Any way to change REMOTE_ADDR
| exocrew@gmail.com 2006-11-07, 7:18 pm |
| Hello,
Here's a scenario:
Apache 1 forwards request to (via mod_proxy) apache 2... Apache 2 runs
the php script and $_SERVER['REMOTE_ADDR'] shows the ip address of the
server (i.e. apache 1).
I don't have any other solution because that's the only way it can be,
however, I am not sure if it will require core hacking to modify the
environment variable REMOTE_ADDR.
Btw, I am using mod_php5 with Apache 2.2.3. Is there any modification I
can do to modify the REMOTE_ADDR variable and replace it with
X_FORWARDED_FOR _before_ passing the REMOTE_ADDR to PHP?
I know I can do this modification in php scripts
($_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR'];), but they
are in huge number so modifying it at apache level is the only
solution.
Thanks in advance for any help..
| |
| patpro ~ patrick proniewski 2006-11-07, 7:18 pm |
| In article <1162928872.057467.69560@h54g2000cwb.googlegroups.com>,
exocrew@gmail.com wrote:
> Btw, I am using mod_php5 with Apache 2.2.3. Is there any modification I
> can do to modify the REMOTE_ADDR variable and replace it with
> X_FORWARDED_FOR _before_ passing the REMOTE_ADDR to PHP?
>
> I know I can do this modification in php scripts
> ($_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR'];), but they
> are in huge number so modifying it at apache level is the only
> solution.
you could also use the auto_prepend_file directive to add a php file
before your scripts, so that REMOTE_ADDR takes the value of
HTTP_X_FORWARDED_FOR.
But frankly, I don't see a good reason to keep on using REMOTE_ADDR. You
could just search & replace REMOTE_ADDR with HTTP_X_FORWARDED_FOR in
your php code.
patpro
--
http://www.patpro.net/
| |
| exocrew@gmail.com 2006-11-08, 1:21 am |
| Hello,
Thanks for the response and auto_prepend_file has caused few
performance issues in the past but I think I will give it another try. I
was thinking if anyone knows a way to hack apache source or knows of a
3rd party module to accomplish this? I am sure people might've done it.
And since there are hundreds of scripts (programs/apps) running, I
cannot modify the $_SERVER['REMOTE_ADDR'] in all those scripts that's
why I was looking for an apache hack or a 3rd party module.
Again, thanks for your help.
patpro ~ patrick proniewski wrote:
> In article <1162928872.057467.69560@h54g2000cwb.googlegroups.com>,
> exocrew@gmail.com wrote:
>
>
> you could also use the auto_prepend_file directive to add a php file
> before your scripts, so that REMOTE_ADDR takes the value of
> HTTP_X_FORWARDED_FOR.
>
> But frankly, I don't see a good reason to keep on using REMOTE_ADDR. You
> could just search & replace REMOTE_ADDR with HTTP_X_FORWARDED_FOR in
> your php code.
>
> patpro
>
> --
> http://www.patpro.net/
| |
| Randal L. Schwartz 2006-11-13, 8:40 am |
| >>>>> "exocrew" == exocrew <exocrew@gmail.com> writes:
exocrew> Apache 1 forwards request to (via mod_proxy) apache 2... Apache 2 runs
exocrew> the php script and $_SERVER['REMOTE_ADDR'] shows the ip address of the
exocrew> server (i.e. apache 1).
If you were also running mod_perl (which has access to all
phases, not like mod_php), you could run the following handler
in your PerlPostReadRequestHandler phase:
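
    package My::PatchProxyIP;

    use strict;

    use Apache2::RequestRec ();   # $r->headers_in, $r->connection
    use Apache2::Connection ();   # $c->remote_ip
    use APR::Table ();            # tied-hash access to headers_in
    use Apache2::Const qw(DECLINED);

    sub handler {
      my $r = shift;

      # Nothing to do when the request carries no X-Forwarded-For header.
      return DECLINED unless my $xff = $r->headers_in->{'X-Forwarded-For'};

      # Only believe the header when the connection comes from the proxy.
      for ($r->connection->remote_ip) {
        return DECLINED unless $_ eq "127.0.0.1"; # localhost proxy
      }

      # Take the last address in the list as the client IP ...
      if ($xff =~ s/([^,\s]+)\z//) {
        my $new = $1;
        $r->connection->remote_ip($new);
        ## $r->warn("patched IP to $new for ", $r->uri);
        # ... and drop the trailing separator from what remains.
        $xff =~ s/([,\s]+)\z//;
        $r->headers_in->{'X-Forwarded-For'} = $xff;
      }

      return DECLINED;
    }

    1;

via

    PerlPostReadRequestHandler My::PatchProxyIP
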
in the conf file. mod_perl rocks.
Note that you have to be careful not to patch it up *unless* it's coming from
a safe host. Otherwise, someone connecting to your backend server
directly might spoof an arbitrary address.
--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment PERL training!
--
Posted via a free Usenet account from http://www.teranews.com
| |
| exocrew@gmail.com 2006-11-13, 8:40 am |
| Hello,
Thanks Randal. Inspired by your reply, I came up with a solution to
actually set the REMOTE_ADDR env/apache variable. I just used apache
functions (though limited, but useful), built into php.
An auto_prepend_file (yes, affects I/O performance a bit), is used and
it rewrites REMOTE_ADDR using apache_setenv() function.
Thanks everyone for your help. I think I can live with this solution
for now.
Randal L. Schwartz wrote:
>
> exocrew> Apache 1 forwards request to (via mod_proxy) apache 2... Apache 2 runs
> exocrew> the php script and $_SERVER['REMOTE_ADDR'] shows the ip address of the
> exocrew> server (i.e. apache 1).
>
> If you were also running mod_perl (which has access to all
> phases, not like mod_php), you could run the following handler
> in your PerlPostReadRequestHandler phase:
>
> package My::PatchProxyIP;
>
> use strict;
>
> use Apache2::Const qw(DECLINED);
>
> sub handler {
> my $r = shift;
> return DECLINED unless my $xff = $r->headers_in->{'X-Forwarded-For'};
>
> for ($r->connection->remote_ip) {
> return DECLINED unless $_ eq "127.0.0.1"; # localhost proxy
> }
>
> if ($xff =~ s/([^,\s]+)\z//) {
> my $new = $1;
> $r->connection->remote_ip($new);
> ## $r->warn("patched IP to $new for ", $r->uri);
> $xff =~ s/([,\s]+)\z//;
> $r->headers_in->{'X-Forwarded-For'} = $xff;
> }
>
> return DECLINED;
> }
>
> 1;
>
> via
>
> PerlPostReadRequestHandler My::PatchProxyIP
>
> in the conf file. mod_perl rocks.
>
> Note that you have to be careful not to patch it up *unless* it's coming from
> a safe host. Otherwise, someone connecting to your backend server
> directly might spoof an arbitrary address.
>
> --
> Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
> <merlyn@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
> Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
> See PerlTraining.Stonehenge.com for onsite and open-enrollment PERL training!
>
> --
> Posted via a free Usenet account from http://www.teranews.com
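
The auto_prepend_file approach from the last post, combined with the safe-host check Randal Schwartz describes, as an added example that is not code from any poster in the thread. The file name, `TRUSTED_PROXIES`, `resolve_client_ip()` and the `PROXY_ADDR` key are hypothetical names, and the code assumes PHP 7.1 or later with a front-end proxy that appends to X-Forwarded-For.

```php
<?php
// prepend_client_ip.php: added example (hypothetical file name), loaded with
//   php_value auto_prepend_file /path/to/prepend_client_ip.php
// Assumes PHP 7.1+ and that the front-end proxy (Apache 1) appends to
// X-Forwarded-For, as mod_proxy does.

// Assumption: addresses of the proxies allowed to vouch for a client.
const TRUSTED_PROXIES = ['127.0.0.1'];

// Decide which address to treat as the client, given the TCP peer and the
// raw X-Forwarded-For value. Returns $peer whenever the header is not usable.
function resolve_client_ip(string $peer, ?string $xff, array $trusted): string
{
    // A header sent by anyone other than a trusted proxy is client-controlled.
    if ($xff === null || !in_array($peer, $trusted, true)) {
        return $peer;
    }
    // Each proxy appends the peer it saw, so read right to left and stop at
    // the first hop that is not one of our own proxies.
    foreach (array_reverse(explode(',', $xff)) as $hop) {
        $hop = trim($hop);
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $peer;               // malformed entry: keep the real peer
        }
        if (!in_array($hop, $trusted, true)) {
            return $hop;
        }
    }
    return $peer;                       // header listed only our proxies
}

$peer   = $_SERVER['REMOTE_ADDR'] ?? '';
$client = resolve_client_ip($peer, $_SERVER['HTTP_X_FORWARDED_FOR'] ?? null, TRUSTED_PROXIES);
if ($client !== $peer) {
    $_SERVER['PROXY_ADDR']  = $peer;    // hypothetical key: keeps the real peer
    $_SERVER['REMOTE_ADDR'] = $client;
    if (function_exists('apache_setenv')) {
        apache_setenv('REMOTE_ADDR', $client);  // as in the thread's solution
    }
}

// Constructed inputs, checked only when run from the command line.
if (PHP_SAPI === 'cli') {
    assert(resolve_client_ip('127.0.0.1', '10.9.9.9, 203.0.113.7', TRUSTED_PROXIES) === '203.0.113.7');
    assert(resolve_client_ip('198.51.100.5', '203.0.113.7', TRUSTED_PROXIES) === '198.51.100.5');
    assert(resolve_client_ip('127.0.0.1', '203.0.113.7, junk', TRUSTED_PROXIES) === '127.0.0.1');
}
```

The second constructed case is the direct connection to the back end that the caveat above warns about: the peer is not a listed proxy, so its X-Forwarded-For value is ignored.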