mod_proxyand client IP addresses

mod_proxyand client IP addresses

am 06.04.2004 15:34:24 von Marco Muishout

Hi,

We have an international INTRANET web+appserver setup with local clients, local
proxy caches and a central web application server.

* We use the proxy caches on loca lsites to serve static data to local clients,
to relieve WAN link bandwidth and latency issues.

The central app server does only communications coming from the caching proxy
server - the actual client addresses are invisible.

OUR PROBLEM IS that one specific action requires local clients to contact the
central server directly. Because all but this specific communication runs
through the proxy server, this client action is denied by the central appserver
because it does not acknowledge the client IP address (the appserver only talks
to the proxy). Action fails.

I can only think of one way to solve this:
Make the caching fully transparent to the central server - in this case, the
central server thinks it is talking directly to the client. But - proxy traffic
hides all client IP information.

If I would accomplish fooling the central server thinking it is talking to the
client directly (I would be IP spoofing I guess, using mod_ip_forwarding?)
would my client accept responses from the central server while the original
request went to the proxy server? Would my client TCP stack accept that?

Any info is highly appreciated. Customizing the webapp is highly undesireable :-
(

Re: mod_proxy and client IP addresses

am 06.04.2004 16:11:12 von Daniel Lopez

> OUR PROBLEM IS that one specific action requires local clients to contact the
> central server directly. Because all but this specific communication runs
> through the proxy server, this client action is denied by the central appserver
> because it does not acknowledge the client IP address (the appserver only talks
> to the proxy). Action fails.
[snip]

> If I would accomplish fooling the central server thinking it is talking to the
> client directly (I would be IP spoofing I guess, using mod_ip_forwarding?)
> would my client accept responses from the central server while the original
> request went to the proxy server? Would my client TCP stack accept that?

You can do this at the HTTP level. The proxy is transmitting the client IP
in its headers, you just need to fool the central server into thinking the
request is coming from a differnet IP. This module does just that :
http://stderr.net/apache/rpaf/

It replaces the proxy IP address with the client IP address in the appropriate
places duing the internal Apache request processing

Best regards

Daniel

--
Teach Yourself Apache 2 -- http://apacheworld.org/ty24/