g. point 7 in http://harish11g.blogspot.de/2012/07/aws-elastic-load-balancing-elb-amazon.html).

I'm setting the RewriteIPAllow with the range of my VPC

What do you think if I write the directive:

RewriteIPResetHeader on

in the global settings whilst in every virtualhost?

I think RewriteIPResetHeader must always be off, as ggrandes wrote above,
because you don't use the X-Forwarded-For header but the proxy_tcp tunnel, which gets its information in the TCP packet header itself.
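To make the two points above concrete (the ELB's real address range must be in RewriteIPAllow, and with proxy protocol the client address travels in a PROXY line ahead of the payload rather than in X-Forwarded-For), here is an added Python model of that trust decision. It is not the module's own code; the allowlist is the one from this thread, the peer/sample bytes are constructed, and the pass-through behaviour for untrusted peers is an assumption of the model.

```python
import ipaddress
import re

# Allowlist copied from the thread's RewriteIPAllow line (model only, not the module's parser).
THREAD_ALLOW = ("192.168.0.0/16", "127.0.0.1")

# PROXY protocol v1 line sent by the balancer ahead of the real payload:
#   "PROXY TCP4 <client ip> <proxy ip> <client port> <proxy port>\r\n"  (or "PROXY UNKNOWN\r\n")
PROXY_V1 = re.compile(rb"^PROXY (TCP4|TCP6|UNKNOWN)(?: ([^ \r\n]+) ([^ \r\n]+) (\d{1,5}) (\d{1,5}))?\r\n")

# Constructed sample: a balancer at 10.0.0.102 relays a browser at 203.0.113.5.
SAMPLE = (b"PROXY TCP4 203.0.113.5 10.0.0.102 61449 443\r\n"
          b"GET / HTTP/1.1\r\nHost: www.example.it\r\n\r\n")

def peer_allowed(peer_ip, allow):
    """True when the TCP peer is inside one of the trusted proxy networks."""
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in allow)

def parse_proxy_v1(data):
    """Strip a PROXY v1 header off the start of a stream.
    Returns (client ip or None for UNKNOWN, remaining bytes); ValueError if malformed."""
    m = PROXY_V1.match(data)
    if m is None or m.end() > 107:          # 107 bytes is the v1 maximum line length
        raise ValueError("malformed or missing PROXY v1 header")
    family, rest = m.group(1), data[m.end():]
    if family == b"UNKNOWN":
        return None, rest                   # proxy could not determine the client
    if m.group(2) is None:
        raise ValueError("TCP4/TCP6 line without addresses")
    src = ipaddress.ip_address(m.group(2).decode("ascii"))
    dst = ipaddress.ip_address(m.group(3).decode("ascii"))
    want = 4 if family == b"TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match PROXY line")
    if not all(0 < int(p) <= 65535 for p in (m.group(4), m.group(5))):
        raise ValueError("port out of range")
    return str(src), rest

def effective_client(peer_ip, data, allow=THREAD_ALLOW):
    """What REMOTE_ADDR should become for one connection.
    Only a peer inside `allow` may speak PROXY; any other peer keeps its socket
    address and its bytes pass through untouched, so a PROXY line from an
    unlisted peer would reach the HTTP parser as a bogus request line (assumption)."""
    if not peer_allowed(peer_ip, allow):
        return peer_ip, data
    src, rest = parse_proxy_v1(data)
    return (peer_ip if src is None else src), rest
```

With the thread's 192.168.0.0/16 allowlist the balancer at 10.0.0.102 is not trusted and REMOTE_ADDR stays 10.0.0.102; adding the VPC range (e.g. 10.0.0.0/16) makes it 203.0.113.5.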

but here:
https://github.com/ggrandes/apache24-modules/blob/master/mod_myfixip.c
in the usage is written:

VirtualHost

<VirtualHost *:443>
  <IfModule mod_myfixip.c>
    RewriteIPResetHeader on
  </IfModule>
</VirtualHost>

yes, but the original use case of this module was to be used behind an http proxy, not a tcp_proxy.
Best is you test out whether it works / which configuration parameters work and which don't. ;)

My objective is to use one ELB with a few websites, each with a different ssl certificate.
ELB can mount only one certificate, but I can mount many certificates in the various virtual hosts.
So I thought to use ELB with TCP 443 and proxy protocol to have the source values (client IP).
Do you think I need another configuration?
Thanks

no, that would work as you expect...
I tried it with apache22-modules and Google's spdy module. The multi ssl variant would also work fine.

It's only a short try-out phase you need - perhaps you should also temporarily activate the debugging (again) so you can see how the module is working/recognizing the incoming requests.

Hi,
I activated the debug mode, but honestly I don't understand if the flow is good :)
But I noticed that I have these 3 lines in the FIRST virtual-host error-log:

[Tue Sep 22 18:25:11.082021 2015] [ssl:info] [pid 28918] [client 10.0.0.102:61449] AH01964: Connection to child 3 established (server www.example.it:443)
[Tue Sep 22 18:25:11.163689 2015] [ssl:info] [pid 28918] End of file found: [client 10.0.0.102:61449] AH01991: SSL input filter read failed.
[Tue Sep 22 18:25:11.237189 2015] [ssl:info] [pid 28919] [client 10.0.0.102:61450] AH01964: Connection to child 4 established (server www.example.it:443)

every time I request an HTTPS page of any site.
I verified that the lines are logged in the correct apache-ssl-access-log for the page I request, but the three lines reported above are written every time for every https page.

www.example.it is the first virtualhost
What do you think?

Hi,

I activated the module and configured the file in /etc/httpd/conf.d/myfixip.conf, but when I activate proxy protocol at the ELB my browser displays this error:

Bad Request

Your browser sent a request that this server could not understand.
Request header field is missing ':' separator.

What's my problem?

Hello,

Can anyone help me?

Sorry, difficult for me to say something - especially as I actually have to use Nginx, which has its own spdy/http2 module.

I think the best is to check the communication on the server port to see what happens between client and server:

  • on server side:
    • tcpdump
    • tshark
    • ngrep (also very nice)
  • on client side:
    • fiddler2

You can also check the initial / basic OpenSSL communication, e.g. with:

➜  ~  openssl s_client -connect localhost:443 -state
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:unknown state
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 2 Primary Intermediate Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
---
Certificate chain
...

There must be better options for checking... ah like:
https://josephscott.org/archives/2014/12/how-to-check-a-site-for-spdy-support-with-openssl/

➜  ~  openssl s_client -connect google.com:443 -nextprotoneg ''
CONNECTED(00000003)
Protocols advertised by server: h2, h2-15, h2-14, spdy/3.1, spdy/3, http/1.1
140188255655568:error:140920E3:SSL routines:SSL3_GET_SERVER_HELLO:parse tlsext:s3_clnt.c:1043:
---
no peer certificate available