how to bind mod_proxy to a specific ip address?

on 11.11.2003 11:34:37 by Cahya Wirawan

Hi,
The following is my virtualhost configuration:

Listen 192.168.0.2:80
NameVirtualHost 192.168.0.2:80

ServerName abc.mydomain.org
ProxyPass / http://def.mydomain.org/
ProxyPassReverse / http://def.mydomain.org/


The main IP address of my interface is 192.168.0.1 (eth0), and
192.168.0.2 is only an alias on the same interface (eth0:0).
Everything is fine: 192.168.0.2 listens on port 80, and a request to
this IP address with the Host header abc.mydomain.org will be proxied to
def.mydomain.org. The only problem is that def.mydomain.org gets the
HTTP request from IP address 192.168.0.1, and not from 192.168.0.2.
So, how can I tell Apache to use 192.168.0.2 instead of 192.168.0.1
if it makes an HTTP request to def.mydomain.org?

thanks for any help,
cahya.

Re: how to bind mod_proxy to a specific ip address?

on 11.11.2003 11:59:06 by Graham Leggett

Cahya Wirawan wrote:

> following is my virtualhost configuration:
>
> Listen 192.168.0.2:80
> NameVirtualHost 192.168.0.2:80
>
> ServerName abc.mydomain.org
> ProxyPass / http://def.mydomain.org/
> ProxyPassReverse / http://def.mydomain.org/
>

>
> and the main ip address of my interface is 192.168.0.1 (eth0), and
> 192.168.0.2 is only an alias to the same interface (eth0:0), .
> everything is fine, 192.168.0.2 listen to port 80, and the request to
> this ip address with host header abc.mydomain.org will be proxied to
> def.mydomain.org. The only problem is that def.mydomain.org get
> http request from ip address 192.168.0.1 , and not from 192.168.0.2.
> So, how can I tell apache to use 192.168.0.2 instead of 192.168.0.1
> if it makes http request to def.mydomain.org ?

This isn't a proxy specific issue, as a result you'll probably get a
better response if you ask this question on the dev@httpd.apache.org
mailing list.

I am not aware that this is possible - you would need a mechanism to
specify the source address, and this is an OS specific thing to my
knowledge. If you ask on the dev list, you'll probably get a better
explanation.

Regards,
Graham
--

Re: how to bind mod_proxy to a specific ip address?

on 11.11.2003 12:24:31 by kjha

It could be a gateway issue in your routing table ("netstat -r").
Try a "traceroute def.mydomain.org".
You may want to add a direct path for your IP of 192.168.0.2 to
def.mydomain.org.

----- Original Message -----
From: "Cahya Wirawan"
To:
Sent: Tuesday, November 11, 2003 4:04 PM
Subject: how to bind mod_proxy to a specific ip address?


> Hi,
> following is my virtualhost configuration:
>
> Listen 192.168.0.2:80
> NameVirtualHost 192.168.0.2:80
>
> ServerName abc.mydomain.org
> ProxyPass / http://def.mydomain.org/
> ProxyPassReverse / http://def.mydomain.org/
>

>
> and the main ip address of my interface is 192.168.0.1 (eth0), and
> 192.168.0.2 is only an alias to the same interface (eth0:0), .
> everything is fine, 192.168.0.2 listen to port 80, and the request to
> this ip address with host header abc.mydomain.org will be proxied to
> def.mydomain.org. The only problem is that def.mydomain.org get
> http request from ip address 192.168.0.1 , and not from 192.168.0.2.
> So, how can I tell apache to use 192.168.0.2 instead of 192.168.0.1
> if it makes http request to def.mydomain.org ?
>
> thanks for any help,
> cahya.
>

Re: how to bind mod_proxy to a specific ip address?

on 11.11.2003 14:29:32 by Eli Marmor

Sorry for disagreeing, but of course it is a proxy specific issue; as
far as I know, no other module connects to another server (ignoring
mod_rewrite which uses mod_proxy for this purpose).

And as the original sender hinted by the "Subject" header, it is easy
to implement: just "bind()" the required IP into the socket before
calling "apr_connect()" (it may require a minor fix in APR, I'm not
sure).

Port number should be left 0, to let the kernel choose its own
ephemeral port.

I believe that we should give more attention to this question. In my
first look, it is easy to add directives ("ProxyIP"/"ProxyHost"?) and
code to implement it ("bind()"), and it looks useful for some needs.

Even without the additional directive, when the original request
reached a specific vhost, it would make sense to bind the outgoing
socket to the IP of that vhost (as the original sender wished).

Graham Leggett wrote:
>
> Cahya Wirawan wrote:
>
> > following is my virtualhost configuration:
> >
> > Listen 192.168.0.2:80
> > NameVirtualHost 192.168.0.2:80
> >
> > ServerName abc.mydomain.org
> > ProxyPass / http://def.mydomain.org/
> > ProxyPassReverse / http://def.mydomain.org/
> >

> >
> > and the main ip address of my interface is 192.168.0.1 (eth0), and
> > 192.168.0.2 is only an alias to the same interface (eth0:0), .
> > everything is fine, 192.168.0.2 listen to port 80, and the request to
> > this ip address with host header abc.mydomain.org will be proxied to
> > def.mydomain.org. The only problem is that def.mydomain.org get
> > http request from ip address 192.168.0.1 , and not from 192.168.0.2.
> > So, how can I tell apache to use 192.168.0.2 instead of 192.168.0.1
> > if it makes http request to def.mydomain.org ?
>
> This isn't a proxy specific issue, as a result you'll probably get a
> better response if you ask this question on the dev@httpd.apache.org
> mailing list.
>
> I am not aware that this is possible - you would need a mechanism to
> specify the source address, and this is an OS specific thing to my
> knowledge. If you ask on the dev list, you'll probably get a better
> explanation.

--
Eli Marmor
marmor@netmask.it
CTO, Founder
Netmask (El-Mar) Internet Technologies Ltd.
__________________________________________________________
Tel.: +972-9-766-1020 8 Yad-Harutzim St.
Fax.: +972-9-766-1314 P.O.B. 7004
Mobile: +972-50-23-7338 Kfar-Saba 44641, Israel

Re: how to bind mod_proxy to a specific ip address?

on 11.11.2003 14:38:31 by Eli Marmor

I wrote:

> ...
> And as the original sender hinted by the "Subject" header, it is easy
> to implement: just "bind()" the required IP into the socket before
> calling "apr_connect()" (it may require a minor fix in APR, I'm not
> sure).

After looking at srclib/apr/network_io/unix/sockets.c and
srclib/apr/network_io/win32/sockets.c, I believe that the feature
request is doable, and doesn't require any change in APR, but only in
files belonging to modules/proxy.

--
Eli Marmor
marmor@netmask.it
CTO, Founder
Netmask (El-Mar) Internet Technologies Ltd.
__________________________________________________________
Tel.: +972-9-766-1020 8 Yad-Harutzim St.
Fax.: +972-9-766-1314 P.O.B. 7004
Mobile: +972-50-23-7338 Kfar-Saba 44641, Israel

Re: how to bind mod_proxy to a specific ip address?

on 11.11.2003 17:28:50 by Cahya Wirawan

On Tue, Nov 11, 2003 at 03:29:32PM +0200, Eli Marmor wrote:
> Sorry for disagreeing, but of course it is a proxy specific issue; As
> far as I know, no other module connects to another server (ignoring
> mod_rewrite which uses mod_proxy for this purpose).
>
> And as the original sender hinted by the "Subject" header, it is easy
> to implement: just "bind()" the required IP into the socket before
> calling "apr_connect()" (it may require a minor fix in APR, I'm not
> sure).
>
> Port number should be left 0, to let the kernel choose its own
> ephemeral port.
>
> I believe that we should give more attention to this question. In my
> first look, it is easy to add directives ("ProxyIP"/"ProxyHost"?) and
> code to implement it ("bind()"), and it looks useful for some needs.
>
> Even without the additional directive, when the original request
> reached to a specific vhost, it would make sense to bind the outgoing
> socket to the IP of that vhost (as the original sender wished).
>

Thanks,
such a feature would help me a lot and would also be very useful for some others.
My problem here is that I want to replace a reverse proxy server with another
server; everything has already been set up for years (firewall rules, rules in the
backend web server...). It is easy to take over the destination IP address of
the reverse proxy from the old one to the new one: I just need to make an
alias with ifconfig and put this IP address in the Apache configuration.
But if mod_proxy uses another IP address to connect to the backend
server, we also have to do something with the firewall rules, and we also have
to take care of the access control lists on every backend server, and if I am not
careful enough, it will break the security just because the reverse proxy
has a different IP address to connect to the backend server.

So, if it is possible to bind mod_proxy to a specific IP address, or at least
the same IP address as defined in the virtual host, the transition to the
new server will be much easier.

thanks again,
cahya.

Re: how to bind mod_proxy to a specific ip address?

on 11.11.2003 17:38:17 by Cahya Wirawan

And actually Squid has this possibility to specify the source
IP address from which it connects to an external web server. Also,
it is not really an OS-specific question.

cahya.

Re: how to bind mod_proxy to a specific ip address?

on 11.11.2003 18:29:14 by wrowe

At 07:29 AM 11/11/2003, Eli Marmor wrote:
>Sorry for disagreeing, but of course it is a proxy specific issue; As
>far as I know, no other module connects to another server (ignoring
>mod_rewrite which uses mod_proxy for this purpose).
>
>And as the original sender hinted by the "Subject" header, it is easy
>to implement: just "bind()" the required IP into the socket before
>calling "apr_connect()" (it may require a minor fix in APR, I'm not
>sure).
>
>Port number should be left 0, to let the kernel choose its own
>ephemeral port.

This will work just fine. An option to go out another adapter would be
very cool (specific IP address.) An option to constrain the ports might
also be useful (for firewall traversal issues). But no changes are required
in apr - I solved a similar problem 3 weeks ago.

apr_bind() is the answer. Bind to what, exactly, that is the question :)

Bill

Re: how to bind mod_proxy to a specific ip address?

on 11.11.2003 19:01:51 by Graham Leggett

Cahya Wirawan wrote:

> And actually Squid has this possibility to specify the source
> ip address from where it connect to external web server. Also
> it is not really OS specific question.

True, but this isn't a proxy specific question either - thus the advice
to try the main Apache dev list dev@httpd.apache.org. Either Apache can
do it already, or it might be shown that Apache needs to be able to do it.

Regards,
Graham
--

Re: how to bind mod_proxy to a specific ip address?

on 11.11.2003 19:03:59 by Graham Leggett

Eli Marmor wrote:

> Sorry for disagreeing, but of course it is a proxy specific issue; As
> far as I know, no other module connects to another server (ignoring
> mod_rewrite which uses mod_proxy for this purpose).

Ok, I was under the impression for some reason the reference was to the
frontside connection not the backside connection - my bad, sorry.

Regards,
Graham
--

Re: how to bind mod_proxy to a specific ip address?

on 12.11.2003 00:46:44 by Eli Marmor

Graham Leggett wrote:
>
> Eli Marmor wrote:
>
> > Sorry for disagreeing, but of course it is a proxy specific issue; As
> > far as I know, no other module connects to another server (ignoring
> > mod_rewrite which uses mod_proxy for this purpose).
>
> Ok, I was under the impression for some reason the reference was to the
> frontside connection not the backside connection - my bad, sorry.

Now it makes sense.
And I thought, for a minute, that the proxy guru is wrong.
So I even checked myself twice before sending the response.
Because it looked impossible for me that Graham was wrong.
So finally both of our answers were right, though not for the same
question... ;-)

And - Graham - after all the things you've done to mod_proxy, you really
don't have to apologize; We all owe you a lot!

--
Eli Marmor
marmor@netmask.it
CTO, Founder
Netmask (El-Mar) Internet Technologies Ltd.
__________________________________________________________
Tel.: +972-9-766-1020 8 Yad-Harutzim St.
Fax.: +972-9-766-1314 P.O.B. 7004
Mobile: +972-50-23-7338 Kfar-Saba 44641, Israel

Re: how to bind mod_proxy to a specific ip address?

on 13.11.2003 21:38:54 by Cahya Wirawan

On Tue, Nov 11, 2003 at 03:38:31PM +0200, Eli Marmor wrote:
> I wrote:
>
> > ...
> > And as the original sender hinted by the "Subject" header, it is easy
> > to implement: just "bind()" the required IP into the socket before
> > calling "apr_connect()" (it may require a minor fix in APR, I'm not
> > sure).
>
> After looking at srclib/apr/network_io/unix/sockets.c and
> srclib/apr/network_io/win32/sockets.c, I believe that the feature
> request is doable, and doesn't require any change in APR, but only in
> files belong to modules/proxy.
>

Hi,
Because I want to try this feature in the next days, I tried to change
mod_proxy myself. But since I have no experience with mod_proxy
programming at all, I would like you to correct my change or tell
me if the change can have a bad side effect. My change will bind
mod_proxy to the IP address defined in VirtualHost, and it works
here at least.
The change is only in proxy_util.c; here is the patch:
____________________________________________
diff -Naur httpd-2.0.48/modules/proxy/proxy_util.c httpd-2.0.48-new/modules/proxy/proxy_util.c
--- httpd-2.0.48/modules/proxy/proxy_util.c 2003-11-12 18:20:06.000000000 +0100
+++ httpd-2.0.48-new/modules/proxy/proxy_util.c 2003-11-13 21:08:31.000000000 +0100
@@ -1162,6 +1162,8 @@
apr_pool_t *p)
{
apr_status_t rv;
+ apr_status_t err;
+ apr_sockaddr_t *vhost_addr;
int connected = 0;
int loglevel;
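
Review bot: the added `apr_status_t err;` sits directly under the existing `apr_status_t rv;` and holds the same kind of value. Reuse `rv` for the new calls and drop `err`, so the function keeps a single status variable and there is no second one that can be set and then forgotten.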

@@ -1181,6 +1183,10 @@
backend_addr = backend_addr->next;
continue;
}
+
+ err = apr_sockaddr_info_get(&vhost_addr, s->addrs->virthost,
+ APR_UNSPEC, 0, 0, p);
+ apr_socket_bind(*newsock, vhost_addr);

#if !defined(TPF) && !defined(BEOS)
if (conf->recv_buffer_size > 0 &&
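
Review bot: neither new call has its result checked: `err` is assigned from `apr_sockaddr_info_get()` and never read, and the return value of `apr_socket_bind(*newsock, vhost_addr)` is discarded. If the lookup fails, `vhost_addr` is passed to the bind uninitialised; if the bind fails, the connect goes ahead from the default source address, which is the case the backend firewall rules and access lists described in this thread are meant to exclude. Test both results, log the failure, and skip the attempt (as the `continue` path just above does) instead of carrying on.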
_____________________________________________


Thanks,
cahya

Re: how to bind mod_proxy to a specific ip address?

on 13.11.2003 21:49:03 by Ian Holsman

On 14/11/2003, at 7:38 AM, Cahya Wirawan wrote:

> On Tue, Nov 11, 2003 at 03:38:31PM +0200, Eli Marmor wrote:
>> I wrote:
>>
>>> ...
>>> And as the original sender hinted by the "Subject" header, it is easy
>>> to implement: just "bind()" the required IP into the socket before
>>> calling "apr_connect()" (it may require a minor fix in APR, I'm not
>>> sure).
>>
>> After looking at srclib/apr/network_io/unix/sockets.c and
>> srclib/apr/network_io/win32/sockets.c, I believe that the feature
>> request is doable, and doesn't require any change in APR, but only in
>> files belong to modules/proxy.
>>
>
> Hi,
> Because I want to try this feature in next days, I tried to change
> the mod_proxy myself. but since I have no experience with mod_proxy
> programming at all, I would like you to correct my change or tell
> me if the change can have a bad side effect. my change will bind
> mod_proxy to the ip address defined in VirtualHost, and it works
> here at least.
> The change is only in the proxy_util.c , here is the patch:
> ____________________________________________
> diff -Naur httpd-2.0.48/modules/proxy/proxy_util.c
> httpd-2.0.48-new/modules/proxy/proxy_util.c
> --- httpd-2.0.48/modules/proxy/proxy_util.c 2003-11-12
> 18:20:06.000000000 +0100
> +++ httpd-2.0.48-new/modules/proxy/proxy_util.c 2003-11-13
> 21:08:31.000000000 +0100
> @@ -1162,6 +1162,8 @@
> apr_pool_t *p)
> {
> apr_status_t rv;
> + apr_status_t err;
> + apr_sockaddr_t *vhost_addr;
> int connected = 0;
> int loglevel;
>
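
Review bot: `apr_sockaddr_t *vhost_addr;` is declared without an initialiser. Start it at NULL so that the code which later binds to it can test for a missing address instead of reading an indeterminate pointer.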
> @@ -1181,6 +1183,10 @@
> backend_addr = backend_addr->next;
> continue;
> }
> +
> + err = apr_sockaddr_info_get(&vhost_addr, s->addrs->virthost,
> + APR_UNSPEC, 0, 0, p);
> + apr_socket_bind(*newsock, vhost_addr);
>

Two points.
Where are you specifying *which* IP you want to bind to?
Are you relying on the request coming in on the same IP# your request
should be going out on?

'err' isn't required, just use 'rv', and CHECK the result code it
returns (and put an errorlog line if it fails).
You'll thank me in 2 months when something weird happens ;-)

> #if !defined(TPF) && !defined(BEOS)
> if (conf->recv_buffer_size > 0 &&
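
Review bot: the lookup of `s->addrs->virthost` is added after the `backend_addr = backend_addr->next; continue;` lines, that is, inside the per-backend-address retry path, so the same vhost name is resolved again on every attempt; resolve it once before the loop. The expression also dereferences `s->addrs` without a NULL test and uses only the first entry, so a vhost with several addresses always goes out from the first one; the patch should say so, or pick the address the request arrived on.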
> _____________________________________________
>
>
> Thanks,
> cahya
>
>
--
Ian Holsman
Director
Network Management Systems
CNET Networks
PH: (61) 3-9857-3742 (Australia)/ 415-344-2608 (USA)
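
The bind-before-connect approach from this thread (bind the source IP with port 0, then connect, checking every result), shown with plain POSIX sockets as an added example; it is not code from the thread, APR or mod_proxy. `connect_from` and `backend_sees` are hypothetical names, and 127.0.0.2 on Linux loopback is a constructed stand-in for the alias address.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Added example (plain POSIX sockets, not APR or mod_proxy code).
 * connect_from: connect to dst_ip:dst_port with src_ip as the source address.
 * Fails closed: returns -1 without connecting if src_ip cannot be bound. */
int connect_from(const char *src_ip, const char *dst_ip, unsigned short dst_port)
{
    struct sockaddr_in src = {0}, dst = {0};
    src.sin_family = dst.sin_family = AF_INET;
    src.sin_port = htons(0);            /* 0: kernel picks the ephemeral port */
    dst.sin_port = htons(dst_port);
    if (inet_pton(AF_INET, src_ip, &src.sin_addr) != 1 ||
        inet_pton(AF_INET, dst_ip, &dst.sin_addr) != 1)
        return -1;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if (bind(fd, (struct sockaddr *)&src, sizeof src) != 0 ||
        connect(fd, (struct sockaddr *)&dst, sizeof dst) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed loopback check: a listener on 127.0.0.1 plays the backend and
 * writes the client address it sees into out. Returns 0 on success. */
int backend_sees(const char *src_ip, char *out, socklen_t outlen)
{
    struct sockaddr_in la = {0}, peer;
    socklen_t len = sizeof la;
    int rc = -1, cfd = -1, afd = -1;
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0) return -1;
    la.sin_family = AF_INET;
    la.sin_addr.s_addr = htonl(INADDR_LOOPBACK);    /* port 0: any free port */
    if (bind(lfd, (struct sockaddr *)&la, sizeof la) == 0 && listen(lfd, 1) == 0 &&
        getsockname(lfd, (struct sockaddr *)&la, &len) == 0 &&
        (cfd = connect_from(src_ip, "127.0.0.1", ntohs(la.sin_port))) >= 0) {
        len = sizeof peer;
        afd = accept(lfd, (struct sockaddr *)&peer, &len);
        if (afd >= 0 && inet_ntop(AF_INET, &peer.sin_addr, out, outlen) != NULL)
            rc = 0;
    }
    if (afd >= 0) close(afd);
    if (cfd >= 0) close(cfd);
    close(lfd);
    return rc;
}

int main(void)
{
    char seen[INET_ADDRSTRLEN];     /* 127.0.0.2 stands in for the alias IP */
    if (backend_sees("127.0.0.2", seen, sizeof seen) == 0)
        printf("backend saw source %s\n", seen);
    return 0;
}
```

Because a failed bind returns before `connect()` is reached, a missing alias address shows up as a connection error on the proxy rather than as traffic arriving at the backend from an address its access lists do not expect.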

Re: how to bind mod_proxy to a specific ip address?

on 14.11.2003 10:34:20 by Eli Marmor

Ian Holsman wrote:
>
> On 14/11/2003, at 7:38 AM, Cahya Wirawan wrote:
>
> > On Tue, Nov 11, 2003 at 03:38:31PM +0200, Eli Marmor wrote:
> >> I wrote:
> >>
> >>> ...
> >
>
> two points.
> where are you specifying *which* ip you want to bind to.
> are you relying on the request coming in on the same ip# your request
> should be going out on?

After his patch is working, the next step is to define a directive to
control this behavior.

This directive will define the IP (or hostname), and will have 2
special keywords, one for the default IP of the machine (i.e. "don't
bind to anything"), and the second for the IP of the current vhost
(i.e. what his patch is doing currently).

The only decision that will remain after that, is what to define as the
default value of this directive; If you ask me, I think that the IP of
the vhost should be the default. It makes more sense than the default
IP of the machine.

--
Eli Marmor
marmor@netmask.it
CTO, Founder
Netmask (El-Mar) Internet Technologies Ltd.
__________________________________________________________
Tel.: +972-9-766-1020 8 Yad-Harutzim St.
Fax.: +972-9-766-1314 P.O.B. 7004
Mobile: +972-50-23-7338 Kfar-Saba 44641, Israel

Re: how to bind mod_proxy to a specific ip address?

on 14.11.2003 10:39:30 by Eli Marmor

I wrote:
>
> Ian Holsman wrote:
> >
> > On 14/11/2003, at 7:38 AM, Cahya Wirawan wrote:
> >
> > > On Tue, Nov 11, 2003 at 03:38:31PM +0200, Eli Marmor wrote:
> > >> I wrote:
> > >>
> > >>> ...
> > >
> >
> > two points.
> > where are you specifying *which* ip you want to bind to.
> > are you relying on the request coming in on the same ip# your request
> > should be going out on?
>
> After his patch is working, the next step is to define a directive to
> control this behavior.
>
> This directive will define the IP (or hostname), and will have 2
> special keywords, one for the default IP of the machine (i.e. "don't
> bind to anything"), and the second for the IP of the current vhost
> (i.e. what his patch is doing currently).
>
> The only decision that will remain after that, is what to define as the
> default value of this directive; If you ask me, I think that the IP of
> the vhost should be the default. It makes more sense than the default
> IP of the machine.

I take my words back:

If bind() involves a sys-call, then the current behavior ("don't bind
to anything") should remain the default. Because of performance reasons
of course.

--
Eli Marmor
marmor@netmask.it
CTO, Founder
Netmask (El-Mar) Internet Technologies Ltd.
__________________________________________________________
Tel.: +972-9-766-1020 8 Yad-Harutzim St.
Fax.: +972-9-766-1314 P.O.B. 7004
Mobile: +972-50-23-7338 Kfar-Saba 44641, Israel