[ZendTo] Behind an apache reverse proxy

John Thurston john.thurston at alaska.gov
Fri Jan 25 01:08:58 GMT 2013


Most of our applications run behind apache 2.2 reverse proxies. When 
working with ZendTo, I've needed to make a couple of modifications to 
make it work for us in this configuration.

A) All of the customers will arrive at the application with the same 
source ip address (that of the proxy server). This same address will 
appear in the email messages as well as the in/outbox listings.

B) As mentioned on this list in February, 2012, the "Home" link on the 
application screen will have the name or address of the application 
server rather than the name or address of the front-end proxy server.

To address (A), I used mod_rpaf as suggested by Rich Hutchinson in 
November, 2012. The catch was, when using the ZendTo Ubuntu VM and 
apt-get to install mod_rpaf, I ran into bug 930540:
> https://bugs.launchpad.net/ubuntu/+source/libapache2-mod-rpaf/+bug/930540
I changed the module name in rpaf.conf to mod_rpaf-2.0.c and got it 
working as expected.

I tested the function of rpaf with the following:
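> <?php
> // Print the address-related request variables to check what rpaf rewrote.
> // Missing headers default to '', and values are HTML-escaped because the
> // forwarded headers are supplied by the client.
> function server_var($key) {
>     return isset($_SERVER[$key]) ? htmlspecialchars($_SERVER[$key], ENT_QUOTES) : '';
> }
> $clientip = server_var('HTTP_CLIENT_IP');
> $remoteaddr = server_var('REMOTE_ADDR');
> $xforwardedfor = server_var('HTTP_X_FORWARDED_FOR');
> $xforwardedhost = server_var('HTTP_X_FORWARDED_HOST');
> $xforwardedserver = server_var('HTTP_X_FORWARDED_SERVER');
>
> echo " <li>HTTP_CLIENT_IP:  $clientip</li>\n";
> echo " <li>REMOTE_ADDR:  $remoteaddr</li>\n";
> echo " <li>HTTP_X_FORWARDED_FOR:  $xforwardedfor</li>\n";
> echo " <li>HTTP_X_FORWARDED_HOST: $xforwardedhost</li>\n";
> echo " <li>HTTP_X_FORWARDED_SERVER: $xforwardedserver</li>\n";
> ?>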

This was taken from (and added to):
> http://giantdorks.org/alain/easily-get-the-correct-client-ip-with-mod_rpaf/

To address (B), I hacked the default VirtualHost entry on my application 
server's apache. I inserted:

>  ServerName name.of.proxy.server
>  UseCanonicalName on

It's a hack, but it provided most of the function I needed. It causes a 
certificate-name mismatch warning in the apache log, but that warning is 
hidden from the user by the proxy.

The $NSSDROPBOX_URL is still built with $_SERVER['SERVER_NAME'] and the 
HTTPS and PORT settings from the application server rather than the 
settings from the front-end proxy. In my case, they happen to coincide, 
so it works. If your application server is listening on a different port 
than your proxy, this hack will not work.

Question:

I'm normally a Solaris admin, so my Linux skills and knowledge are 
limited. All I did was an "apt-get install libapache2-mod-rpaf". How did 
my apt-get choose its repository, and what could I have done 
differently to get a package containing a functional rpaf.conf?



-- 
    Do things because you should, not just because you can.

John Thurston    907-465-8591
John.Thurston at alaska.gov
Enterprise Technology Services
Department of Administration
State of Alaska
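
An added example, not part of the original message and not ZendTo code: an application-level version of the trust decision behind (A) and (B), where the forwarded headers are honoured only when the direct peer is the known proxy, and the forwarded host must also be on an allow-list. The proxy address, host names, function names and sample requests are assumptions made up for the illustration.

```php
<?php
// Added example (not ZendTo code). Addresses and host names below are constructed.
const TRUSTED_PROXIES = ['192.0.2.10'];          // assumption: the front-end proxy
const PUBLIC_HOSTS    = ['dropbox.example.org']; // assumption: name the proxy serves

// Client address: use X-Forwarded-For only when the direct peer is our proxy.
function client_ip(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, TRUSTED_PROXIES, true)) {
        return $peer;                  // direct connection: ignore forwarded headers
    }
    // mod_proxy appends the address it saw to any header the client sent, so walk
    // from the right and return the first hop that is not one of our proxies.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break;                     // malformed entry: stop trusting the chain
        }
        if (!in_array($hop, TRUSTED_PROXIES, true)) {
            return $hop;
        }
    }
    return $peer;
}

// Public host name for links: accept X-Forwarded-Host only from the proxy and
// only when it is on the allow-list; otherwise fall back to SERVER_NAME.
function public_host(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $host = strtolower(trim($server['HTTP_X_FORWARDED_HOST'] ?? ''));
    if (in_array($peer, TRUSTED_PROXIES, true) && in_array($host, PUBLIC_HOSTS, true)) {
        return $host;
    }
    return $server['SERVER_NAME'] ?? '';
}

// Constructed requests: [REMOTE_ADDR, X-Forwarded-For, X-Forwarded-Host].
$samples = [
    'proxied'          => ['192.0.2.10',   '203.0.113.7',           'dropbox.example.org'],
    'client-sent XFF'  => ['192.0.2.10',   '10.1.1.1, 203.0.113.7', 'other.example.net'],
    'direct to server' => ['198.51.100.5', '127.0.0.1',             'dropbox.example.org'],
];
foreach ($samples as $label => [$peer, $xff, $xfh]) {
    $s = ['REMOTE_ADDR' => $peer, 'SERVER_NAME' => 'app.internal',
          'HTTP_X_FORWARDED_FOR' => $xff, 'HTTP_X_FORWARDED_HOST' => $xfh];
    printf("%-17s ip=%-13s host=%s\n", $label, client_ip($s), public_host($s));
}
```

The third sample is the case to watch: a request that reaches the application server without passing through the proxy keeps its real peer address and the server's own name, whatever headers it carries.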

