Tag Archives: apache

Preserving Remote IP/Host while proxying

You host your web application with a hosting provider. Your application log/access IP address of your users and you get or some other private IP. Deja Vu? Most likely reason for the above scenario is your hosting provider is using a proxy and the proxy server sits in the same machine or in the same network. Under a such situation we end up using X-Forwarded-For header.

I am aware of two solutions to be used in such a proxy setup so the developer doesn’t have to end up using X-Forwarded-For header.

1.) When the proxy server is an Apache, using ProxyPreserveHost directive in mod_proxy.
This can be used to preserve the remote host not the remote ip. This is useful for situations where name based virtual hosting is used and the backend server needs to know the virtual name of host.
Open mod_proxy configuration file of your proxy server and enter directive, ProxyPreserveHost On, and restart your apache instance.

2.) When backend server is apache, use mod_rpaf
This apache module can be used to preserve both remote IP/HOST. Internally it uses X-Forwarded-For header to detect a proxy in it’s list of known proxies and reset the headers accordingly. This works with any proxy server in the front end provided that the proxy server sets X-Forwarded-For header. To use mod_rpaf, install and enable it in the backend server and add following directives in the module’s configuration.
RPAFenable On
RPAFsethostname On

Remote IP is automatically preserved when RPAFenable On directive is used. RPAFsethostname On directive should be used to preserve host and RPAFproxy_ips is the list of known proxy ips.

Restart backend apache server and you are good to go.

Git over http(s)

Traditionally git used to work only over ssh or git protocols while there was only a dumb version of git over http which was slow and inefficient. While this was ok for most of the time sometimes git needs to be able to work over http. Now starting from git 1.7 both git servers and clients have support for smart http which works over http(s) and is supposed to be as efficient as the ssh version.

This functionality is made available by a cgi script called git-http-backend provided with git-core. So for git to work over http(s) there should be a web server already configured and as a result there won’t be any conflicts by both the web server and git trying acquire port 80.

The manual for the git-http-backend can be found here.

The following steps can be used to configure git to work over http(s) with Apache.

1) First configure Apache

Make sure mod_cgi, mod_alias, and mod_env are enabled.

Open the Apache config file and append the following. Debian based system should have it under /etc/apache2/apache2.conf by default

SetEnv GIT_PROJECT_ROOT /home/user/git_pub
ScriptAlias /git/ /usr/lib/git-core/git-http-backend/

The GIT_PROJECT_ROOT should point to the root folder where git repositories would be hosted. Set this away from the document root of the web server. What the above do is direct any requests with /git/ to the git-http-backend and tell the script that the root of git repositories is GIT_PROJECT_ROOT.

That is all that needs to be done that is specific to git over http(s). The manual for for the git-http-backend explains these steps pretty thoroughly.

Now for some tit-bits that are not explained in the manual. Those who are experienced with Apache and Git would find the following very boring.

2) For authentication for both read and write accesses append the following to theApache config file

<Location /git>
AuthType Basic
AuthName “Private Git Access”
AuthUserFile /etc/apache2/authusers
Require valid-user

What the above do is make requests to /git only accessible to valid users and tell valid users are listed on the file /etc/apache2/authusers. Make sure the file authusers is accessible by Apache.

If there is no AuthUserFile in your system the following command can be used to create the user list at /etc/apache2/authusers and add the user ‘username’ to it. The command will prompt for a password for the user.

htpasswd -c /etc/apache2/authusers username

3) Restart Apache

On debian most probably, sudo /etc/init.d/apache2 restart

4) Create an empy bare git repository under the specified GIT_PROJECT_ROOT (/home/user/git_pub in our example)


mkdir project

cd project

git init –bare

5) Make the folder ‘project’ and it’s children owned by the user which the web server is run from. This should be done for push requests by clients to work or otherwise the web server won’t be able to merge files. On debian based systems this user is usually www-data and is defined in a file called envvars under apache2 installation.

sudo chown -R www-data project/
sudo chgrp -R www-data project/

Now the bare git repository should be pull-able and pushable by authorized users.

6) Clone the git repository over http(s) from another location

git clone http://username@host/git/project

7) Do the first commit

cd project
touch readme
git add readme
git commit -m “first commit”
git push origin master

It is as easy as that. From here the setuped git repository should work as normal.