3

I'm trying to set up nginx as a front-end and Apache as a back-end on my server. Everything went as usual, and I've installed libapache2-mod-rpaf. But Apache doesn't see the real client IP, and some IP-based .htaccess restrictions don't work at all, because Apache sees only the local IP.

Here is the nginx vhost configuration:

server {
    listen 80;
    server_name domain;
    location ~* ^/(admin/|dump/|) {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://127.0.0.1:8080;
        proxy_redirect http://domain:8080/ /;
    }
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://127.0.0.1:8080;
        proxy_redirect http://domain:8080/ /;
    }
    location ~* ^.+\.(jpg|swf|flv|ico|txt|jpeg|gif|png|svg|js|css|mp3|ogg|mpe?g|avi|zip|gz|bz2?|rar)$ {
        access_log /var/www/logs/domain.nginx.access.log;
        error_page 404 = @fallback;
        if ( $host ~* ^((.*).domain)$ ) {
            set $proot /var/www/$1;
            break;
        }
        if ( $host = "domain" ) {
            break;
        }

        root /var/www/domain;
    }
    location @fallback {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

And here is apache vhost configuration:

<VirtualHost *:8080>
    ServerName domain
    DocumentRoot /var/www/domain
    DirectoryIndex index.php
    CustomLog /var/www/logs/domain.access.log combined
    ErrorLog /var/www/logs/domain.error.log
    ServerAdmin info@domain
    AddDefaultCharset utf8
    php_admin_value open_basedir "/var/www/mod-tmp:.:/var/www/domain"
    php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f webmaster@domain"
    php_admin_value upload_tmp_dir "/var/www/mod-tmp"
    php_admin_value session.save_path "/var/www/mod-tmp"
    AddType application/x-hwikipd-php .php .php3 .php4 .php5 .phtml
    AddType application/x-hwikipd-php-source .phps
<Directory /var/www/domain>
    Options All
    AllowOverride All
</Directory>
</VirtualHost>

As I can see in nginx log:

xxx.yyy.98.14 - - [28/Jan/2012:02:08:29 +0400] "GET / HTTP/1.0" 403 179 "-" "w3m/0.5.3"

It sees my real ip.

But in apache log it sees only local ip:

127.0.0.1 - - [28/Jan/2012:02:08:29 +0400] "GET / HTTP/1.0" 403 390 "-" "w3m/0.5.3"

rpaf is enabled.

$ cat /etc/apache2/mods-enabled/rpaf.conf 
<IfModule mod_rpaf.c>
    RPAFenable On
    RPAFsethostname On
    RPAFproxy_ips 127.0.0.1 ::1
</IfModule>
$ cat /etc/apache2/mods-enabled/rpaf.load 
LoadModule rpaf_module /usr/lib/apache2/modules/mod_rpaf.so
$ ls -l /usr/lib/apache2/modules/mod_rpaf.so
-rw-r--r-- 1 root root 8488 Oct 17 20:47 /usr/lib/apache2/modules/mod_rpaf.so

So, what is wrong?

P.S. I have restarted nginx and Apache several times after saving these configs, but nothing has changed.

rush

3 Answers

12

Change the <IfModule ""> reference from mod_rpaf.c to rpaf_module.

This fixed the issue for me on Debian Squeeze and Ubuntu 12.04.

David Dean
  • This solved it for me. Lots of guides use mod_rpaf and not rpaf_module. Be sure to place it in your vhosts, and not in your apache2.conf as well. – Tuinslak Aug 22 '14 at 23:26
2

That's the correct behavior, because only your applications (run on Apache) see the real IP. For example, install a sample application such as WordPress and install real-time analytics such as Piwik. Insert the Piwik code in the WordPress footer and visit your WordPress site (after logging out). Now Piwik would show the real IP instead of what is set at RPAFproxy_ips.

BTW, the /etc/apache2/mods-enabled/rpaf.conf file is missing one important directive. It should have RPAFheader. For example, my configuration file looks like this...

<IfModule mod_rpaf.c>
    RPAFenable On
    RPAFsethostname On
    RPAFproxy_ips 127.0.0.1
    RPAFheader X-Forwarded-For
</IfModule>

You may also use X-Real-IP in place of X-Forwarded-For. In either case, please make sure nginx is configured to send real IP in its header. For example, if you use X-Forwarded-For, then your nginx configuration should contain the following...

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-For $remote_addr;
Pothi Kalimuthu
  • Hm, I changed rpaf.conf and the nginx vhost settings as you said and restarted Apache and nginx, but nothing changed. Do I need to do something else? BTW, I checked the same settings on another host and everything works well. – rush Jan 28 '12 at 11:12
  • I'm sorry, I shared what I've known. Maybe someone else might help you further, thanks. – Pothi Kalimuthu Jan 28 '12 at 15:00
  • Okay, instead of RPAFheader X-Forwarded-For, please try RPAFheader X-Real-IP. Thanks. – Pothi Kalimuthu Feb 02 '12 at 05:21
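
The trust rule behind RPAFproxy_ips and RPAFheader, as an added example that is not part of the answer above and is not mod_rpaf's or mod_remoteip's own code: the forwarded header is honoured only when the TCP peer is a listed proxy, and its entries are read right to left, the order mod_remoteip documents. The function names and sample addresses are constructed for illustration.

```python
import ipaddress

# Assumption: the same trust list as RPAFproxy_ips on this page.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "::1/128")]


def _parse(addr):
    """Return an ip_address object, or None if addr is not a valid IP."""
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def is_trusted(addr):
    """True if addr is a proxy that is allowed to vouch for a client."""
    ip = _parse(addr)
    return ip is not None and any(ip in net for net in TRUSTED_PROXIES)


def effective_client_ip(peer_addr, forwarded_for):
    """Resolve the client address from the TCP peer and X-Forwarded-For."""
    # A header on a connection that did not come from a listed proxy is ignored.
    if not forwarded_for or not is_trusted(peer_addr):
        return peer_addr
    client = peer_addr
    # nginx appends the address it saw at the end, so read right to left.
    for hop in reversed(forwarded_for.split(",")):
        if _parse(hop) is None:
            break  # malformed entry: keep the last address that parsed
        client = hop.strip()
        if not is_trusted(client):
            break  # first non-proxy address is the client; older entries are unverified
    return client


# Constructed sample requests: (TCP peer, X-Forwarded-For value or None).
SAMPLES = [
    ("127.0.0.1", "203.0.113.7"),            # through nginx, the normal case
    ("127.0.0.1", "10.9.9.9, 203.0.113.7"),  # client sent a header, nginx appended
    ("127.0.0.1", "203.0.113.7, ::1"),       # two trusted hops in a row
    ("198.51.100.20", "192.0.2.1"),          # reached :8080 without nginx
    ("127.0.0.1", None),                     # no header at all
]

if __name__ == "__main__":
    for peer, xff in SAMPLES:
        print(f"peer={peer:<14} xff={xff!s:<24} -> {effective_client_ip(peer, xff)}")
```

In the second sample the leftmost entry arrived from the client and is never consulted, which is why IP-based restrictions behind the proxy should depend on the rightmost untrusted address and on Apache's port 8080 being reachable only from the listed proxies.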
0

mod_rpaf appears to have been deprecated in Debian Jessie, and further development halted. Switch to mod_remoteip, which is a default module in Debian Jessie.

Kirrus