[PATCH] Initialize session.ip early (with mod_websocket)
11 views
Skip to first unread message
Boris Grozev
Jun 2, 2020, 1:51:53 PM6/2/20
to proso...@googlegroups.com
Hello everyone,
We ran into a problem where `session.ip` is not set when the filters
for a new session are initialized.
With BOSH the session object is created in mod_bosh directly and
`session.ip` is set at that stage (before the initialize_fillters
call). With mod_websocket, however, the session is created using
`c2s_listener.onconnect(conn)`. This leads to the session filters
being initialized before session.ip is set from the HTTP headers.
This patch piggybacks the IP address from the HTTP headers as a
property of 'conn', as that was the most straightforward way I found
of doing it. Please let me know if there's a better solution.
Regards,
Boris
We ran into a problem where `session.ip` is not set when the filters
for a new session are initialized.
With BOSH the session object is created in mod_bosh directly and
`session.ip` is set at that stage (before the initialize_fillters
call). With mod_websocket, however, the session is created using
`c2s_listener.onconnect(conn)`. This leads to the session filters
being initialized before session.ip is set from the HTTP headers.
This patch piggybacks the IP address from the HTTP headers as a
property of 'conn', as that was the most straightforward way I found
of doing it. Please let me know if there's a better solution.
Regards,
Boris
Boris Grozev
Jul 30, 2020, 6:18:16 AM7/30/20
to proso...@googlegroups.com
Hello,
Any thoughts about accepting this patch, or suggestions for other ways
to solve the problem?
Regards,
Boris
Any thoughts about accepting this patch, or suggestions for other ways
to solve the problem?
Regards,
Boris
Boris Grozev
Feb 15, 2023, 1:42:09 PM2/15/23
to proso...@googlegroups.com
Hello,
We also ran into this issue with prosody 0.12. Specifically, we have a
custom module for rate limiting[0] which registers as a session filter
and uses session.ip. The code in mod_websocket replaces session.ip
with request.ip, but only after the session filters are applied. As a
result, our module runs with session.ip still set to conn:ip(), which
is the proxy's address and not what we want.
I'm attaching an updated patch for 0.12.
[0] https://github.com/jitsi/infra-configuration/blob/main/ansible/roles/prosody/files/mod_rate_limit.lua
We also ran into this issue with prosody 0.12. Specifically, we have a
custom module for rate limiting[0] which registers as a session filter
and uses session.ip. The code in mod_websocket replaces session.ip
with request.ip, but only after the session filters are applied. As a
result, our module runs with session.ip still set to conn:ip(), which
is the proxy's address and not what we want.
I'm attaching an updated patch for 0.12.
[0] https://github.com/jitsi/infra-configuration/blob/main/ansible/roles/prosody/files/mod_rate_limit.lua
Matthew Wild
Feb 15, 2023, 5:31:24 PM2/15/23
to proso...@googlegroups.com
On Wed, 15 Feb 2023 at 18:42, Boris Grozev <bo...@sip-communicator.org> wrote:
> We also ran into this issue with prosody 0.12. Specifically, we have a
> custom module for rate limiting[0] which registers as a session filter
> and uses session.ip. The code in mod_websocket replaces session.ip
> with request.ip, but only after the session filters are applied. As a
> result, our module runs with session.ip still set to conn:ip(), which
> is the proxy's address and not what we want.
>
> I'm attaching an updated patch for 0.12.
Thanks for the updated patch! A new minor release for 0.12 is
> We also ran into this issue with prosody 0.12. Specifically, we have a
> custom module for rate limiting[0] which registers as a session filter
> and uses session.ip. The code in mod_websocket replaces session.ip
> with request.ip, but only after the session filters are applied. As a
> result, our module runs with session.ip still set to conn:ip(), which
> is the proxy's address and not what we want.
>
> I'm attaching an updated patch for 0.12.
imminent, so I'll try to get it into that if we can.
Regards,
Matthew
Boris Grozev
Feb 15, 2023, 6:19:01 PM2/15/23
to proso...@googlegroups.com
I'm attaching an updated version, the previous has a typo that breaks
it and an unnecessary line.
> --
> You received this message because you are subscribed to the Google Groups "prosody-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to prosody-dev...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/prosody-dev/CAJt9-x7VS9ow4HqMeJc1YKCdx2ZkcWCMS6iM%2BnzNTV1Nb2REWw%40mail.gmail.com.
it and an unnecessary line.
> You received this message because you are subscribed to the Google Groups "prosody-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to prosody-dev...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/prosody-dev/CAJt9-x7VS9ow4HqMeJc1YKCdx2ZkcWCMS6iM%2BnzNTV1Nb2REWw%40mail.gmail.com.
Matthew Wild
Feb 16, 2023, 1:24:17 PM2/16/23
to proso...@googlegroups.com
Hi Boris,
On Wed, 15 Feb 2023 at 23:19, Boris Grozev <bo...@sip-communicator.org> wrote:
> I'm attaching an updated version, the previous has a typo that breaks
> it and an unnecessary line.
Thanks! After reviewing it today, I decided not to merge it. The
changes are a bit more invasive than I'm comfortale with. For example,
util.session should generally be unaware of HTTP as a concept. I
considered introducing the idea of a generic "real IP" (which at its
simplest would be a variable rename in your patch!). However that's
something we might tackle as part of a more generic API for proxied
connections in the future - we have some modules that already handle
haproxy's PROXY protocol, and we would like to make these more neatly
integrated with Prosody's core.
The good news is that I have an alternative solution for your problem.
I committed a trivial new API to net.http.server:
https://hg.prosody.im/0.12/rev/3a6dae39c70e
I've made a PR to the Jitsi module with the changes that I think would
need to be made to take advantage of this API:
https://github.com/jitsi/infra-configuration/pull/55
Hope this helps!
Regards,
Matthew
On Wed, 15 Feb 2023 at 23:19, Boris Grozev <bo...@sip-communicator.org> wrote:
> I'm attaching an updated version, the previous has a typo that breaks
> it and an unnecessary line.
changes are a bit more invasive than I'm comfortale with. For example,
util.session should generally be unaware of HTTP as a concept. I
considered introducing the idea of a generic "real IP" (which at its
simplest would be a variable rename in your patch!). However that's
something we might tackle as part of a more generic API for proxied
connections in the future - we have some modules that already handle
haproxy's PROXY protocol, and we would like to make these more neatly
integrated with Prosody's core.
The good news is that I have an alternative solution for your problem.
I committed a trivial new API to net.http.server:
https://hg.prosody.im/0.12/rev/3a6dae39c70e
I've made a PR to the Jitsi module with the changes that I think would
need to be made to take advantage of this API:
https://github.com/jitsi/infra-configuration/pull/55
Hope this helps!
Regards,
Matthew
Boris Grozev
Feb 16, 2023, 4:08:36 PM2/16/23
to proso...@googlegroups.com
Hi Matthew,
Thank you for looking into it and providing a better solution!
Your patch to our module looks good. We'll get it tested and merged,
and get rid of the prosody patch :)
Regards,
Boris
Thank you for looking into it and providing a better solution!
Your patch to our module looks good. We'll get it tested and merged,
and get rid of the prosody patch :)
Regards,
Boris
> --
> You received this message because you are subscribed to the Google Groups "prosody-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to prosody-dev...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/prosody-dev/CAJt9-x4T%2BU-NpWBj3_X4MO4Vv95QEiNMArwAW%3DUoyUH6ZUKYrQ%40mail.gmail.com.
> You received this message because you are subscribed to the Google Groups "prosody-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to prosody-dev...@googlegroups.com.
Reply all
Reply to author
Forward
0 new messages