mod_rpaf no longer resolves the right IPs for mod_status?
archon810 opened this issue · 10 comments
Hello again,
I have recently upgraded from OpenSUSE 42.1 to 42.3, with which came a few changes to the software, namely Apache 2.4.16 -> 2.4.29 (but same issue happens with 2.4.23). mod_rpaf seems to be roughly the same - mod_rpaf-0.8.4~rc3. As far as I can tell, mod_status is part of Apache.
Before the upgrade, mod_rpaf was showing the right IPs in mod_status (server_name/server-status). After the upgrade, all I'm seeing is 127.0.0.1.
Here are 2 screenshots showing the differences. I checked the module loading order, and it seems to be the same - rpaf is listed first. What could be causing this?
Thank you.
Please share your mod_rpaf configuration.
@gnif The configuration is based on #47 (comment).
Here it is:
# Enable setting of IPs if behind a proxy.
# Accept local and Cloudflare IPs.
<IfModule mod_rpaf.c>
RPAF_Enable On
RPAF_SetHostName On
RPAF_ProxyIPs 127.0.0.1 ::1 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 104.16.0.0/12 108.162.192.0/18 131.0.72.0/22 141.101.64.0/18 162.158.0.0/15 172.64.0.0/13 173.245.48.0/20 188.114.96.0/20 190.93.240.0/20 197.234.240.0/22 198.41.128.0/17 199.27.128.0/21 2400:cb00::/32 2606:4700::/32 2803:f800::/32 2405:b500::/32 2405:8100::/32 2c0f:f248::/32 2a06:98c0::/29
RPAF_Header X-Forwarded-For
</IfModule>
The correct IP shows up in apache logs, so I know mod_rpaf is working there. The logs use this mod_log_config definition:
LogFormat "%{REQUEST_SCHEME}x://%{Host}i %a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %{CF-Ray}i" proxy
I have a similar issue on FreeBSD; a recent upgrade broke my set-up. I used to have the mod enabled in the httpd.conf file, and then I had a .conf file in the Includes folder with the following lines:
RPAFenable On
RPAFproxyips 10.0.0.10
I realized the upgrade created a file in modules.d named 200_mod_rpaf.conf. I renamed this file to 200_mod_rpaf.conf.bak and reconfigured my original .conf file. It now looks like the following:
<IfModule mod_rpaf.c>
# Enable reverse proxy add forward
RPAF_Enable On
# What IPs & bitmasked subnets to adjust requests for
RPAF_Header X-Real-Ip
RPAF_ProxyIPs 127.0.0.1 10.0.0.0/24
RPAF_SetHostName On
RPAF_SetHTTPS On
RPAF_SetPort On
</IfModule>
The problem is that the access log logs the local IP 10.0.0.10, but if I send a message through a WordPress form it passes the client's public IP.
I am using the default Log format:
LogFormat "%h %l %u %t \"%r\" %>s %b" common
Can you help me diagnose this problem?
What changed? Or is it that my new config file is not the same as before?
Please advise,
@archon810 Try this patch
--- mod_rpaf.orig/mod_rpaf.c 2018-04-03 19:29:59.177354125 +0300
+++ mod_rpaf-1gb/mod_rpaf.c 2018-04-03 19:29:36.416814029 +0300
@@ -319,7 +319,11 @@
apr_sockaddr_t *tmpsa;
int ret = apr_sockaddr_info_get(&tmpsa, r->DEF_IP, APR_UNSPEC, tmpport, 0, tmppool);
if (ret == APR_SUCCESS)
- memcpy(r->DEF_ADDR, tmpsa, sizeof(apr_sockaddr_t));
+ #if AP_SERVER_MAJORVERSION_NUMBER >= 2 && AP_SERVER_MINORVERSION_NUMBER >= 4
+ r->DEF_ADDR = tmpsa;
+ #else
+ memcpy(r->DEF_ADDR, tmpsa, sizeof(apr_sockaddr_t));
+ #endif
if (cfg->sethostname) {
const char *hostvalue;
if ((hostvalue = apr_table_get(r->headers_in, "X-Forwarded-Host")) ||
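Review bot: In the 2.4 branch, the assignment r->DEF_ADDR = tmpsa; leaves DEF_ADDR pointing at memory that apr_sockaddr_info_get() allocated from tmppool, so it is only safe if tmppool lives at least as long as anything that reads DEF_ADDR. The hunk does not show where tmppool is created or destroyed, so either document that lifetime next to the assignment or allocate the address from a pool whose lifetime is known to be long enough. Separately, the guard AP_SERVER_MAJORVERSION_NUMBER >= 2 && AP_SERVER_MINORVERSION_NUMBER >= 4 is false for any major version above 2 with a minor below 4, and the unbraced if (ret == APR_SUCCESS) now wraps a preprocessor conditional, so braces around its body would make it more robust to later edits.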
@renton- Thanks for the patch, but I only use the repo-supplied (OpenSUSE) modules and apache, so I can't test this.
@renton this will have unintended side effects, when tmppool is destroyed the pointer you are assigning to DEF_ADDR will be freed and Apache will be left trying to access now invalid memory.
Hmm trying to figure out how to properly fix this and I'm a bit confused. I presume that the tmppool will be present for the lifetime of the request? If that's the case I don't think this is an issue.
Another way is to use the request's r->pool to guarantee that r->DEF_ADDR will be freed when the request_rec pool is destroyed?
@gnif Any suggestions?
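The lifetime question raised in the comments above, as an added example that is not mod_rpaf or APR code: a toy pool allocator shows that an address assigned by pointer dangles if its pool is destroyed before the request ends, while one allocated from the request's own pool does not. The names toy_pool, toy_request, resolve and the sample IP are constructed stand-ins; whether mod_rpaf's tmppool actually outlives the request is not settled on this page.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy stand-in for an APR pool (an assumption, not the APR API):
 * everything allocated from a pool is freed when the pool is destroyed. */
typedef struct node { struct node *next; } node;
typedef struct { node *head; int live; } toy_pool;
typedef struct { char ip[46]; int port; } toy_addr;
/* addr_pool records which pool backs addr, so liveness can be checked
 * without dereferencing a pointer that may already be freed. */
typedef struct { toy_pool *pool; toy_addr *addr; toy_pool *addr_pool; } toy_request;

static void *pool_alloc(toy_pool *p, size_t n) {
    node *b = malloc(sizeof(node) + n);
    if (!b) abort();
    b->next = p->head;
    p->head = b;
    return b + 1;
}

static void pool_destroy(toy_pool *p) {
    while (p->head) { node *next = p->head->next; free(p->head); p->head = next; }
    p->live = 0;
}

/* Stand-in for apr_sockaddr_info_get(): the result lives in pool p. */
static toy_addr *resolve(toy_pool *p, const char *ip, int port) {
    toy_addr *a = pool_alloc(p, sizeof *a);
    snprintf(a->ip, sizeof a->ip, "%s", ip);
    a->port = port;
    return a;
}

/* Points r->addr at an address allocated from `from` (pointer assignment, no copy). */
static void set_addr(toy_request *r, toy_pool *from, const char *ip) {
    r->addr = resolve(from, ip, 0);
    r->addr_pool = from;
}

/* Returns 1 if r->addr is still backed by live memory after tmp is destroyed
 * mid-request. use_request_pool=0 mirrors the patch, 1 the r->pool variant. */
int addr_survives_tmp_destroy(int use_request_pool) {
    toy_pool req = {NULL, 1}, tmp = {NULL, 1};
    toy_request r = {&req, NULL, NULL};
    set_addr(&r, use_request_pool ? r.pool : &tmp, "203.0.113.7"); /* constructed IP */
    pool_destroy(&tmp);              /* temporary pool goes away first */
    int ok = r.addr_pool->live;      /* 0 means r.addr now dangles */
    pool_destroy(&req);              /* end of request */
    return ok;
}
```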
I am sorry @ironsteel I no longer have any production servers running this module nor the time anymore to maintain it. I do highly suggest you see if mod_realip can suit your requirements and if not, perhaps ask the developers for the features you require.
You should probably add a "not for production use" disclaimer.
The module seems to be called mod_remoteip http://httpd.apache.org/docs/2.4/mod/mod_remoteip.html, and I've successfully migrated to it for my purposes. Now apache status shows the correct IPs again, so I'm going to remove mod_rpaf from my module list.
Thanks @gnif for the tip.