Forum OpenACS Development: Re: ad_conn peeraddr

4: Re: ad_conn peeraddr (response to 3)
Posted by Gustaf Neumann on
We use the code above with SSL via pound (the client connects to pound via SSL, and pound connects to the backend via plain HTTP). Pound uses different backends for different tasks. So the only complete log file is the one provided by pound, which also contains the correct IP addresses of the clients.

On the backend side, everything using ad_conn reports the client IP address as "ad_conn peeraddr" (e.g. the request monitor, creation_ip in acs_objects, etc.). Since all but developer traffic (via VLAN) is routed via the reverse proxy, recording the IP address of the proxy is certainly not useful. I would rather call it a bug to always see the proxy's IP address where the code writer obviously intended to report the client IP address. In the parts of OpenACS we are using, we found no place where having the proxy as the peer address makes sense.

However, I do agree that in principle one should have two fields, such as peer_addr and client_addr, and that the usages should be changed from "ad_conn peeraddr" to "ad_conn clientaddr". However, the change above is less invasive, and one actually always has both pieces of information at hand: one can still use "ns_conn peeraddr" for the bare-bones info.

6: Re: ad_conn peeraddr (response to 4)
Posted by Malte Sussdorff on
Gustaf (or anyone else), how do you handle the fact that you might want to force SSL connections to Pound, yet security::secure_conn_p always returns 0 (as the reverse proxy is using HTTP to communicate with the AOLserver)? Is there a trick so I can tell security::secure_conn_p that the original request is actually secure?
7: Re: ad_conn peeraddr (response to 6)
Posted by Gustaf Neumann on
Pound adds multiple X-SSL-* request header fields to the request. The backend can query these and could set security::secure_conn_p (see https://www.apsis.ch/pound.html).
This was not an issue for us, since we only allow SSL connections from the outside world.

I guess that with nginx one can get the same behaviour by using proxy_set_header.
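An added example of the backend-side logic the thread is circling around, written in Python rather than Tcl so it can be run stand-alone; it is not OpenACS, AOLserver, pound or nginx code. It assumes that the proxy forwards the original client address in X-Forwarded-For (the thread's "code above" is not shown here), that pound's TLS marker is one of the X-SSL-* request headers Gustaf mentions (the specific name X-SSL-Cipher is an assumption), that an nginx setup would send X-Forwarded-Proto via proxy_set_header, and that the proxy connects from the constructed 10.0.0.0/24 network. The point it adds to the thread: the forwarded headers are only meaningful when the TCP peer really is the proxy.

```python
"""Derive client address and "was the outside leg TLS?" behind a reverse proxy.

Added example (not project code). Assumed conventions, not stated in the thread:
  - proxy sends the client address in X-Forwarded-For,
  - pound marks TLS-terminated requests with X-SSL-* headers (X-SSL-Cipher assumed),
  - nginx sends X-Forwarded-Proto via proxy_set_header,
  - TRUSTED_PROXY_NETS is where the proxy connects from (constructed value).
"""
import ipaddress
from dataclasses import dataclass

# Constructed: the network the reverse proxy (pound / nginx) connects from.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("10.0.0.0/24")]


@dataclass
class ConnInfo:
    peer_addr: str     # the TCP peer, what ns_conn peeraddr reports
    client_addr: str   # the original client, what ad_conn peeraddr is meant to be
    secure_p: bool     # whether the client's leg of the connection was TLS


def valid_ip(addr):
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        return False


def peer_is_trusted_proxy(addr):
    if not valid_ip(addr):
        return False
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXY_NETS)


def client_ip_from_xff(xff):
    """X-Forwarded-For is 'client, proxy1, proxy2, ...': each proxy appends the
    address it saw. Walk from the right, skipping hops that are our own proxies;
    the first hop we do not trust is the client. Anything further left was
    supplied by the client itself or by an unknown party and cannot be trusted."""
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if not peer_is_trusted_proxy(hop):
            return hop if valid_ip(hop) else None
    # every hop was one of our proxies: the left-most is the best we have
    return hops[0] if hops and valid_ip(hops[0]) else None


def resolve_conn(peer_addr, headers, conn_is_tls=False):
    """Return ConnInfo for one request.

    headers: dict of request headers, matched case-insensitively (like ns_set iget).
    conn_is_tls: whether the backend's own listener was TLS, which is all that
    security::secure_conn_p can see on its own."""
    h = {k.lower(): v for k, v in headers.items()}
    if not peer_is_trusted_proxy(peer_addr):
        # Direct connection (e.g. the developer VLAN) or a forged header: the
        # proxy headers mean nothing here, so report only what the socket says.
        return ConnInfo(peer_addr, peer_addr, conn_is_tls)

    client = client_ip_from_xff(h.get("x-forwarded-for", "")) or peer_addr

    # Either TLS marker counts, but only because the peer is our proxy.
    tls_by_pound = any(k.startswith("x-ssl-") for k in h)
    tls_by_proto = h.get("x-forwarded-proto", "").strip().lower() == "https"
    return ConnInfo(peer_addr, client, conn_is_tls or tls_by_pound or tls_by_proto)


if __name__ == "__main__":
    # Constructed requests: one through pound, one direct hit with forged headers.
    print(resolve_conn("10.0.0.1", {"X-Forwarded-For": "203.0.113.9",
                                    "X-SSL-Cipher": "AES256-SHA"}))
    print(resolve_conn("192.168.5.7", {"X-Forwarded-For": "203.0.113.9",
                                       "X-SSL-Cipher": "AES256-SHA"}))
```

The check on the peer address is the part that matters: if the backend is reachable without going through the proxy (the developer VLAN in Gustaf's setup), a request that arrives directly can carry its own X-Forwarded-For or X-SSL-* headers, and a backend that honours them unconditionally would record a false creation_ip or treat a plain HTTP request as secure. The proxy, for its part, must overwrite or strip any inbound copies of these headers (nginx's proxy_set_header replaces them; pound needs to be configured to remove client-supplied ones), otherwise the same forgery works through the proxy.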