Fixing:

[mamanguy]

1. make it compile for redhat which use apr version that is less then 1.5.0 and doesn’t have the function apr_sockaddr_is_wildcard
2. make the module to not drop packets even if there is no proxy header. So users could access the web directly without proxy_protocolw.

[roadrunner2]

Thank you for your contributions, and apologies for the late reply.

A few things. First of all, there are two completely separate things being mixed into one commit, so at the very least this needs to be split up: one commit addressing the compatibility with apr < 1.5, and one commit making the header optional; also, that second log-level commit should probably be merged with the header-optional commit.

Having said that, I doubt I would accept the header-optional patch at all for security reasons. In fact, the protocol specification explicitly forbids doing that - see http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt, Section 2, 2nd to last paragraph. The way to handle the situation where both direct and indirect access is allowed is to listen on two ports, one configured to expect the proxy-protocol header and which is limited to accepting connections from the load-balancer/gateway/etc, and one which is configured to not expect the proxy-protocol header and which is open to everybody else (or whatever limits you want). E.g. something like the following:

Listen 80
Listen 81

<VirtualHost *:80>
    Include main.inc
</VirtualHost>

<VirtualHost *:81>
    ProxyProtocol On
    <Location />
        Require ip <load-balancer-address>
    </Location>

    Include main.inc
</VirtualHost>

[roadrunner2]

@mamanguy I have now pushed a fix for apr < 1.5 in commit 84d3f3b. It's done a bit differently, and more completely. But thanks for your contribution.

Regarding the option to allow missing proxy header, as I noted above, I don't think this is acceptable from a security standpoint.