Annotation of apache-modules/mod_ip_forwarding/mod_ip_forwarding.html, revision 1.1
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
"http://www.w3.org/TR/REC-html40/loose.dtd">
<html>
<head>
<title>IP Forwarding Module: Compilation and Configuration</title>
</head>
<body>
<p>
<code>Created: 24/August/1998</code></p>

<h1>Web Mirroring Project<br>
IP Forwarding Module: compilation and configuration</h1>

<h2>Outline of the document:</h2>
<ul>
<li>
1. <a href="#1">Purpose</a>
</li>
<li>
2. <a href="#2">Compiling the IP Forwarding module into Apache</a>
</li>
<li>
3. <a href="#3">Configuring the IP Forwarding module</a>
<ul>
<li>
3.1 <a href="#3.1">New directives</a>
</li>
<li>
3.2 <a href="#3.2">Example</a>
</li>
</ul>
</li>
</ul>

<h3>Special considerations</h3>
<p>
This module is dependent on the Apache API. If you'd like to use the module on
an Apache version higher than v1.3.2, please <a href="mailto:jk@w3.org">mail
me</a>.</p>

<h3>Notation</h3>
<dl>
<dt>apache/</dt>
<dd>
The Apache source directory
</dd>
</dl>

<h2><a name="1"></a>1. Purpose</h2>
<p>
The motivation for this module was to be able to forward the IP address of the
source of a request between a proxy and the final destination server. Under
normal circumstances, this information is lost and the server only sees the
proxy's IP address, which hampers access control based on IP addresses. This
module answers this limitation in a transparent and secure way.</p>
<p>
Proxies forward the client's IP address inside a custom HTTP header. A server
only accepts this header from a user-defined list of authorized proxies. Once
the header is accepted, its value internally replaces the proxy's IP address,
so that the forwarded client address is the one seen by all access control and
CGI modules. This doesn't affect the actual IP address used to answer the
proxy (the two values are stored in different places).</p>

<h2><a name="2"></a>2. Compiling the IP forwarding module into Apache</h2>
<p>
This is what I do to compile the new module under Apache 1.2.6. These steps
may or may not change under newer versions of Apache (@@ this section isn't up
to date, but I use this module in Apache 1.3.4).</p>
<ol>
<li>
Copy the file <a
href="../src/mod_w3c_ip_forwarding.c">mod_w3c_ip_forwarding.c</a> to the
apache/src directory.
</li>
<li><p>
This module has to have the highest priority among the access control modules.
In the Apache 1.x Configuration file, modules listed later are given higher
priority, so make the following changes to your apache/src/Configuration file:
search for the following line and declare the new module under it:</p>

<pre># Module digest_module mod_digest.o

<strong>
##
## Module for forwarding an IP-address
##

Module w3c_ip_forwarding_module mod_w3c_ip_forwarding.o</strong></pre>
</li>
<li>
Execute the apache/Configure script.
</li>
<li>
Compile the httpd.
</li>
</ol>

<h2><a name="3"></a>3. Configuring the IP Forwarding module</h2>

<h3><a name="3.1"></a>3.1 New directives</h3>
<p>
The IP Forwarding module introduces the following directives to Apache:</p>
<dl>
<dt>ForwardClientIPAddress [on/off, default = off]</dt>
<dd>
Controls whether this server adds the client address header to the requests
it forwards
</dd>
<dt>AcceptForwardedClientIPAddress [on/off, default = off]</dt>
<dd>
Authorizes this server to accept the client address header
</dd>
<dt>X_ClientIPAddrHeader string [default = X_Fwd_IP_Addr]</dt>
<dd>
Customizable name of the header used to send the client IP address
</dd>
<dt>AuthorizedProxies [space-separated list of IP addresses]</dt>
<dd>
List of authorized proxies that may send the client address header
</dd>
</dl>
<p>
Note that you need to set up this module on both the proxy server and the
final destination server. In addition, both servers must use the same
<code>X_ClientIPAddrHeader</code> value. Finally, the final destination server
must add the address of the proxy server using the
<code>AuthorizedProxies</code> directive. This protects against intruders
spoofing this header (unless they also spoof the IP address).</p>

<h3><a name="3.2"></a>3.2 Example</h3>
<p>
Let's suppose I have a proxy on 134.129.20.116 and a server on 134.129.20.130.
In addition, my client is at 123.123.123.230. Here's a fragment of the proxy
and final server's configuration:</p>
<pre>## Proxy configuration
ProxyPass / http://tuvalu.inrialpes.fr:4050/
ForwardClientIPAddress On</pre>
<pre>## Server Configuration
AcceptForwardedClientIPAddress On
# Only the proxy's own address (134.129.20.116 here) may send the header
AuthorizedProxies 134.129.20.116</pre>
<p>
When the proxy contacts the server, it includes the following header (the
default <code>X_ClientIPAddrHeader</code> name, since neither server sets
one):</p>
<pre>X_Fwd_IP_Addr: 123.123.123.230</pre>
<p>
When the server calls a CGI script, it sends the following environment
variable:</p>
<pre>REMOTE_ADDR: 123.123.123.230</pre>
<p>
Note that the value of the REMOTE_ADDR environment variable corresponds to the
one in the X_Fwd_IP_Addr header. Also, the X_Fwd_IP_Addr header was removed
from the request, as the final server is not configured to forward it. To
continue forwarding the same header, you need to set ForwardClientIPAddress in
that server too.</p>
<p>
If a non-authorized proxy sends the custom header, the module will remove it
from the headers and add the following entry in the error log:</p>
<pre>[Mon Aug 24 15:57:48 1998] Unauthorized Proxy (132.129.20.116) tried to forward
a client IP address (123.123.123.230)</pre>
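<p>
The server-side rule described in sections 3.1 and 3.2 (strip the custom
header, trust its value only from an authorized proxy, re-emit it only when
forwarding is on, log the rest), as an added Python example that is not the
module's own code. <code>ForwardingConfig</code>, <code>process_request</code>
and the literal-IP validation of the forwarded value are assumptions of this
example; the page does not say how the C module validates the header value.</p>

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class ForwardingConfig:
    """One server's settings: the four directives of section 3.1."""
    accept_forwarded: bool = False          # AcceptForwardedClientIPAddress
    forward_client: bool = False            # ForwardClientIPAddress
    header_name: str = "X_Fwd_IP_Addr"      # X_ClientIPAddrHeader (its default)
    authorized_proxies: frozenset = frozenset()  # AuthorizedProxies

def _is_ip_address(value):
    # Added sanity check: the page does not say whether the module validates the value.
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def process_request(cfg, peer_addr, headers):
    """Return (remote_addr, outgoing_headers, log_lines) for one request.

    peer_addr is the TCP peer (the proxy, or a direct client); headers maps
    request header names to values as received. The custom header is always
    stripped from the request; its value replaces peer_addr only when this
    server accepts forwarding and the peer is an authorized proxy, and it is
    re-emitted only when this server is itself configured to forward."""
    log = []
    wanted = cfg.header_name.lower()  # HTTP header names are case-insensitive
    forwarded, remaining = None, {}
    for name, value in headers.items():
        if name.lower() == wanted:
            forwarded = value.strip()
        else:
            remaining[name] = value
    remote_addr = peer_addr
    if forwarded is not None:
        if not (cfg.accept_forwarded and peer_addr in cfg.authorized_proxies):
            log.append(f"Unauthorized Proxy ({peer_addr}) tried to forward "
                       f"a client IP address ({forwarded})")
        elif not _is_ip_address(forwarded):
            log.append(f"Proxy ({peer_addr}) forwarded a malformed "
                       f"client IP address ({forwarded!r})")
        else:
            remote_addr = forwarded  # what CGI scripts will see as REMOTE_ADDR
    if cfg.forward_client:
        remaining[cfg.header_name] = remote_addr
    return remote_addr, remaining, log
```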
<address>
<a href="mailto:jose@w3.org">Jose</a></address>

<br>
$Author: kahan $ $Date: 1998/08/24 16:29:46 $
</body>
</html>