Bug 148098 - Patch for apache needed by mod_limitipconn to determine X-Forwarded-For IP addresses
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High normal
Assignee: Tom Knight (RETIRED)
URL: http://dev.gentoo.org/~tomk/tmp/apach...
Reported: 2006-09-18 11:13 UTC by Tom Knight (RETIRED)
Modified: 2008-01-14 00:21 UTC
Description Tom Knight (RETIRED) gentoo-dev 2006-09-18 11:13:12 UTC
net-www/mod_limitipconn comes with a patch for apache which allows the module to determine which IP address requests come from if they originate from behind a proxy. 

The patch was originally created for apache 2.0.39 but can still be applied to 2.0.58 (I haven't tried it with 2.2), an updated patch can be provided if necessary.

I'd recommend adding a new local USE flag which adds the patch, enables the --enable-forward configure flag and adds an RDEPEND entry for mod_limitipconn.

We are currently trying this out on the forums to prevent DoS attacks and if it proves to be successful then infra would roll it out to other servers.
Comment 1 Kurt Lieber (RETIRED) gentoo-dev 2006-09-18 11:47:41 UTC
/sign
Comment 2 Michael Stewart (vericgar) (RETIRED) gentoo-dev 2006-09-19 10:21:58 UTC
Generally we don't accept third-party patches, but if you are willing to maintain the patch and mod_limitipconn, then we will do it, as the patch seems simple enough. I suggest adding the patch to apache as part of a local USE-flag and then testing for the USE-flag in mod_limitipconn to determine if mod_limitipconn should be built with that option as well.

Go ahead and make the changes as a -r bump to Apache, for both 2.0 and 2.2. A maintenance guide for Apache is here: http://dev.gentoo.org/~vericgar/doc/apache-maintain.html

You will need commit access to the Apache SVN. I'm not sure how to request it, I'm sure someone from infra can help you there.
Comment 3 Tom Knight (RETIRED) gentoo-dev 2006-09-19 14:17:16 UTC
(In reply to comment #2)
> Generally we don't accept third-party patches, but if you are willing to
> maintain the patch and mod_limitipconn, then we will do it, as the patch seems

I'd be happy to maintain mod_limitipconn and its patch.

> simple enough. I suggest adding the patch to apache as part of a local USE-flag
> and then testing for the USE-flag in mod_limitipconn to determine if
> mod_limitipconn should be built with that option as well.

mod_limitipconn adds support for this if Apache is configured with the --enable-forward configure flag (which is provided by the patch) so there's no need for the extra check in the mod_limitipconn ebuild.

Does the addition of mod_limitipconn to Apache's RDEPEND make sense if this local USE flag is enabled? (as mod_limitipconn is the only thing that uses it)
> 
> Go ahead and make the changes as a -r bump to Apache, for both 2.0 and 2.2. A
> maintenance guide for Apache is here:
> http://dev.gentoo.org/~vericgar/doc/apache-maintain.html

I'll do that, nice clear doc BTW.

> 
> You will need commit access to the Apache SVN. I'm not sure how to request it,
> I'm sure someone from infra can help you there.
> 

Apparently all Gentoo devs have write access to the Apache SVN repo so everything should be set up for me to make these changes. Should I also add myself to the Apache herd?
Comment 4 Michael Stewart (vericgar) (RETIRED) gentoo-dev 2006-09-19 22:05:20 UTC
> Does the addition of mod_limitipconn to Apache's RDEPEND make sense if this
> local USE flag is enabled? (as mod_limitipconn is the only thing that uses it)

Maybe PDEPEND, but not RDEPEND (apache doesn't depend on mod_limitipconn at runtime), though I've heard there's issues with PDEPEND as well (but I don't know the details there)

> I'll do that, nice clear doc BTW.

Thanks!

> Apparently all Gentoo devs have write access to the Apache SVN repo so
> everything should be set up for me to make these changes. Should I also add
> myself to the Apache herd?

That's good to know about the SVN. You should add yourself to the herd and bug alias (apache-bugs@g.o) so that you'll get bugmail for the package. You'll probably want to set up filters in your e-mail client, there's a lot of bugmail on that alias. You can also add yourself to our really out of date project page if you wish as well.
Comment 5 Alex Barker 2008-01-03 23:09:07 UTC
This is really old and sounds similar to an issue I was trying to solve a little while ago... maybe bug #200895 could help?

Comment 6 Benedikt Böhm (RETIRED) gentoo-dev 2008-01-14 00:21:48 UTC
seems like mod_extract_forwarded does the job