b***@apache.org
2017-12-13 12:19:40 UTC
https://bz.apache.org/bugzilla/show_bug.cgi?id=61896
Bug ID: 61896
Summary: CONN_REMOTE_ADDR not exposed to php scripts
Product: Apache httpd-2
Version: 2.5-HEAD
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_remoteip
Assignee: ***@httpd.apache.org
Reporter: ***@thelounge.net
Target Milestone: ---
mod_rewrite supports for years now REMOTE_ADDR *and* CONN_REMOTE_ADDR, see
samle below, mod_remoteip don't give you any information within a PHP script
about the physical connecting IP
this can be crucial when your reverse-proxy adds headers which you can use in
your application to make decisions because you should verify the source-ip to
make sure that header is trustable
the setup below has one big goal: decide via DNS if a website goes directly to
httpd or for high traffic pages over the reverse-proxy which in this case would
do TLS-offloading and sim,ilar decisions can happen within the application - or
better said it should be posible to do so
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{CONN_REMOTE_ADDR} !^192\.168\.196\.2
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</IfModule>
Bug ID: 61896
Summary: CONN_REMOTE_ADDR not exposed to php scripts
Product: Apache httpd-2
Version: 2.5-HEAD
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_remoteip
Assignee: ***@httpd.apache.org
Reporter: ***@thelounge.net
Target Milestone: ---
mod_rewrite supports for years now REMOTE_ADDR *and* CONN_REMOTE_ADDR, see
samle below, mod_remoteip don't give you any information within a PHP script
about the physical connecting IP
this can be crucial when your reverse-proxy adds headers which you can use in
your application to make decisions because you should verify the source-ip to
make sure that header is trustable
the setup below has one big goal: decide via DNS if a website goes directly to
httpd or for high traffic pages over the reverse-proxy which in this case would
do TLS-offloading and sim,ilar decisions can happen within the application - or
better said it should be posible to do so
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{CONN_REMOTE_ADDR} !^192\.168\.196\.2
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</IfModule>
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-***@httpd.apache.org
For additional commands, e-mail: bugs-***@httpd.apache.org
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-***@httpd.apache.org
For additional commands, e-mail: bugs-***@httpd.apache.org