Annotation of apache-modules/mod_ip_forwarding/mod_ip_forwarding.html, revision 1.4
1.1 kahan 1: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
2: "http://www.w3.org/TR/REC-html40/loose.dtd">
3: <html>
4: <head>
1.4 ! kahan 5: <meta http-equiv="Content-Type" content="">
! 6: <title>IP Forwarding Module: Compilation and Configuration</title>
1.1 kahan 7: </head>
1.4 ! kahan 8:
1.2 kahan 9: <body bgcolor="#ffffff">
10: <p><code>Created: 24/August/1998</code></p>
11: <hr>
1.1 kahan 12:
1.2 kahan 13: <h1 style="text-align: center"><span style="color: #E55500">mod_ip_forwarding
14: v1.1</span></h1>
15: <hr>
16:
17: <h2>Outline of the document</h2>
1.1 kahan 18: <ul>
1.4 ! kahan 19: <li>1. <a href="#1">Purpose</a></li>
! 20: <li>2. <a href="#2">Compiling the IP Forwarding module into Apache</a></li>
! 21: <li>3. <a href="#3">Configuring the IP Forwarding module</a>
! 22: <ul>
! 23: <li>3.1 <a href="#3.1">New directives</a></li>
! 24: <li>3.2 <a href="#3.2">Example</a></li>
! 25: </ul>
! 26: </li>
! 27: <li>4. <a href="#4.">Security Notes</a></li>
1.1 kahan 28: </ul>
29:
30: <h3>Special considerations</h3>
1.2 kahan 31:
1.4 ! kahan 32: <p>This module is dependent on the Apache API. If you'd like to use the
! 33: module on an Apache version higher than v1.3.6, please <a
1.2 kahan 34: href="mailto:jose@w3.org">mail me</a>.</p>
1.1 kahan 35:
36: <h3>Notation</h3>
37: <dl>
1.4 ! kahan 38: <dt>apache/</dt>
! 39: <dd>The apache source directory</dd>
1.1 kahan 40: </dl>
41:
42: <h2><a name="1"></a>1. Purpose<a name="2."></a></h2>
1.2 kahan 43:
44: <p>The motivation for this module was to be able to forward the IP address of
45: the source of a request between a proxy and the final destination server.
46: Under normal circumstances, this information is lost and the server only sees
47: the proxy's IP address. This hampers access control based on IP addresses.
48: This module answers this limitation in a transparent and secure way.</p>
49:
50: <p>Proxies forward the IP address inside a custom HTTP header. A server only
1.1 kahan 51: accepts this new header from a list of user-defined authorized proxies. Once
52: the header is accepted, it's internally substituted with the proxy's IP
53: address, so that this value is used for all access control and CGI modules.
54: This doesn't affect the actual IP address used to answer the proxy (they are
55: stored in different places).</p>
56:
1.4 ! kahan 57: <h2><a name="1"></a>2. Compiling the IP forwarding module into Apache</h2>
1.2 kahan 58:
1.4 ! kahan 59: <h3>2.1 Apache 2.4.x (or superior)</h3>
! 60:
! 61: <p>This is what I do to compile the new module under Apache 2.4.3. I compile
! 62: it as a shared library. You don't need to compile apache yourself anymore.
! 63: Isn't life beautiful? These steps may change or not under newer versions of
! 64: Apache.</p>
1.1 kahan 65: <ol>
1.4 ! kahan 66: <li>Copy the apache 2 file <a
! 67: href="../src/mod_w3c_ip_forwarding.c">mod_w3c_ip_forwarding.c</a> to a
! 68: local directory</li>
! 69: <li>Compile and install the module as follows:
! 70: <p><code># /path/to/this/tool/apxs2 -i -a -c
! 71: /path/to/mod_ip_forwarding.c</code></p>
! 72: </li>
! 73: </ol>
1.2 kahan 74:
1.4 ! kahan 75: <p>Note that module has to have the highest priority among the access control
! 76: modules. If you're using other proprietary access control modules, this
! 77: module should correspond to the last <code>activate-module </code>option.
! 78: Alternatively, you may use the Apache <code>ClearModuleList</code> and
! 79: <code>AddModule</code> configuration directives to reorder the modules. Also
! 80: note that you need to enable the <code>proxy</code> module too, as you want
! 81: to proxy requests.</p>
1.1 kahan 82:
1.4 ! kahan 83: <h3>2.2 Apache <a name="1." id="1.">1.3.x</a></h3>
1.1 kahan 84:
1.4 ! kahan 85: <p>This is what I do to compile the new module under Apache 1.3.4. These
! 86: steps may change or not under newer versions of Apache.</p>
! 87: <ol>
! 88: <li>Copy the apache (1) file <a
! 89: href="http://dev.w3.org/cvsweb/~checkout~/apache-modules/mod_ip_forwarding/mod_ip_forwarding.c?rev=1.4">mod_w3c_ip_forwarding.c</a>
! 90: to the apache/src/modules/extra directory.
! 91: <p><em><strong>Note that you must follow this link to get the correct
! 92: version of this file. The latest version will only compile on apache
! 93: 2.x..</strong></em></p>
! 94: </li>
! 95: <li>Compile the module as follows:
! 96: <p><code># cd apache</code></p>
! 97: <p><code># ./configure --prefix=/usr/local/apache \</code></p>
! 98: <p><code>--enable-module=proxy \</code></p>
! 99: <p><code>--activate-module=src/modules/extra/mod_ip_forwarding.c</code></p>
! 100: <p><code># make</code></p>
! 101: <p><code># make install</code></p>
! 102: </li>
1.1 kahan 103: </ol>
1.2 kahan 104: Note that module has to have the highest priority among the access control
1.4 ! kahan 105: modules. If you're using other proprietary access control modules, this
! 106: module should correspond to the last <code>activate-module </code>option.
1.2 kahan 107: Alternatively, you may use the Apache <code>ClearModuleList</code> and
108: <code>AddModule</code> configuration directives to reorder the modules. Also
1.4 ! kahan 109: note that you need to enable the <code>proxy</code> module too, as you want
! 110: to proxy requests.
! 111:
! 112: <h3>2.3 Debian package<em></em></h3>
! 113:
! 114: <p><em>(To be completed)</em></p>
1.2 kahan 115:
1.1 kahan 116: <h2><a name="2">3</a>. Configuring the IP Forwarding module</h2>
117:
118: <h3><a name="2.1"></a>3.1 New directives</h3>
1.2 kahan 119:
120: <p>The IP Forwarding module introduces three directives to Apache:</p>
1.1 kahan 121: <dl>
1.4 ! kahan 122: <dt>ForwardClientIPAddress [on/off default = off]</dt>
! 123: <dd>Controls forwarding of the X_Client_Address header</dd>
! 124: <dt>AcceptForwardedClientIPAddress [on/off default = off]</dt>
! 125: <dd>Authorizes accepting an X_Client_Address header</dd>
! 126: <dt>LogUnauthorizedIPForwarding [on/off default = on]</dt>
! 127: <dd>Logs any unauthorized attemp to forward an IP address</dd>
! 128: <dt>X_ClientIPAddrHeader string [default = X_Fwd_IP_Addr]</dt>
! 129: <dd>Customizable header string for sending the client ip _addr</dd>
! 130: <dt>AuthorizedProxies [space separated list of IP addresses]</dt>
! 131: <dd>List of authorized proxies who can send an X_Client_Address
! 132: header</dd>
1.1 kahan 133: </dl>
1.2 kahan 134:
135: <p>Note that you need to set up this module on both the proxy server and the
1.1 kahan 136: final destination server. In addition, both servers must use the same
1.4 ! kahan 137: <code>X_ClientIPAddrHeader</code> value. Finally, the final destination
! 138: server must add the address of the proxy server using the
1.1 kahan 139: <code>AuthorizedProxies</code> directive. This protects against intruders
140: spoofing this header (unless they also spoof the IP address).</p>
141:
1.3 kahan 142: <p><em>The following is a tip contributed by Paul Roe. Thanks!</em></p>
143:
1.4 ! kahan 144: <p>If you're using this module as an Apache precompiled module (dynamic
1.3 kahan 145: modules that are downloaded at runtime), you need to add the following
146: configuration directive:</p>
147: <dl>
1.4 ! kahan 148: <dt>LoadModule ip_forwarding_module
! 149: /path_to_apache_modules/mod_ip_forwarding.so</dt>
1.3 kahan 150: </dl>
1.4 ! kahan 151:
1.3 kahan 152: <p>Note that the Debian apache-common-1.3.12-1 package seems to have renamed
1.4 ! kahan 153: this module as w3c_ip_forwarding_module. In this case, you need to load the
1.3 kahan 154: precompiled module as follows:</p>
155: <dl>
1.4 ! kahan 156: <dt>LoadModule w3c_ip_forwarding_module
! 157: /path_to_apache_modules/mod_ip_forwarding.so</dt>
1.3 kahan 158: </dl>
159:
1.1 kahan 160: <h3><a name="3.2"></a>3.2 Example</h3>
1.2 kahan 161:
162: <p>Let's suppose I have a proxy on 134.129.20.116 and a server on
163: 134.129.20.130. In addition, my client is at 123.123.123.123. Here's a
164: fragment of the proxy and final server's configuration:</p>
165: <pre>## Proxy configuration (may also be setup using mod_rewrite)
166: ProxyPass / http://134.129.20.130/
1.1 kahan 167: ForwardClientIPAddress On</pre>
168: <pre>## Server Configuration
169: AcceptForwardedClientIPAddress On
170: AuthorizedProxies 132.129.20.116</pre>
1.2 kahan 171:
172: <p>When the proxy contacts the server, it includes the following header:</p>
173: <pre>X_Forward_IP_Addr: 123.123.123.123</pre>
174:
175: <p>When the server calls a CGI-script, it sends the following environment
1.1 kahan 176: variable:</p>
1.2 kahan 177: <pre>REMOTE_ADDR: 123.123.123.123</pre>
178:
179: <p>Note that the value of the REMOTE_ADDR environment variable corresponds to
180: the one in the X_FWD_IP_ADDR header. Also, the X_ header was removed, as the
181: final server is not configured to forward the X_ header. To continue
1.4 ! kahan 182: forwarding the same header, you need to set the ForwardClientIPAddress in
! 183: that server too.</p>
1.2 kahan 184:
185: <p>If a non-authorized proxy (say,<code> 132.129.20.116</code>) sends the
186: custom header, the module will remove it from the headers and add the
187: following entry in the error log:</p>
1.1 kahan 188: <pre>[Mon Aug 24 15:57:48 1998] Unauthorized Proxy (132.129.20.116) tried to forward
1.2 kahan 189: a client IP address (123.123.123.123)</pre>
190:
191: <h2><a name="4.">4.</a> Security notes</h2>
192:
193: <p>This module does not implement a full-blown secure ip@ forwarding
194: mechanism. In particular, there are two weak security points:</p>
195: <ul>
1.4 ! kahan 196: <li><strong>IP spoofing.</strong> There's no protection against an
! 197: intruder's spoofing of the IP@ of an authorized proxy. Under such an
! 198: attack, the intruder may send any IP@ he wants in the<code>
! 199: X_ClientIPAddrHeader</code> heeader. This attack is less important when
! 200: the authorized proxy is on the border of a firewall and the destination
! 201: server is behind the firewall.</li>
! 202: <li><strong>Denial of service</strong>. The module generates a log message
! 203: each time that it detects an an IP@ forwarding by an unauthorized proxy.
! 204: An intruder may attempt filling up a server's logs with a flood of
! 205: unauthorized IP@ forwarding requests. If this attacks occurs, you can
! 206: temporarily turn off the logging by means of the module's
! 207: <code>LogUnauthorizedIPForwarding</code> directive.</li>
1.2 kahan 208: </ul>
209:
210: <p></p>
211: <hr>
1.1 kahan 212: <address>
1.4 ! kahan 213: <a href="mailto:jose@w3.org">Jose</a>
! 214: </address>
! 215: $Author: kahan $ $Date: Wednesday 01 February 2006 - 18:31:07$</body>
1.1 kahan 216: </html>
Webmaster