Mailing List Archive

catalyst psgi behind 2 apache reverse proxies
dear all,

another deployment question :)
surroundings: catalyst, psgi, starman, apache2.
but in our setup there are *two* apache2s doing reverse proxies before the request reaches the starman server.

so what happened:

the http headers look like this (for catalyst)
X-FORWARDED-FOR: <clients-ip>, <proxy2-ip>
REQUEST_IP_ADDRESS: <proxy2-ip>

what Plack::Middleware::ReverseProxy does is put the LAST ip in the forwarded-for header into
$env->{REMOTE_ADDR}
which is actually not the IP of the client.
why is that happening?
shouldn't it take the first IP, so catalyst has access to the original request's IP?

my apache proxy configs look like this...
is there something wrong with the proxies config ?

thanks for hints!
cheers, bernhard




--------------------
proxy 1 (connectivity from "outside")

<VirtualHost *:80>

    ServerName publicdomain.com

    ProxyRequests Off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass / http://10.0.200.8:80/
    ProxyPassReverse / http://10.0.200.8:80/
    ProxyPreserveHost On
</VirtualHost>

--------------------
proxy 2 (connectivity from "inside")

<VirtualHost *:80>
    ServerName publicdomain.com

    # don't lose time with IP address lookups
    HostnameLookups Off
    # helpful for named virtual hosts
    UseCanonicalName Off

    # ---------------------------
    # HANDLE STATIC FILES
    # ---------------------------
    Alias /static /usr/local/....MyApp/root/static
    <Location /static>
        SetHandler default-handler
        # allow access (that's new in apache 2.4, see http://httpd.apache.org/docs/2.4/upgrading.html#access)
        Require all granted
    </Location>
    # exclusions must precede the general ProxyPass below
    ProxyPass /static/ !

    # ---------------------------
    # DYNAMIC REQUESTS (starman)
    # ---------------------------
    RewriteEngine On
    ProxyPreserveHost On

    ProxyPass / http://localhost:5000/
    ProxyPassReverse / http://localhost:5000/
</VirtualHost>






Bernhard Bauch
Webdevelopment

ZSI-Zentrum für Soziale Innovation GmbH
Centre for Social Innovation

Linke Wienzeile 246, A-1150 Wien, Austria
Mail: bauch@zsi.at
Skype: berni-zsi
Re: catalyst psgi behind 2 apache reverse proxies
Do you have...

__PACKAGE__->config(
using_frontend_proxy => 1,
);

?

Re: catalyst psgi behind 2 apache reverse proxies
Ahh yes, sure I have.
Otherwise $c->uri_for would not produce useless URLs.


On 08 Jul 2015, at 16:51, Robert Brown <rob@intelcompute.com> wrote:

> Do you have...
>
> __PACKAGE__->config(
> using_frontend_proxy => 1,
> );
>
> ?


Bernhard Bauch
Re: catalyst psgi behind 2 apache reverse proxies
sorry.
s =~ /less/ful/

On 08 Jul 2015, at 16:55, Bernhard Bauch <bauch@zsi.at> wrote:

> Ahh yes, sure i have.
> otherwise $c->uri_for would not produce useless urls.


Bernhard Bauch
Re: catalyst psgi behind 2 apache reverse proxies
* Bernhard Bauch <bauch@zsi.at> [2015-07-08 16:50]:
> surroundings: catalyst, psgi, starman, apache2.
> but in our setup there are *two* apache2s doing reverse proxies before
> the request reaches the starman server.
>
> so what happened:
>
> the http headers look like this (for catalyst)
> X-FORWARDED-FOR: <clients-ip>, <proxy2-ip>
> REQUEST_IP_ADDRESS: <proxy2-ip>
>
> what Plack::Middleware::ReverseProxy does is put the LAST ip in the
> forwarded-for header into
> $env->{REMOTE_ADDR}
> which is actually not the IP of the client.
> why is that happening?

Because any other IPs could be untrustworthy. The client could include
an X-Forwarded-For header with bogus content, or there could be a proxy
legitimately sitting between you and the ultimate client (e.g. a caching
proxy run by the user’s ISP)… there are many scenarios.

> shouldn't it take the first IP, so catalyst has access to the original
> request's IP?

Absolutely not. It cannot know whether that IP is trustworthy.

> my apache proxy configs look like this...
> is there something wrong with the proxies config ?

IMO, yes.

I think the correct solution here is to encode into your deployment
infrastructure the knowledge that a) there are two proxies and b) that
they are both trusted.

Using the ReverseProxy means you have already told the app that the
app-facing proxy exists and is trusted.

But also telling it that the world-facing proxy exists and is trusted
would IMO put too much knowledge about your specific infrastructure
layout in the app.

Instead you should tell the app-facing proxy that the world-facing
proxy is trusted. That way the different parts of your infrastructure
are more self-contained and independent.

Unfortunately I don’t speak Apache very well any more but I *think* what
you want is to load mod_remoteip on proxy 2 and then add something like

RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 10.0.200.0/24

to its config.

Or maybe you have to configure the proxy 2 to just leave X-Forwarded-For
alone (which implicitly means it trusts whatever proxy 1 has put there).
(No idea if that’s possible or how.)

I can’t say what exactly will work but something along these lines would
be my approach.

> thanks for hints!
> cheers, bernhard

Hope this helps.

Regards,
--
Aristotle Pagaltzis // <http://plasmasturm.org/>

_______________________________________________
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
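The trusted-proxy walk Aristotle describes, as an added example that is not Plack::Middleware::ReverseProxy's or mod_remoteip's code: resolving the client address from X-Forwarded-For starts at the peer that actually connected and only steps leftwards across hops that are declared trusted, which reproduces the symptom from the first message when only the app-facing hop is trusted, and shows why taking the first entry would let a client pick its own address. All addresses, trusted ranges and header values are constructed for the demo, and how a malformed hop is handled is this example's choice.

```python
# Added example (not Plack's or Apache's code): a trusted-proxy walk over
# X-Forwarded-For (XFF), modelled on mod_remoteip's RemoteIPInternalProxy.
import ipaddress

def _parse(ip):
    try:
        return ipaddress.ip_address(ip)
    except ValueError:
        return None

def append_hop(xff, peer_ip):
    """What each reverse proxy does: append the address of the peer that
    connected to it to the XFF value it received."""
    return f"{xff}, {peer_ip}" if xff else peer_ip

def resolve_client_ip(remote_addr, xff, trusted_cidrs):
    """Step leftwards through XFF from the connecting peer while the current
    address is a trusted proxy; a malformed hop ends the walk (our choice)."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    client = remote_addr
    while hops:
        addr = _parse(client)
        if addr is None or not any(addr in n for n in trusted):
            break                       # current hop is not a trusted proxy
        candidate = hops.pop()
        if _parse(candidate) is None:
            break                       # garbage in the header: stop here
        client = candidate
    return client

def naive_first_ip(xff, remote_addr):
    """What the original poster asked for: trust the leftmost XFF entry."""
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    return hops[0] if hops else remote_addr

# Constructed topology (all addresses made up): client -> proxy 1 (10.0.200.1)
# -> proxy 2 -> Starman on the same host as proxy 2, so its peer is 127.0.0.1.
CLIENT, PROXY1, LOOPBACK = "203.0.113.7", "10.0.200.1", "127.0.0.1"
ONE_HOP = ["127.0.0.1/32"]                    # what ReverseProxy alone implies
BOTH = ["127.0.0.1/32", "10.0.200.0/24"]      # both proxies declared trusted

def as_seen_by_starman(client_sent_xff=""):
    """Return (REMOTE_ADDR, XFF) after the request crossed both proxies."""
    xff = append_hop(client_sent_xff, CLIENT)   # proxy 1 appends the client
    xff = append_hop(xff, PROXY1)               # proxy 2 appends proxy 1
    return LOOPBACK, xff

if __name__ == "__main__":
    ra, xff = as_seen_by_starman()
    print(resolve_client_ip(ra, xff, ONE_HOP))   # 10.0.200.1: the symptom
    print(resolve_client_ip(ra, xff, BOTH))      # 203.0.113.7: the real client
    ra, xff = as_seen_by_starman("198.51.100.99")  # client forged its own XFF
    print(resolve_client_ip(ra, xff, BOTH))      # 203.0.113.7: forgery ignored
    print(naive_first_ip(xff, ra))               # 198.51.100.99: forgery wins
```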
Re: catalyst psgi behind 2 apache reverse proxies
Yes, great!
using apache mod_remoteip and

> RemoteIPHeader X-Forwarded-For
> RemoteIPInternalProxy 10.0.200.0/24
on the 2nd proxy helped!

what also helped: telling the second apache not to touch the headers with:
ProxyAddHeaders Off
(apache: Available in version 2.3.10 and later)

thanks for help:)
cheers, bernhard


Bernhard Bauch