proxy with a specific source IP?

on 29.04.2004 22:44:13 by Geff

All,

I've done quite a bit of reading looking for config options to do what I want
and I haven't found anything. Do any of you know if something like this can be
done, or if I should try to write a "hack/patch". If nothing exists, would anyone
find this feature useful? What module would be the best place for this type of
feature?

Given a proxy server with 4 IPs:

A - VirtualHost1
B - VirtualHost2
C - SourceIP1
D - SourceIP2

And two destination servers:

E - Dest1
F - Dest2

And given a proxy config that listens on A and B and proxies to E and F, I would
like the connection to the destination servers (E & F) to be placed from IPs C
and D respectively. Is that possible?

I guess what I'm looking for is a ProxyPass directive that allows me to specify
the source IP to use when connecting to the remote server.

So perhaps a table of what we desire:

ProxyVirtualHostIP ProxySourceIP DestinationServer
A C E
B D F

Does an option like this exist? Would it be best implemented in mod_proxy or is
there another module that takes care of IP connections with other hosts that
could be used? We would like to use it so that we may source route certain
requests over different firewalls. So think about 3 sites: gold, silver,
bronze. Where all would share one set of RPs, but not the same set of
firewall/router infrastructure. So the routers would do source based routing
and direct the traffic through the proper firewall. I'm sure many of you think
this is as much overkill as I do. :) You know how that goes....

Thanks for your help and help,

Geff

Re: proxy with a specific source IP?

on 29.04.2004 23:12:52 by Carsten Gaebler

Geff wrote:
> I guess what I'm looking for is a ProxyPass directive that allows me to specify
> the source IP to use when connecting to the remote server.
>
> So perhaps a table of what we desire:
>
> ProxyVirtualHostIP ProxySourceIP DestinationServer
> A C E
> B D F

I guess this can't be done with mod_proxy but you could configure your
routing table like this:

ip route add E dev eth0 src C
ip route add F dev eth0 src D

At least this is how it works on Linux provided that eth0 holds C and D.
Note that this applies to *all* connections to E and F, not only
those originating from Apache.

Hope this helps.

cg.

Re: proxy with a specific source IP?

on 29.04.2004 23:18:11 by boing

Quoting Carsten Gaebler:
> Geff wrote:
> > So perhaps a table of what we desire:
> >
> > ProxyVirtualHostIP ProxySourceIP DestinationServer
> > A C E
> > B D F
>
> ip route add E dev eth0 src C
> ip route add F dev eth0 src D
>
> At least this is how it works on Linux provided that eth0 holds C and D.
> Note that this applies to *all* connections to E and F, not only
> those originating from Apache.
>
> Hope this helps.

Wow, yes thanks! Now if only we weren't running Solaris. :) That's definitely
an option tho, I really appreciate the feedback.

Geff

Re: proxy with a specific source IP?

on 05.06.2004 18:31:15 by Richard Birkett

On Thu, 29 Apr 2004 at 13:44 -0700, Geff wrote:

> I've done quite a bit of reading looking for config options to do what I want
> and I haven't found anything. Do any of you know if something like this can be
> done, or if I should try to write a "hack/patch".

I've just submitted (as 'bug' 29404) a patch I've been using successfully
for a few years now.

There was also a brief discussion on this list back in November, with a
partial patch which changed the proxy source address to be the same as the
enclosing VirtualHost's listen address.

My patch adds a new per-VirtualHost configuration directive
ProxySourceAddress, which takes a single IP address. This needs to be an
existing interface address on the local machine, of course, otherwise the
bind() call will fail. It'll accept any format understood by
apr_sockaddr_info_get(), including a hostname, although that's probably to
be discouraged for performance reasons if nothing else (and it may not do
what you expect if a hostname resolves to more than one IP address!).

> Given a proxy server with 4 IPs:
>
> A - VirtualHost1
> B - VirtualHost2
> C - SourceIP1
> D - SourceIP2
>
> And two destination servers:
>
> E - Dest1
> F - Dest2
>
> And given a proxy config that listens on A and B and proxies to E and F, I would
> like the connection to the destination servers (E & F) to be placed from IPs C
> and D respectively. Is that possible?

With the patch, your setup could be configured as follows:


<VirtualHost A>
ProxySourceAddress C
ProxyPass / http://E/
</VirtualHost>

<VirtualHost B>
ProxySourceAddress D
ProxyPass / http://F/
</VirtualHost>



Share+enjoy :)

Richard

Re: proxy with a specific source IP?

on 07.06.2004 22:41:41 by Geff

Quoting Richard Birkett:
> With the patch, your setup could be configured as follows:
>
> <VirtualHost A>
> ProxySourceAddress C
> ProxyPass / http://E/
> </VirtualHost>
>
> <VirtualHost B>
> ProxySourceAddress D
> ProxyPass / http://F/
> </VirtualHost>


All,

Wow, that's great. Any chance of getting that included in the main dist?

Does that patch work in 2.0 and 1.3?

Geff

Re: proxy with a specific source IP?

on 08.06.2004 20:20:01 by Richard Birkett

On Mon, 7 Jun 2004 at 13:41 -0700, Geff wrote:

> Does that patch work in 2.0 and 1.3?

It should apply cleanly to recent checkouts of 2.0 (with a few lines
offset).

The 1.3 version is a little different because some of the ap_* structures
and methods changed between 1.3 and 2.0. I've not maintained it since I
switched to using 2.0 in 2002, so it may be a bit crufty, but I've just
resynced the changes against the 1.3 CVS HEAD and uploaded the diff (same
'bug' in Bugzilla, 29404).

Richard

Re: proxy with a specific source IP?

on 08.06.2004 20:24:20 by Geff

Quoting Richard Birkett:
> It should apply cleanly to recent checkouts of 2.0 (with a few lines
> offset).

Thanks much. More reason to go to 2.0 :).

Geff