I've got mod_rpaf installed to get the user's IP address from the X-Forwarded-For header in PHP, Apache logs, etc. Unfortunately, it looks like I have to explicitly set which IPs that header will be respected from via the RPAFproxy_ips setting.

Given that ELBs don't have a static IP, how can I tell mod_rpaf to accept the header from any IP, or even any 10.* IP?
You can try to use mod_extract_forwarded instead of mod_rpaf — it supports "MEFaccept all" (and if you use RHEL/CentOS/other-clone, the package is already in EPEL). One downside of mod_extract_forwarded is that the X-Forwarded-For and Forwarded-For header names are hardcoded and not configurable like in mod_rpaf. There is no support for IP ranges even in mod_extract_forwarded, but you may configure a firewall to allow direct access to Apache only from some IP ranges, or check the MEF_RPROXY_ADDR environment variable in mod_rewrite rules.

After some more thinking about this I found a problem with this mod_extract_forwarded config — while mod_rpaf does not support chains of multiple proxies and takes just the last address from the X-Forwarded-For header, mod_extract_forwarded attempts to support this and uses the last address which does not belong to the trusted proxy list (so that if the request has passed through multiple trusted proxies, the actual client address will be used instead of the second-to-last proxy address). Unfortunately, using "MEFaccept all" means that mod_extract_forwarded will trust all proxies, therefore if ELB proxies just append their data to the X-Forwarded-For header, and not replace it completely, clients could pass any spoofed IP by sending requests with their own X-Forwarded-For headers.

However, I have found yet another module to parse X-Forwarded-For headers. Recent (unstable) Apache versions have the mod_remoteip module, which apparently supports subnet masks for proxy addresses. There is a backport to Apache 2.2 and a spec file for Fedora; unfortunately, the request to include the package in Fedora is stalled.

It doesn't look like you can, from a quick reading of the source. You could hack up the code pretty easily to just accept any source (by neutering the check at line 163 that looks like is_in_array(r->connection->remote_ip, cfg->proxy_ips) == 1), but that seems like a security risk. Is there some way you can ask Amazon what the load balancers you are behind are at runtime? If so you could generate the config on the fly...
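To make the trust-policy difference discussed in the two answers above concrete (mod_rpaf taking the last X-Forwarded-For address when the TCP peer is a trusted proxy, mod_extract_forwarded skipping trusted hops from the right, and what "MEFaccept all" or a neutered proxy check does to either), here is an added Python model of the two policies run over a few constructed requests. It is not code from either module or from anyone in this thread; the 10.0.0.0/8 trusted range, the ELB address and the client addresses are assumptions chosen for illustration.

```python
import ipaddress

# Constructed trusted-proxy range (assumption: the ELB nodes live in 10.0.0.0/8,
# as the question suggests). ACCEPT_ALL models "MEFaccept all" or a removed check.
TRUSTED_10 = [ipaddress.ip_network("10.0.0.0/8")]
ACCEPT_ALL = None


def is_trusted(addr, trusted):
    """True if addr lies in a trusted proxy network. trusted=None means accept-all."""
    if trusted is None:
        return True
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # garbage is never a trusted proxy
    return any(ip in net for net in trusted)


def parse_xff(header):
    """Split X-Forwarded-For: leftmost = claimed client, rightmost = nearest proxy."""
    return [p.strip() for p in header.split(",") if p.strip()]


def client_ip_rpaf_style(remote_ip, xff, trusted):
    """mod_rpaf as the thread describes it: if the TCP peer is a trusted proxy,
    use the LAST X-Forwarded-For address; otherwise keep the TCP peer address."""
    if not xff or not is_trusted(remote_ip, trusted):
        return remote_ip
    return parse_xff(xff)[-1]


def client_ip_mef_style(remote_ip, xff, trusted):
    """mod_extract_forwarded as the thread describes it: walk X-Forwarded-For from
    the right, skip trusted proxies, and use the first address that is not trusted."""
    if not xff or not is_trusted(remote_ip, trusted):
        return remote_ip
    hops = parse_xff(xff)
    for addr in reversed(hops):
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            return remote_ip  # malformed hop: do not trust the header at all
        if not is_trusted(addr, trusted):
            return addr
    # Every hop was a trusted proxy, so the leftmost entry is all that remains.
    # Under accept-all that is exactly whatever the client put in the header.
    return hops[0]


def resolve(remote_ip, xff, trusted):
    """Return both policies' answers for one request."""
    return {
        "rpaf": client_ip_rpaf_style(remote_ip, xff, trusted),
        "mef": client_ip_mef_style(remote_ip, xff, trusted),
    }


# Constructed scenarios. ELB_NODE is a made-up ELB address inside 10.0.0.0/8;
# CLIENT and SPOOF come from the RFC 5737 documentation ranges.
ELB_NODE, CLIENT, SPOOF = "10.0.1.7", "203.0.113.5", "198.51.100.99"

# 1. Honest client behind the ELB: the ELB appends the real client address.
HONEST = (ELB_NODE, CLIENT)
# 2. Client supplies its own header; the ELB appends the real address after it.
SPOOFED_VIA_ELB = (ELB_NODE, f"{SPOOF}, {CLIENT}")
# 3. Client reaches Apache directly (no firewall in front) with a forged header.
DIRECT = (CLIENT, SPOOF)

if __name__ == "__main__":
    cases = [("honest", HONEST), ("spoofed-via-elb", SPOOFED_VIA_ELB), ("direct", DIRECT)]
    for name, (peer, header) in cases:
        print(name,
              "trusted=10/8:", resolve(peer, header, TRUSTED_10),
              "accept-all:", resolve(peer, header, ACCEPT_ALL))
```

With the 10.0.0.0/8 list both policies report 203.0.113.5 in every scenario: the forged entry is skipped because the real client address sits to its right, and a direct connection from outside the range has its header ignored entirely. With accept-all, the mod_extract_forwarded walk ends at the client-supplied leftmost entry in scenario 2, and in scenario 3 both policies accept the forged value, which is the risk the second answer names when it warns against neutering the proxy check; the firewall rule suggested in the first answer is what closes scenario 3 when ranges cannot be configured.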
I just discovered that CloudFlare have created their own Apache module for doing this sort of thing and it does support CIDR notation for ranges. The IP addresses are hard-coded in the source code but since they provide the source code it's easy enough to add your own range in there.

A comment in the source code indicates that it was derived from mod_remoteip.c which is available in Apache 2.3 (or 2.5 depending on whether you look at the URL or the title of that page).