Getting the Client IP in an IBM Domino Web App Behind an Apache Reverse Proxy
Martin Leyrer October 29 2014 20:17:52
Running a Domino-based web application behind a reverse proxy (as I have been doing for quite some time now) is the latest craze (due to the SSL issues in the current Domino SSL stack). Sean Cull has instructions for configuring Apache, Jesse Gallagher for nginx.
There is one issue left unsolved, though, in Sean's configuration (that Jesse solved for nginx). Because Apache acts as a reverse proxy, the field "Remote_Addr" in the web application no longer contains the IP of the client calling the app, which can be an issue if you need that information in your app. The Domino Blog, for example, can't block clients based on their IP any more.
The solution for that is to set the parameter "HTTPEnableConnectorHeaders=1" either in the notes.ini or a configuration document. With that, Domino maps the following additional headers to the corresponding, regular fields:
Restriction: If you enable this, it is assumed you know what you’re doing, and how to protect direct access to the port at which the embedded http is listening.
Note: If you set the LogLevel to TRACE in the plugin XML config file, it is possible to see what headers are actually added for a given request.
(Appendix C. Domino 6 HTTP plug-in hints and tips, page 659)
So in our case, "$WSRA" would get mapped to the Domino field "Remote_Addr", thereby "fixing" our problem of the missing client IP:
But what have we got to do in order to set that additional Header in the proxy request from Apache to Domino? The following magic incantation in the correct httpd.conf does the trick:
SetEnvIf REMOTE_ADDR (.*) temp_remote_addr=$1
RequestHeader set "$WSRA" "%{temp_remote_addr}e"
(You need, of course, to enable mod_headers and mod_setenvif.)
This maps the REMOTE_ADDR, containing the client's IP address, to the environment variable "temp_remote_addr", which we can then use to set the $WSRA header in the proxy request. Rinse and repeat for other variables you need.
Simple, isn't it?
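The restriction quoted above applies to the proxy as well: with "HTTPEnableConnectorHeaders=1", Domino accepts the $WS headers from whoever sends them, so the proxy should be the only sender. The fragment below is an added example, not part of the original post; it extends the two directives above by dropping client-supplied copies of the other connector headers before the request is forwarded. The backend address 127.0.0.1:8080 and the header list (names as given in IBM's WebSphere plug-in documentation, not on this page) are assumptions.

```apache
# Added example, not from the original post.
# Place inside the virtual host that proxies to Domino.
# Assumption: Domino's HTTP task listens on 127.0.0.1:8080 (placeholder) and
# is bound or firewalled so that only this Apache instance can connect to it.
# Requires mod_proxy, mod_proxy_http, mod_headers and mod_setenvif.

ProxyRequests     Off
ProxyPreserveHost On
ProxyPass         / http://127.0.0.1:8080/
ProxyPassReverse  / http://127.0.0.1:8080/

# Domino trusts every connector header it receives. Remove the ones this
# proxy does not set itself, so that a value arriving from the client side
# is never forwarded. Adjust the list to the headers your Domino version
# honors (assumed names from the WebSphere plug-in documentation).
RequestHeader unset "$WSRH"
RequestHeader unset "$WSRU"
RequestHeader unset "$WSAT"
RequestHeader unset "$WSCC"
RequestHeader unset "$WSCS"
RequestHeader unset "$WSSI"
RequestHeader unset "$WSIS"
RequestHeader unset "$WSSC"
RequestHeader unset "$WSPR"
RequestHeader unset "$WSSN"
RequestHeader unset "$WSSP"

# The directives from the post. "set" replaces any $WSRA header already
# present in the request; "add" or "append" would keep the incoming value.
SetEnvIf REMOTE_ADDR (.*) temp_remote_addr=$1
RequestHeader set "$WSRA" "%{temp_remote_addr}e"
```

If you later decide to forward one of the unset headers, replace its "unset" line with a "set" line whose value is computed by Apache, as is done for $WSRA.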