www/apache
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-07 04:02:58 +03:00
Code Activity

Further clarify the naming of the entity that directly connects to us by

Browse Source 
calling that entity a client instead of a peer.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1214015 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Graham Leggett
2011-12-14 01:10:52 +00:00
parent 8cea5c4275
commit cb21a0dbcc
16 changed files with 75 additions and 74 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
docs/manual/developer/new_api_2_4.xml
View File

@@ -153,9 +153,9 @@
<li>Modules that load other modules later than the EXEC_ON_READ config
reading stage need to call ap_reserve_module_slots() or
ap_reserve_module_slots_directive() in their pre_config hook.</li>
<li>The client IP address per request can now be specified independently
of the peer IP address of the connection for the benefit of load
balancers</li>
<li>The useragent IP address per request can now be specified
independently of the client IP address of the connection for
the benefit of load balancers</li>
</ul>
</section>
@@ -459,8 +459,8 @@
<dd>This has been renamed to ap_unixd_config.</dd>
<dt><code>conn_rec->remote_ip and conn_rec->remote_addr</code></dt>
<dd>In order to distinguish between the peer IP address of the
connection, and the client IP address of the request potentially
<dd>In order to distinguish between the client IP address of the
connection, and the useragent IP address of the request potentially
overridden by a load balancer or proxy, the above variables have
been renamed. If a module makes reference to either of the above
variables, they need to be replaced with one of the following two
@@ -471,10 +471,10 @@
separated from the server by a transparent load balancer or
proxy, use request_rec->useragent_ip and
request_rec->useragent_addr.</li>
<li>When you require the IP address of the peer that is
connected directly to the server, which might be the client or
<li>When you require the IP address of the client that is
connected directly to the server, which might be the useragent or
might be the load balancer or proxy itself, use
conn_rec->peer_ip and conn_rec->peer_addr.</li>
conn_rec->client_ip and conn_rec->client_addr.</li>
</ul>
</dd>
</dl>

53
docs/manual/mod/mod_remoteip.xml
View File

@@ -23,8 +23,8 @@
<modulesynopsis metafile="mod_remoteip.xml.meta">
<name>mod_remoteip</name>
<description>Replaces the original peer IP address for the connection
with the client IP address list presented by a proxies or a load balancer
<description>Replaces the original client IP address for the connection
with the useragent IP address list presented by a proxies or a load balancer
via the request headers.
</description>
@@ -33,26 +33,27 @@ via the request headers.
<identifier>remoteip_module</identifier>
<summary>
<p>This module is used to treat the client which initiated the
request as the originating client as identified by httpd for the
purposes of authorization and logging, even where that client is
<p>This module is used to treat the useragent which initiated the
request as the originating useragent as identified by httpd for the
purposes of authorization and logging, even where that useragent is
behind a load balancer, front end server, or proxy server.</p>
<p>The module overrides the peer IP address for the connection
with the client IP address reported in the request header configured
<p>The module overrides the client IP address for the connection
with the useragent IP address reported in the request header configured
with the <directive>RemoteIPHeader</directive> directive.</p>
<p>Once replaced as instructed, this overridden client IP address is
<p>Once replaced as instructed, this overridden useragent IP address is
then used for the <module>mod_authz_host</module>
<directive module="mod_authz_host" type="section">Require ip</directive>
feature, is reported by <module>mod_status</module>, and is recorded by
<module>mod_log_config</module> <code>%a</code> and <module>core</module>
<code>%a</code> format strings. The underlying peer IP of the connection
<code>%a</code> format strings. The underlying client IP of the connection
is available in the <code>%{c}a</code> format string.</p>
<note type="warning">It is critical to only enable this behavior from
intermediate hosts (proxies, etc) which are trusted by this server, since
it is trivial for the remote client to impersonate another client.</note>
it is trivial for the remote useragent to impersonate another
useragent.</note>
</summary>
<seealso><module>mod_authz_host</module></seealso>
@@ -61,22 +62,22 @@ via the request headers.
<section id="processing"><title>Remote IP Processing</title>
<p>Apache by default identifies the client with the connection's
peer_ip value, and the connection remote_host and remote_logname are
<p>Apache by default identifies the useragent with the connection's
client_ip value, and the connection remote_host and remote_logname are
derived from this value. These fields play a role in authentication,
authorization and logging and other purposes by other loadable
modules.</p>
<p>mod_remoteip overrides the peer IP of the connection with the
advertised client IP as provided by a proxy or load balancer, for
<p>mod_remoteip overrides the client IP of the connection with the
advertised useragent IP as provided by a proxy or load balancer, for
the duration of the request. A load balancer might establish a long
lived keepalive connection with the server, and each request will
have the correct client IP, even though the underlying peer IP
have the correct useragent IP, even though the underlying client IP
address of the load balancer remains unchanged.</p>
<p>When multiple, comma delimited client IP addresses are listed in the
<p>When multiple, comma delimited useragent IP addresses are listed in the
header value, they are processed in Right-to-Left order. Processing
halts when a given client IP address is not trusted to present the
halts when a given useragent IP address is not trusted to present the
preceding IP address. The header field is updated to this remaining
list of unconfirmed IP addresses, or if all IP addresses were trusted,
this header is removed from the request altogether.</p>
@@ -102,15 +103,15 @@ via the request headers.
<directivesynopsis>
<name>RemoteIPHeader</name>
<description>Declare the header field which should be parsed for client IP addresses</description>
<description>Declare the header field which should be parsed for useragent IP addresses</description>
<syntax>RemoteIPHeader <var>header-field</var></syntax>
<contextlist><context>server config</context><context>virtual host</context></contextlist>
<usage>
<p>The <directive>RemoteIPHeader</directive> directive triggers
<module>mod_remoteip</module> to treat the value of the specified
<var>header-field</var> header as the client IP address, or list
of intermediate client IP addresses, subject to further configuration
<var>header-field</var> header as the useragent IP address, or list
of intermediate useragent IP addresses, subject to further configuration
of the <directive>RemoteIPInternalProxy</directive> and
<directive>RemoteIPTrustedProxy</directive> directives. Unless these
other directives are used, <module>mod_remoteip</module> will trust all
@@ -135,7 +136,7 @@ via the request headers.
<usage>
<p>The <directive>RemoteIPInternalProxy</directive> directive adds one
or more addresses (or address blocks) to trust as presenting a valid
RemoteIPHeader value of the client IP. Unlike the
RemoteIPHeader value of the useragent IP. Unlike the
<directive>RemoteIPTrustedProxy</directive> directive, any IP address
presented in this header, including private intranet addresses, are
trusted when passed from these proxies.</p>
@@ -157,7 +158,7 @@ via the request headers.
<usage>
<p>The <directive>RemoteIPInternalProxyList</directive> directive specifies
a file parsed at startup, and builds a list of addresses (or address blocks)
to trust as presenting a valid RemoteIPHeader value of the client IP.</p>
to trust as presenting a valid RemoteIPHeader value of the useragent IP.</p>
<p>The '<code>#</code>' hash character designates a comment line, otherwise
each whitespace or newline separated entry is processed identically to
@@ -185,7 +186,7 @@ via the request headers.
<usage>
<p>The <directive>RemoteIPProxiesHeader</directive> directive specifies
a header into which <module>mod_remoteip</module> will collect a list of
all of the intermediate client IP addresses trusted to resolve the client
all of the intermediate client IP addresses trusted to resolve the useragent
IP of the request. Note that intermediate
<directive>RemoteIPTrustedProxy</directive> addresses are recorded in
this header, while any intermediate
@@ -207,11 +208,11 @@ via the request headers.
<usage>
<p>The <directive>RemoteIPTrustedProxy</directive> directive adds one
or more addresses (or address blocks) to trust as presenting a valid
RemoteIPHeader value of the client IP. Unlike the
RemoteIPHeader value of the useragent IP. Unlike the
<directive>RemoteIPInternalProxy</directive> directive, any intranet
or private IP address reported by such proxies, including the 10/8, 172.16/12,
192.168/16, 169.254/16 and 127/8 blocks (or outside of the IPv6 public
2000::/3 block) are not trusted as the client IP, and are left in the
2000::/3 block) are not trusted as the useragent IP, and are left in the
<directive>RemoteIPHeader</directive> header's value.</p>
<example><title>Trusted (Load Balancer) Example</title>
@@ -231,7 +232,7 @@ via the request headers.
<usage>
<p>The <directive>RemoteIPTrustedProxyList</directive> directive specifies
a file parsed at startup, and builds a list of addresses (or address blocks)
to trust as presenting a valid RemoteIPHeader value of the client IP.</p>
to trust as presenting a valid RemoteIPHeader value of the useragent IP.</p>
<p>The '<code>#</code>' hash character designates a comment line, otherwise
each whitespace or newline seperated entry is processed identically to

4
include/httpd.h
View File

@@ -1053,10 +1053,10 @@ struct conn_rec {
/** local address */
apr_sockaddr_t *local_addr;
/** remote address */
apr_sockaddr_t *peer_addr;
apr_sockaddr_t *client_addr;
/** Client's IP address */
char *peer_ip;
char *client_ip;
/** Client's DNS name, if known. NULL if DNS hasn't been checked,
* "" if it has and no address was found. N.B. Only access this though
* get_remote_host() */

2
modules/cluster/mod_heartmonitor.c
View File

@@ -761,7 +761,7 @@ static int hm_handler(request_rec *r)
buf[len] = '\0';
tbl = apr_table_make(r->pool, 10);
qs_to_table(buf, tbl, r->pool);
apr_sockaddr_ip_get(&ip, r->connection->peer_addr);
apr_sockaddr_ip_get(&ip, r->connection->client_addr);
hmserver.ip = ip;
hmserver.port = 80;
if (apr_table_get(tbl, "port") != NULL)

6
modules/echo/mod_echo.c
View File

@@ -154,7 +154,7 @@ static int process_echo_connection(conn_rec *c)
if (!APR_STATUS_IS_EOF(rv) && ! APR_STATUS_IS_TIMEUP(rv))
ap_log_error(APLOG_MARK, APLOG_INFO, rv, c->base_server, APLOGNO(01611)
"ProtocolEcho: Failure reading from %s",
c->peer_ip);
c->client_ip);
break;
}
@@ -163,7 +163,7 @@ static int process_echo_connection(conn_rec *c)
apr_brigade_cleanup(bb);
ap_log_error(APLOG_MARK, APLOG_INFO, rv, c->base_server, APLOGNO(01612)
"ProtocolEcho: Error - read empty brigade from %s!",
c->peer_ip);
c->client_ip);
break;
}
@@ -181,7 +181,7 @@ static int process_echo_connection(conn_rec *c)
if (rv != APR_SUCCESS) {
ap_log_error(APLOG_MARK, APLOG_INFO, rv, c->base_server, APLOGNO(01613)
"ProtocolEcho: Failure writing to %s",
c->peer_ip);
c->client_ip);
break;
}
apr_brigade_cleanup(bb);

4
modules/experimental/mod_noloris.c
View File

@@ -67,11 +67,11 @@ static int noloris_conn(conn_rec *conn)
/* check the IP is not banned */
shm_rec = apr_shm_baseaddr_get(shm);
while (shm_rec[0] != '\0') {
if (!strcmp(shm_rec, conn->peer_ip)) {
if (!strcmp(shm_rec, conn->client_ip)) {
apr_socket_t *csd = ap_get_conn_socket(conn);
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn, APLOGNO(02059)
"Dropping connection from banned IP %s",
conn->peer_ip);
conn->client_ip);
apr_socket_close(csd);
return DONE;

2
modules/loggers/mod_log_config.c
View File

@@ -311,7 +311,7 @@ static const char *log_remote_host(request_rec *r, char *a)
static const char *log_remote_address(request_rec *r, char *a)
{
if (a && !strcmp(a, "c")) {
return r->connection->peer_ip;
return r->connection->client_ip;
}
else {
return r->useragent_ip;

2
modules/lua/lua_request.c
View File

@@ -743,7 +743,7 @@ AP_LUA_DECLARE(void) ap_lua_push_connection(lua_State *L, conn_rec *c)
ap_lua_push_apr_table(L, c->notes);
lua_setfield(L, -2, "notes");
lua_pushstring(L, c->peer_ip);
lua_pushstring(L, c->client_ip);
lua_setfield(L, -2, "remote_ip");
lua_pop(L, 1);

6
modules/metadata/mod_ident.c
View File

@@ -101,14 +101,14 @@ static apr_status_t rfc1413_connect(apr_socket_t **newsock, conn_rec *conn,
return rv;
}
if ((rv = apr_sockaddr_info_get(&destsa, conn->peer_ip,
if ((rv = apr_sockaddr_info_get(&destsa, conn->client_ip,
localsa->family, /* has to match */
RFC1413_PORT, 0, conn->pool)) != APR_SUCCESS) {
/* This should not fail since we have a numeric address string
* as the host. */
ap_log_error(APLOG_MARK, APLOG_CRIT, rv, srv, APLOGNO(01493)
"rfc1413: apr_sockaddr_info_get(%s) failed",
conn->peer_ip);
conn->client_ip);
return rv;
}
@@ -167,7 +167,7 @@ static apr_status_t rfc1413_query(apr_socket_t *sock, conn_rec *conn,
apr_size_t buflen;
sav_our_port = conn->local_addr->port;
sav_rmt_port = conn->peer_addr->port;
sav_rmt_port = conn->client_addr->port;
/* send the data */
buflen = apr_snprintf(buffer, sizeof(buffer), "%hu,%hu\r\n", sav_rmt_port,

12
modules/metadata/mod_remoteip.c
View File

@@ -243,18 +243,18 @@ static int remoteip_modify_request(request_rec *r)
}
remote = apr_pstrdup(r->pool, remote);
temp_sa = c->peer_addr;
temp_sa = c->client_addr;
while (remote) {
/* verify c->peer_addr is trusted if there is a trusted proxy list
/* verify c->client_addr is trusted if there is a trusted proxy list
*/
if (config->proxymatch_ip) {
int i;
remoteip_proxymatch_t *match;
match = (remoteip_proxymatch_t *)config->proxymatch_ip->elts;
for (i = 0; i < config->proxymatch_ip->nelts; ++i) {
if (apr_ipsubnet_test(match[i].ip, c->peer_addr)) {
if (apr_ipsubnet_test(match[i].ip, c->client_addr)) {
internal = match[i].internal;
break;
}
@@ -356,14 +356,14 @@ static int remoteip_modify_request(request_rec *r)
req = (remoteip_req_t *) apr_palloc(r->pool, sizeof(remoteip_req_t));
}
/* Set peer_ip string */
/* Set useragent_ip string */
if (!internal) {
if (proxy_ips) {
proxy_ips = apr_pstrcat(r->pool, proxy_ips, ", ",
c->peer_ip, NULL);
c->client_ip, NULL);
}
else {
proxy_ips = c->peer_ip;
proxy_ips = c->client_ip;
}
}

14
modules/proxy/mod_proxy_http.c
View File

@@ -532,7 +532,7 @@ static int stream_reqbody_cl(apr_pool_t *p,
if (bytes_streamed != cl_val) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01087)
"client %s given Content-Length did not match"
" number of body bytes read", r->connection->peer_ip);
" number of body bytes read", r->connection->client_ip);
return HTTP_BAD_REQUEST;
}
@@ -1052,7 +1052,7 @@ int ap_proxy_http_request(apr_pool_t *p, request_rec *r,
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01094)
"client %s (%s) requested Transfer-Encoding "
"chunked body with Content-Length (C-L ignored)",
c->peer_ip, c->remote_host ? c->remote_host: "");
c->client_ip, c->remote_host ? c->remote_host: "");
apr_table_unset(r->headers_in, "Content-Length");
old_cl_val = NULL;
origin->keepalive = AP_CONN_CLOSE;
@@ -1077,7 +1077,7 @@ int ap_proxy_http_request(apr_pool_t *p, request_rec *r,
"prefetch request body failed to %pI (%s)"
" from %s (%s)",
p_conn->addr, p_conn->hostname ? p_conn->hostname: "",
c->peer_ip, c->remote_host ? c->remote_host: "");
c->client_ip, c->remote_host ? c->remote_host: "");
return HTTP_BAD_REQUEST;
}
@@ -1099,7 +1099,7 @@ int ap_proxy_http_request(apr_pool_t *p, request_rec *r,
"processing prefetched request body failed"
" to %pI (%s) from %s (%s)",
p_conn->addr, p_conn->hostname ? p_conn->hostname: "",
c->peer_ip, c->remote_host ? c->remote_host: "");
c->client_ip, c->remote_host ? c->remote_host: "");
return HTTP_INTERNAL_SERVER_ERROR;
}
@@ -1238,7 +1238,7 @@ skip_body:
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01097)
"pass request body failed to %pI (%s) from %s (%s)",
p_conn->addr, p_conn->hostname ? p_conn->hostname: "",
c->peer_ip, c->remote_host ? c->remote_host: "");
c->client_ip, c->remote_host ? c->remote_host: "");
return rv;
}
@@ -1295,8 +1295,8 @@ static request_rec *make_fake_req(conn_rec *c, request_rec *r)
rp->input_filters = c->input_filters;
rp->proto_output_filters = c->output_filters;
rp->proto_input_filters = c->input_filters;
rp->useragent_ip = c->peer_ip;
rp->useragent_addr = c->peer_addr;
rp->useragent_ip = c->client_ip;
rp->useragent_addr = c->client_addr;
rp->request_config = ap_create_request_config(pool);
proxy_run_create_req(r, rp);

10
server/core.c
View File

@@ -829,7 +829,7 @@ static APR_INLINE void do_double_reverse (conn_rec *conn)
rv = apr_sockaddr_info_get(&sa, conn->remote_host, APR_UNSPEC, 0, 0, conn->pool);
if (rv == APR_SUCCESS) {
while (sa) {
if (apr_sockaddr_equal(sa, conn->peer_addr)) {
if (apr_sockaddr_equal(sa, conn->client_addr)) {
conn->double_reverse = 1;
return;
}
@@ -871,7 +871,7 @@ AP_DECLARE(const char *) ap_get_remote_host(conn_rec *conn, void *dir_config,
&& (type == REMOTE_DOUBLE_REV
|| hostname_lookups != HOSTNAME_LOOKUP_OFF)) {
if (apr_getnameinfo(&conn->remote_host, conn->peer_addr, 0)
if (apr_getnameinfo(&conn->remote_host, conn->client_addr, 0)
== APR_SUCCESS) {
ap_str_tolower(conn->remote_host);
@@ -910,7 +910,7 @@ AP_DECLARE(const char *) ap_get_remote_host(conn_rec *conn, void *dir_config,
}
else {
*str_is_ip = 1;
return conn->peer_ip;
return conn->client_ip;
}
}
}
@@ -4497,7 +4497,7 @@ static conn_rec *core_create_conn(apr_pool_t *ptrans, server_rec *server,
}
apr_sockaddr_ip_get(&c->local_ip, c->local_addr);
if ((rv = apr_socket_addr_get(&c->peer_addr, APR_REMOTE, csd))
if ((rv = apr_socket_addr_get(&c->client_addr, APR_REMOTE, csd))
!= APR_SUCCESS) {
ap_log_error(APLOG_MARK, APLOG_INFO, rv, server, APLOGNO(00138)
"apr_socket_addr_get(APR_REMOTE)");
@@ -4505,7 +4505,7 @@ static conn_rec *core_create_conn(apr_pool_t *ptrans, server_rec *server,
return NULL;
}
apr_sockaddr_ip_get(&c->peer_ip, c->peer_addr);
apr_sockaddr_ip_get(&c->client_ip, c->client_addr);
c->base_server = server;
c->id = id;

8
server/log.c
View File

@@ -565,8 +565,8 @@ static int log_remote_address(const ap_errorlog_info *info, const char *arg,
return apr_snprintf(buf, buflen, "%s:%d", info->r->useragent_ip,
info->r->useragent_addr->port);
else if (info->c)
return apr_snprintf(buf, buflen, "%s:%d", info->c->peer_ip,
info->c->peer_addr->port);
return apr_snprintf(buf, buflen, "%s:%d", info->c->client_ip,
info->c->client_addr->port);
else
return 0;
}
@@ -962,7 +962,7 @@ static int do_errorlog_default(const ap_errorlog_info *info, char *buf,
}
/*
* useragent_ip/peer_ip can be client or backend server. If we have
* useragent_ip/client_ip can be client or backend server. If we have
* a scoreboard handle, it is likely a client.
*/
if (info->r) {
@@ -973,7 +973,7 @@ static int do_errorlog_default(const ap_errorlog_info *info, char *buf,
else if (info->c) {
len += apr_snprintf(buf + len, buflen - len,
info->c->sbh ? "[client %s:%d] " : "[remote %s:%d] ",
info->c->peer_ip, info->c->peer_addr->port);
info->c->client_ip, info->c->client_addr->port);
}
/* the actual error message */

4
server/protocol.c
View File

@@ -976,8 +976,8 @@ request_rec *ap_read_request(conn_rec *conn)
*/
r->used_path_info = AP_REQ_DEFAULT_PATH_INFO;
r->useragent_addr = conn->peer_addr;
r->useragent_ip = conn->peer_ip;
r->useragent_addr = conn->client_addr;
r->useragent_ip = conn->client_ip;
tmp_bb = apr_brigade_create(r->pool, r->connection->bucket_alloc);

4
server/util_expr_eval.c
View File

@@ -1208,7 +1208,7 @@ static const char *conn_var_fn(ap_expr_eval_ctx_t *ctx, const void *data)
case 1:
#if APR_HAVE_IPV6
{
apr_sockaddr_t *addr = c->peer_addr;
apr_sockaddr_t *addr = c->client_addr;
if (addr->family == AF_INET6
&& !IN6_IS_ADDR_V4MAPPED((struct in6_addr *)addr->ipaddr_ptr))
return "on";
@@ -1221,7 +1221,7 @@ static const char *conn_var_fn(ap_expr_eval_ctx_t *ctx, const void *data)
case 2:
return c->log_id;
case 3:
return c->peer_ip;
return c->client_ip;
default:
ap_assert(0);
return NULL;

2
server/util_script.c
View File

@@ -243,7 +243,7 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r)
apr_table_addn(e, "SERVER_ADMIN", s->server_admin); /* Apache */
apr_table_addn(e, "SCRIPT_FILENAME", r->filename); /* Apache */
rport = c->peer_addr->port;
rport = c->client_addr->port;
apr_table_addn(e, "REMOTE_PORT", apr_itoa(r->pool, rport));
if (r->user) {