ProxyPass dns issues

ProxyPass dns issues

am 10.02.2003 11:45:03 von Federico Mennite

Hi,
while setting up apache as an ssl proxy to some backend servers I
noticed that a reverse lookup is performed for each new connection to
the internal server.

I wondered if it was possible to prevent this but by looking at the
source code of mod_proxy it doesn't seem so.

As a workaround I've added the internal server's ip addresses to /etc/hosts.
IMHO the reverse lookup should be made avoidable from the configuration
file. (Maybe it should be made avoidable completely, unless I'm missing
a possible reason to reverse lookup there...)

Regards.

--
Federico Mennite
Lifeware AG

Re: ProxyPass dns issues (more details)

am 12.02.2003 15:10:56 von Federico Mennite

Federico Mennite wrote:
> Hi,
> while setting up apache as an ssl proxy to some backend servers I
> noticed that a reverse lookup is performed for each new connection to
> the internal server.
>
> I wondered if it was possible to prevent this but by looking at the
> source code of mod_proxy it doesn't seem so.
I tested it on apache 1.3.26 on a linux system. It should be the same
for 1.3.27 since, by looking at the cvs, nothing changed in the involved
areas.
Apache 2 behaves in the same way.


Relevant configuration options:

HostnameLookups Off
Listen 192.168.1.1:443

ServerName some.host.com
SSLEngine On
SSLCertificateFile /opt/apache/conf/ssl.crt/my.crt
SSLCertificateKeyFile /opt/apache/conf/ssl.key/my.key
ProxyPass / http://192.168.2.1:80/
ProxyPassReverse / http://192.168.2.1:80/




> As a workaround I've added the internal server's ip addresses to
> /etc/hosts

> IMHO the reverse lookup should be made avoidable from the configuration
> file. (Maybe it should be made avoidable completely, unless I'm missing
> a possible reason to revese lookup there...)
>
> Regards.
>
> --
> Federico Mennite
> Lifeware AG
>

Re: ProxyPass dns issues (patch)

am 14.02.2003 00:52:04 von Federico Mennite


Federico Mennite wrote:

Ok, I've written a small patch that makes the reverse lookups avoidable via a new
directive called ReverseLookups.
I don't think it's actually a clean solution, so it isn't meant to be a
definitive patch.
I was wondering if adding a boolean parameter to the ProxyPass directive
would make more sense...

Opinions/suggestions?




diff -urN apache_1.3.27/src/modules/proxy/mod_proxy.c apache_1.3.27.ite/src/modules/proxy/mod_proxy.c
--- apache_1.3.27/src/modules/proxy/mod_proxy.c 2002-06-18 02:59:59.000000000 +0200
+++ apache_1.3.27.ite/src/modules/proxy/mod_proxy.c 2003-02-13 23:33:45.000000000 +0100
@@ -434,6 +434,8 @@
ps->domain = NULL;
ps->viaopt = via_off; /* initially backward compatible with 1.3.1 */
ps->viaopt_set = 0; /* 0 means default */
+ ps->reverse_lookups = 1;
+ ps->reverse_lookups_set = 0;
ps->req = 0;
ps->req_set = 0;
ps->recv_buffer_size = 0; /* this default was left unset for some
@@ -482,6 +484,7 @@

ps->domain = (overrides->domain == NULL) ? base->domain : overrides->domain;
ps->viaopt = (overrides->viaopt_set == 0) ? base->viaopt : overrides->viaopt;
+ ps->reverse_lookups = (overrides->reverse_lookups_set == 0) ? base->reverse_lookups : overrides->reverse_lookups;
ps->req = (overrides->req_set == 0) ? base->req : overrides->req;
ps->recv_buffer_size = (overrides->recv_buffer_size_set == 0) ? base->recv_buffer_size : overrides->recv_buffer_size;
ps->io_buffer_size = (overrides->io_buffer_size_set == 0) ? base->io_buffer_size : overrides->io_buffer_size;
@@ -920,6 +923,17 @@
return NULL;
}

+static const char *
+ set_reverse_lookups(cmd_parms *parms, void *dummy, int flag)
+{
+ proxy_server_conf *psf =
+ ap_get_module_config(parms->server->module_config, &proxy_module);
+
+ psf->reverse_lookups = flag;
+ psf->reverse_lookups_set = 1;
+ return NULL;
+}
+
static const handler_rec proxy_handlers[] =
{
{"proxy-server", proxy_handler},
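Review bot: The new set_reverse_lookups() handler has no comment saying what the flag controls, and the name alone does not tell a reader that it only affects the backend-address path in proxy_util.c. I would add above it `/* ReverseLookups On|Off: whether ap_proxy_host2addr_ext() may call gethostbyaddr() on a numeric backend address (default On, preserving the old behaviour) */`. The handler itself follows the same pattern as the other per-server setters (write the value, mark `_set`), so the merge in the earlier hunk picks it up correctly.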
@@ -970,6 +984,8 @@
"Force a http cache completion after this percentage is loaded"},
{"ProxyVia", set_via_opt, NULL, RSRC_CONF, TAKE1,
"Configure Via: proxy header header to one of: on | off | block | full"},
+ {"ReverseLookups", set_reverse_lookups, NULL, RSRC_CONF, FLAG,
+ "On if reverse lookups for remote connections are needed"},
{NULL}
};

diff -urN apache_1.3.27/src/modules/proxy/mod_proxy.h apache_1.3.27.ite/src/modules/proxy/mod_proxy.h
--- apache_1.3.27/src/modules/proxy/mod_proxy.h 2002-04-21 13:35:07.000000000 +0200
+++ apache_1.3.27.ite/src/modules/proxy/mod_proxy.h 2003-02-13 23:26:17.000000000 +0100
@@ -203,6 +203,8 @@
char recv_buffer_size_set;
size_t io_buffer_size;
char io_buffer_size_set;
+ int reverse_lookups;
+ char reverse_lookups_set;
} proxy_server_conf;

struct hdr_entry {
@@ -306,6 +308,7 @@
cache_req *ap_proxy_cache_error(cache_req *r);
int ap_proxyerror(request_rec *r, int statuscode, const char *message);
const char *ap_proxy_host2addr(const char *host, struct hostent *reqhp);
+const char *ap_proxy_host2addr_ext(const char *host, struct hostent *reqhp, int reverse);
int ap_proxy_is_ipaddr(struct dirconn_entry *This, pool *p);
int ap_proxy_is_domainname(struct dirconn_entry *This, pool *p);
int ap_proxy_is_hostname(struct dirconn_entry *This, pool *p);
diff -urN apache_1.3.27/src/modules/proxy/proxy_http.c apache_1.3.27.ite/src/modules/proxy/proxy_http.c
--- apache_1.3.27/src/modules/proxy/proxy_http.c 2002-09-03 09:12:46.000000000 +0200
+++ apache_1.3.27.ite/src/modules/proxy/proxy_http.c 2003-02-13 23:13:18.000000000 +0100
@@ -225,13 +225,13 @@

if (proxyhost != NULL) {
server.sin_port = htons((unsigned short)proxyport);
- err = ap_proxy_host2addr(proxyhost, &server_hp);
+ err = ap_proxy_host2addr_ext(proxyhost, &server_hp, conf->reverse_lookups);
if (err != NULL)
return DECLINED; /* try another */
}
else {
server.sin_port = htons((unsigned short)destport);
- err = ap_proxy_host2addr(desthost, &server_hp);
+ err = ap_proxy_host2addr_ext(desthost, &server_hp, conf->reverse_lookups);
if (err != NULL)
return ap_proxyerror(r, HTTP_INTERNAL_SERVER_ERROR, err);
}
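Review bot: Both call sites now pass `conf->reverse_lookups`, but `conf` is not declared or assigned anywhere in this hunk, so it presumably is the proxy_server_conf fetched earlier in the enclosing function, which starts outside the hunk; worth confirming it is the merged per-server config and not a stale lookup. Note also that the first branch (proxyhost != NULL, i.e. the ProxyRemote case) is now governed by the same flag as the direct backend case, so the directive affects forward-proxy chaining as well, which the help string should say. If other backends in this module call ap_proxy_host2addr() (the FTP and CONNECT handlers, for instance, which I cannot see here), they are not converted by this patch and keep the old lookup.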
diff -urN apache_1.3.27/src/modules/proxy/proxy_util.c apache_1.3.27.ite/src/modules/proxy/proxy_util.c
--- apache_1.3.27/src/modules/proxy/proxy_util.c 2002-07-22 18:26:03.000000000 +0200
+++ apache_1.3.27.ite/src/modules/proxy/proxy_util.c 2003-02-13 23:22:31.000000000 +0100
@@ -974,14 +974,20 @@
return statuscode;
}

+const char *
+ ap_proxy_host2addr(const char *host, struct hostent * reqhp) {
+
+ return ap_proxy_host2addr_ext(host, reqhp, 1);
+}
+
/*
* This routine returns its own error message
*/
const char *
- ap_proxy_host2addr(const char *host, struct hostent * reqhp)
+ ap_proxy_host2addr_ext(const char *host, struct hostent * reqhp, int reverse)
{
int i;
- struct hostent *hp;
+ struct hostent *hp = NULL;
struct per_thread_data *ptd = get_per_thread_data();

for (i = 0; host[i] != '\0'; i++)
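Review bot: The compatibility wrapper ap_proxy_host2addr() hard-codes `reverse = 1`, so any caller that is not switched to ap_proxy_host2addr_ext() silently ignores the ReverseLookups directive and still does a gethostbyaddr() on every connection. That is a reasonable transitional choice, but it needs to be stated, and the remaining callers should be converted or the wrapper should read the server config itself; I would put `/* Legacy entry point: always performs the reverse lookup. New code should call ap_proxy_host2addr_ext() with conf->reverse_lookups. */` above it. The "This routine returns its own error message" comment now sits on the `_ext` function only, so the wrapper should also say it returns the same error string.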
@@ -995,7 +1001,8 @@
}
else {
ptd->ipaddr = ap_inet_addr(host);
- hp = gethostbyaddr((char *)&ptd->ipaddr, sizeof(ptd->ipaddr), AF_INET);
+ if (reverse)
+ hp = gethostbyaddr((char *)&ptd->ipaddr, sizeof(ptd->ipaddr), AF_INET);
if (hp == NULL) {
memset(&ptd->hpbuf, 0, sizeof(ptd->hpbuf));
ptd->hpbuf.h_name = 0;
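Review bot: With `reverse` off, `hp` stays NULL and falls into the existing `hp == NULL` branch that builds a synthetic hostent with `h_name = 0`, i.e. "lookups disabled" is handled exactly like "gethostbyaddr() failed"; that equivalence is what makes the change safe, and it deserves a comment, `/* reverse == 0 behaves like a failed gethostbyaddr(): build the hostent from the numeric address only */`. The `hp = NULL` initialisation is required for this, since the numeric-address branch no longer assigns it unconditionally. From a security standpoint the option is worthwhile beyond latency: the reverse lookup makes every backend connect depend on the resolver answering for the backend's PTR, which an operator with fixed internal addresses has no reason to want; what `h_name` is used for afterwards is outside the hunk, so I cannot say whether anything downstream trusts the looked-up name.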
