mod_rpaf no longer resolves the right IPs for mod_status?

Question

mod_rpaf no longer resolves the right IPs for mod_status?

archon810 opened this issue 7 years ago · comments

Artem Russakovskii commented 7 years ago

Hello again,

I have recently upgraded from OpenSUSE 42.1 to 42.3, with which came a few changes to the software, namely Apache 2.4.16 -> 2.4.29 (but same issue happens with 2.4.23). mod_rpaf seems to be roughly the same - mod_rpaf-0.8.4~rc3. As far as I can tell, mod_status is part of Apache.

Before the upgrade, mod_rpaf was showing the right IPs in mod_status (server_name/server-status). After the upgrade, all I'm seeing is 127.0.0.1.

Here are 2 screenshots showing the differences. I checked the module loading order, and it seems to be the same - rpaf is listed first. What could be causing this?

Thank you.

Geoffrey McRae · Answer 1 · Thu Dec 14 2017 17:00:37 GMT+0800 (China Standard Time)

Please share your mod_rpaf configuraiton.

Artem Russakovskii · Answer 2 · Thu Dec 14 2017 18:21:02 GMT+0800 (China Standard Time)

@gnif The configuration is based on #47 (comment).

Here it is:

# Enable setting of IPs if behind a proxy.
# Accept local and Cloudflare IPs.
<IfModule mod_rpaf.c>
    RPAF_Enable On
    RPAF_SetHostName On
    RPAF_ProxyIPs 127.0.0.1 ::1 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 104.16.0.0/12 108.162.192.0/18 131.0.72.0/22 141.101.64.0/18 162.158.0.0/15 172.64.0.0/13 173.245.48.0/20 188.114.96.0/20 190.93.240.0/20 197.234.240.0/22 198.41.128.0/17 199.27.128.0/21 2400:cb00::/32 2606:4700::/32 2803:f800::/32 2405:b500::/32 2405:8100::/32 2c0f:f248::/32 2a06:98c0::/29
    RPAF_Header X-Forwarded-For
</IfModule>

The correct IP shows up in apache logs, so I know mod_rpaf is working there. The logs use this mod_log_config definition:
LogFormat "%{REQUEST_SCHEME}x://%{Host}i %a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %{CF-Ray}i" proxy

Albaro Pereyra · Answer 3 · Wed Jan 24 2018 05:42:28 GMT+0800 (China Standard Time)

I have a similar issue on FreeBSD a recent upgrade broke my set-up. I used to have the mod enabled in the httpd.conf file then I had a .conf file in the Includes folder with the following lines: RPAFenable On\nRPAFproxyips 10.0.0.10

I realized the upgrade created a file in modules.d named 200_mod_rpaf.conf I renamed this file to 200_mod_rpaf.conf.bak and reconfigured my original .conf file. It now looks like the following:
<IfModule mod_rpaf.c>
# Enable reverse proxy add forward
RPAF_Enable On
# What IPs & bitmasked subnets to adjust requests for
RPAF_Header X-Real-Ip
RPAF_ProxyIPs 127.0.0.1 10.0.0.0/24
RPAF_SetHostName On
RPAF_SetHTTPS On
RPAF_SetPort On
</IfModule>

The problem is that the access log, logs the local ip 10.0.0.10 but, if I send a message through a Wordpress form it passes the clients public IP.

I am using the default Log format:
LogFormat "%h %l %u %t "%r" %>s %b" common

Can you help me diagnose this problem?

What changed? or is it that my new config file is not the same as before?

Please advise,

renton · Answer 4 · Wed Apr 04 2018 00:38:21 GMT+0800 (China Standard Time)

@archon810 Try this patch

--- mod_rpaf.orig/mod_rpaf.c    2018-04-03 19:29:59.177354125 +0300
+++ mod_rpaf-1gb/mod_rpaf.c     2018-04-03 19:29:36.416814029 +0300
@@ -319,7 +319,11 @@
     apr_sockaddr_t *tmpsa;
     int ret = apr_sockaddr_info_get(&tmpsa, r->DEF_IP, APR_UNSPEC, tmpport, 0, tmppool);
     if (ret == APR_SUCCESS)
-        memcpy(r->DEF_ADDR, tmpsa, sizeof(apr_sockaddr_t));
+        #if AP_SERVER_MAJORVERSION_NUMBER >= 2 && AP_SERVER_MINORVERSION_NUMBER >= 4
+            r->DEF_ADDR = tmpsa;
+        #else
+            memcpy(r->DEF_ADDR, tmpsa, sizeof(apr_sockaddr_t));
+        #endif
     if (cfg->sethostname) {
         const char *hostvalue;
         if ((hostvalue = apr_table_get(r->headers_in, "X-Forwarded-Host")) ||

Artem Russakovskii · Answer 5 · Wed Apr 04 2018 02:51:58 GMT+0800 (China Standard Time)

@renton- Thanks for the patch, but I only use the repo-supplied (OpenSUSE) modules and apache, so I can't test this.

Geoffrey McRae · Answer 6 · Wed Apr 04 2018 06:59:02 GMT+0800 (China Standard Time)

@renton this will have unintended side effects, when tmppool is destroyed the pointer you are assigning to DEF_ADDR will be freed and Apache will be left trying to access now invalid memory.

Rangel Ivanov · Answer 7 · Wed Oct 09 2019 18:30:42 GMT+0800 (China Standard Time)

Hmm trying to figure out how to properly fix this and I'm a bit confused. I presume that the tmppool
will be present for the life time of the request? If that's the case I don't think this is an issue.

Another way is to use the request's r->pool to guarantee that r->DEF_ADDR will be freed
when the request_rec pool is destroyed?

@gnif Any suggestions?

Geoffrey McRae · Answer 8 · Wed Oct 09 2019 19:10:06 GMT+0800 (China Standard Time)

I am sorry @ironsteel I no longer have any production servers running this module nor the time anymore to maintain it. I do highly suggest you see if mod_realip can suit your requirements and if not, perhaps ask the developers for the features you require.

Andrei D. · Answer 9 · Wed Oct 09 2019 21:17:43 GMT+0800 (China Standard Time)

you should probably add a "not for production use" disclaimer.

Artem Russakovskii · Answer 10 · Tue Oct 15 2019 01:54:04 GMT+0800 (China Standard Time)

The module seems to be called mod_remoteip http://httpd.apache.org/docs/2.4/mod/mod_remoteip.html, and I've successfully migrated to it for my purposes. Now apache status shows the correct IPs again, so I'm going to remove mod_rpaf from my module list.

Thanks @gnif for the tip.