At the last Plackathon, with help from miyagawa and kazeburo, I rewrote yappo's HTTP::Engine::Middleware::ReverseProxy for Plack. It had been sitting untouched ever since, so I have now uploaded it to CPAN.
Notes below.
From mod_proxy_http.c:
    /* X-Forwarded-*: handling
     *
     * XXX Privacy Note:
     * -----------------
     *
     * These request headers are only really useful when the mod_proxy
     * is used in a reverse proxy configuration, so that useful info
     * about the client can be passed through the reverse proxy and on
     * to the backend server, which may require the information to
     * function properly.
     *
     * In a forward proxy situation, these options are a potential
     * privacy violation, as information about clients behind the proxy
     * are revealed to arbitrary servers out there on the internet.
     *
     * The HTTP/1.1 Via: header is designed for passing client
     * information through proxies to a server, and should be used in
     * a forward proxy configuation instead of X-Forwarded-*. See the
     * ProxyVia option for details.
     */
    if (PROXYREQ_REVERSE == r->proxyreq) {
        const char *buf;

        /* Add X-Forwarded-For: so that the upstream has a chance to
         * determine, where the original request came from.
         */
        apr_table_mergen(r->headers_in, "X-Forwarded-For",
                         c->remote_ip);

        /* Add X-Forwarded-Host: so that upstream knows what the
         * original request hostname was.
         */
        if ((buf = apr_table_get(r->headers_in, "Host"))) {
            apr_table_mergen(r->headers_in, "X-Forwarded-Host", buf);
        }

        /* Add X-Forwarded-Server: so that upstream knows what the
         * name of this proxy server is (if there are more than one)
         * XXX: This duplicates Via: - do we strictly need it?
         */
        apr_table_mergen(r->headers_in, "X-Forwarded-Server",
                         r->server->server_hostname);
    }
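So, as I suspected, each inner proxy simply appends its own value, comma-separated, to the X-Forwarded-* headers that the outer proxy already added. → That means only the last entry (the one added by the proxy I set up myself) can be trusted. So for remote-addr, use the last entry. http-host is about which name the client used to call the site, so use the outermost one, that is, the first entry. Would that be fine? → In the end I decided to trust only the nearest one. So anyone using a multi-tier proxy setup should write their own instead of using this module. → And with that, it is available here ↓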
http://search.cpan.org/~danjou/Plack-Middleware-ReverseProxy-0.02/
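
The trust rule from the notes above, as an added example (this is not the code of Plack::Middleware::ReverseProxy): take only the last comma-separated entry of each X-Forwarded-* header, since that is the one appended by the proxy that connected directly. The helper names, the trusted proxy address, the check that the direct peer is that proxy, and the sample requests are assumptions made for this illustration.

```perl
use strict;
use warnings;

# Assumption: address of the single reverse proxy we deployed ourselves.
my %TRUSTED_PROXY = map { $_ => 1 } ('127.0.0.1');

# Last element of a comma-merged header value, i.e. the entry appended
# by the proxy that connected to us directly (apr_table_mergen appends).
sub last_entry {
    my ($value) = @_;
    return unless defined $value;
    (my $v = $value) =~ s/^\s+|\s+$//g;
    my @parts = grep { length } split /\s*,\s*/, $v;
    return @parts ? $parts[-1] : undef;
}

# Hypothetical helper: returns a copy of a PSGI env with REMOTE_ADDR and
# HTTP_HOST rewritten from X-Forwarded-*, trusting only the nearest hop.
sub apply_forwarded {
    my ($env) = @_;
    my %out = %$env;
    # If the peer is not our proxy, every header is client-controlled.
    return \%out unless $TRUSTED_PROXY{ $env->{REMOTE_ADDR} // '' };
    my $addr = last_entry($env->{HTTP_X_FORWARDED_FOR});
    my $host = last_entry($env->{HTTP_X_FORWARDED_HOST});
    $out{REMOTE_ADDR} = $addr if defined $addr;
    $out{HTTP_HOST}   = $host if defined $host;
    return \%out;
}

# Constructed sample requests (documentation-range addresses).
my @samples = (
    # Client sent its own X-Forwarded-For; our proxy appended the real peer.
    { REMOTE_ADDR => '127.0.0.1', HTTP_HOST => 'backend.internal',
      HTTP_X_FORWARDED_FOR  => '10.0.0.1, 203.0.113.7',
      HTTP_X_FORWARDED_HOST => 'www.example.com' },
    # Request that did not come through our proxy: headers are ignored.
    { REMOTE_ADDR => '198.51.100.9', HTTP_HOST => 'www.example.com',
      HTTP_X_FORWARDED_FOR => '10.0.0.1' },
);

for my $env (@samples) {
    my $r = apply_forwarded($env);
    printf "peer %-13s XFF %-24s => REMOTE_ADDR %s, HTTP_HOST %s\n",
        $env->{REMOTE_ADDR}, $env->{HTTP_X_FORWARDED_FOR},
        $r->{REMOTE_ADDR}, $r->{HTTP_HOST};
}
```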