Module mod_extract_forwarded for Apache 2.0.x

(based on mod_extract_forwarded by Adrian Hosey, alh@warhound.org)

Download version 0.1: mod_extract_forwarded2 v 0.1
If you have any questions or feedback, feel free to mail me.

This module is contained in the mod_extract_forwarded.c file. It transparently modifies a connection so that it looks like it came from the IP behind a proxy server rather than the proxy itself.

You should really read the README file to understand the access control implications of using this module.


AllowForwarderCaching directive

Syntax: AllowForwarderCaching boolean
Context: server config, virtual host, directory, .htaccess
Override: Options
Status: Contrib
Module: mod_extract_forwarded

AllowForwarderCaching determines whether caches along the request path are allowed to cache the response. On means any and all caches along the request path may cache it. Off means no caches along the request path may cache it. The default if this directive is not specified is On.

Example:

AllowForwarderCaching On
<Location /sensitive>
AllowForwarderCaching Off
</Location>

This allows caching for the entire site, except for objects inside the /sensitive location.


AddAcceptForwarder directive

Syntax: AddAcceptForwarder host
Context: server config, virtual host, directory, .htaccess
Override: Options
Status: Contrib
Module: mod_extract_forwarded

AddAcceptForwarder adds host to the list of proxy hosts from which we will honor the X-Forwarded-For header and substitute in the forwarded IP. The default if this directive is not set is to not honor X-Forwarded-For from any proxies. Note that this is cumulative inside container directives, adding to the accept list without destroying anything already in it. Host is one of the following:

all
    X-Forwarded-For is processed for all proxy hosts
A full IP address
    An IP address of a proxy host
A hostname
    This must be a complete hostname (i.e. not a partial domain-name) subject to the domain search path where the server is running. So if the server is running on www.systhug.com and systhug.com is in the search path, we can use AddAcceptForwarder proxyfoo and that will be looked up as proxyfoo.systhug.com

Example:

AddAcceptForwarder proxy1.systhug.com

<Directory /home/httpd/html/all_public>
AddAcceptForwarder proxy2.systhug.com
</Directory>

This accepts X-Forwarded-For from proxy1 for the entire site, and additionally accepts from proxy2 for objects in the all_public directory.


RemoveAcceptForwarder directive

Syntax: RemoveAcceptForwarder host
Context: server config, virtual host, directory, .htaccess
Override: Options
Status: Contrib
Module: mod_extract_forwarded

RemoveAcceptForwarder removes host from the list of proxy hosts from which we will honor the X-Forwarded-For header. The default if this directive is not set is to not honor X-Forwarded-For from any proxies. Note that this is cumulative inside container directives, removing host from the accept list but no others which are already in it. If host is not in the accept list the directive has no effect. Host is one of the following:

all
    X-Forwarded-For is ignored for all proxy hosts
A full IP address
    An IP address of a proxy host
A hostname
    This must be a complete hostname (i.e. not a partial domain-name) subject to the domain search path where the server is running. So if the server is running on www.systhug.com and systhug.com is in the search path, we can use RemoveAcceptForwarder proxyfoo and that will be looked up as proxyfoo.systhug.com

Example:

AddAcceptForwarder proxy1.systhug.com
AddAcceptForwarder proxy2.systhug.com

<Directory /home/httpd/html/dont_trust_proxy2>
AddAcceptForwarder proxy3.systhug.com
RemoveAcceptForwarder proxy2.systhug.com
</Directory>

This accepts X-Forwarded-For from proxy1 and proxy2 for the entire site, except inside the dont_trust_proxy2 directory. In there, it accepts from proxy1 and proxy3 but not proxy2.
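
The accept-list behaviour of AddAcceptForwarder and RemoveAcceptForwarder, modelled in Python as an added example (not the module's C code and not part of the original documentation). The name-to-address table and client addresses are constructed, and two points this page does not specify are assumptions: that the last X-Forwarded-For entry is the one substituted, and that RemoveAcceptForwarder all empties the list.

```python
import ipaddress

# Constructed sample data: documentation-range addresses standing in for DNS lookups.
HOSTS = {
    "proxy1.systhug.com": "192.0.2.1",
    "proxy2.systhug.com": "192.0.2.2",
    "proxy3.systhug.com": "192.0.2.3",
}

def apply_directives(inherited, directives):
    """Accept list of a scope: the enclosing scope's list plus its own directives."""
    accept = set(inherited)
    for name, host in directives:
        if name == "AddAcceptForwarder":
            accept.add(host)
        elif name == "RemoveAcceptForwarder":
            # Assumption: removing "all" empties the list; an absent host is a no-op.
            accept = set() if host == "all" else accept - {host}
        else:
            raise ValueError(f"unknown directive: {name}")
    return accept

def is_accepted(peer_ip, accept):
    """True if the directly connected peer is a forwarder this scope accepts."""
    return "all" in accept or peer_ip in {HOSTS.get(h, h) for h in accept}

def effective_client(peer_ip, xff, accept):
    """Address that IP-based access control would see for this request."""
    if not xff or not is_accepted(peer_ip, accept):
        return peer_ip                     # header ignored: peer is not an accepted proxy
    last = xff.split(",")[-1].strip()      # assumption: the entry the peer itself appended
    try:
        return str(ipaddress.ip_address(last))
    except ValueError:
        return peer_ip                     # malformed header: keep the socket address

# The RemoveAcceptForwarder example above, plus a scope that accepts "all".
SITE = apply_directives(set(), [("AddAcceptForwarder", "proxy1.systhug.com"),
                                ("AddAcceptForwarder", "proxy2.systhug.com")])
DONT_TRUST_PROXY2 = apply_directives(SITE, [("AddAcceptForwarder", "proxy3.systhug.com"),
                                            ("RemoveAcceptForwarder", "proxy2.systhug.com")])
OPEN = apply_directives(set(), [("AddAcceptForwarder", "all")])

if __name__ == "__main__":
    for scope in (SITE, DONT_TRUST_PROXY2, OPEN):
        print(sorted(scope),
              effective_client("192.0.2.2", "203.0.113.9", scope),    # via proxy2
              effective_client("198.51.100.7", "10.0.0.5", scope))    # direct client
```

With the OPEN scope, a directly connected client that supplies its own X-Forwarded-For is seen under the address it chose, which is the access control implication of using all.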