When you are using a reverse proxy to multiplex several Apache and other web servers through the same IP address, all your badly written and badly designed applications will start to log and use the proxy IP address instead of the real one. Your "allow/deny from ip_address" directives will stop working, etc...
There is a very, very dirty hack for PHP applications, using the auto_prepend_file directive in php.ini, that swaps the proxy IP address for the client one, so applications such as WordPress can keep logging the real IP address instead of the proxy one.
<?php
// Prepended to every script via auto_prepend_file: if the request arrived
// through our proxy, replace its address with the first X-Forwarded-For entry.
function xinverse() {
    if ($_SERVER["REMOTE_ADDR"] == "172.26.0.27" && !empty($_SERVER["HTTP_X_FORWARDED_FOR"])) {
        // split() was removed in PHP 7; explode() does the same job here
        list($_SERVER["REMOTE_ADDR"]) = explode(",", $_SERVER["HTTP_X_FORWARDED_FOR"]);
        $_SERVER["REMOTE_ADDR"] = trim($_SERVER["REMOTE_ADDR"]);
    }
}
xinverse();
?>
The problem is that this very dirty hack does not work with phpBB. Also, you need similar hacks for applications written in other languages like Python, Perl, etc... And there is still no way to use the Apache IP-based directives.
The solution is a module that unfortunately is not available in Debian stable (only in sid, and that package is not usable on stable): mod_rpaf. It checks whether the request comes from your controlled remote proxy, and if so it grabs the first IP address from the X-Forwarded-For list and rewrites REMOTE_ADDR with it.
This module is really, really simple to compile thanks to apxs, and after compiling it in a testing virtual domain (thanks Xen) I have now installed it in the production virtual domain (here).
Update: allow/deny from does not work with mod_rpaf as I expected; you need to perform those validations on the proxy side.
SetEnvIf X-Forwarded-For ^172\.26\.0\.17 let_me_in
Order allow,deny
allow from env=let_me_in
ErrorDocument 403 /isdown.php
It's dirty, but it works. Be careful here: we can only do this if we have our trusted proxy in front of the server; if we open up access, anyone can bypass it by setting an arbitrary X-Forwarded-For header.
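The same REMOTE_ADDR rewrite for a Python application (the "similar hack" mentioned above), as an added example that is not the post's PHP code nor mod_rpaf: it only honours X-Forwarded-For when the TCP peer is the trusted proxy, and it goes one step further than the post by walking the header from the right so a client-inserted leftmost entry is not trusted either. The proxy address 172.26.0.27 comes from the post; the other addresses and the WSGI wrapper name are constructed for the example.

```python
import ipaddress

# The post's proxy address; exact network matching is used rather than a
# string prefix, because a SetEnvIf regex like ^172\.26\.0\.17 also matches
# 172.26.0.170 through 172.26.0.179.
TRUSTED_PROXIES = [ipaddress.ip_network("172.26.0.27/32")]


def _is_trusted(addr, trusted):
    """True when addr parses as an IP and lies inside a trusted network."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def client_ip(remote_addr, xff, trusted=TRUSTED_PROXIES):
    """Return the address the request really came from.

    X-Forwarded-For is ignored unless the peer is a trusted proxy (otherwise
    anyone could spoof it). The chain is read right to left, dropping trusted
    hops, so the first untrusted hop is the real client; malformed or
    all-trusted chains fall back to the peer address.
    """
    if not xff or not _is_trusted(remote_addr, trusted):
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted(hop, trusted):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                return remote_addr  # garbage in the header: keep the peer
    return remote_addr


class RealIpMiddleware:
    """WSGI wrapper (hypothetical name) doing what auto_prepend_file does for PHP."""

    def __init__(self, app, trusted=TRUSTED_PROXIES):
        self.app, self.trusted = app, trusted

    def __call__(self, environ, start_response):
        environ["REMOTE_ADDR"] = client_ip(environ.get("REMOTE_ADDR", ""),
                                           environ.get("HTTP_X_FORWARDED_FOR"),
                                           self.trusted)
        return self.app(environ, start_response)
```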