Summary: | Proxy IP list is populated with incorrect IP addresses | | |
---|---|---|---|
Product: | Apache httpd-2 | Reporter: | Mike Rumph <mike.rumph> |
Component: | mod_remoteip | Assignee: | Apache HTTPD Bugs Mailing List <bugs> |
Status: | RESOLVED FIXED | | |
Severity: | normal | Keywords: | FixedInTrunk, PatchAvailable |
Priority: | P2 | | |
Version: | 2.5-HEAD | | |
Target Milestone: | --- | | |
Hardware: | PC | | |
OS: | All | | |
Attachments: | Patch to populate the proxy_ips field with correct IP addresses. | | |
Description
Mike Rumph
2014-01-07 21:09:18 UTC
Created attachment 31180 [details]
Patch to populate the proxy_ips field with correct IP addresses.

I have attached a patch against mod_remoteip.c in httpd trunk. This patch will populate the proxy_ips field with correct IP addresses. This test gives us a long list to view in the simplest way.

The patch can be verified with the following setup, which is a variation from bug 55635:

    LogFormat "%h %a %{c}a xf=\"%{X-Forwarded-For}i\" %l %u %t \"%r\" %>s %b" forward
    CustomLog "logs/access_log" forward
    LogLevel debug mod_remoteip.c:trace1
    <Location /test>
        Order Deny,Allow
        Deny from all
        Allow from localhost 127.0.0.1 1.1.1.1
    </Location>
    RemoteIPHeader X-Forwarded-For

Do not include any RemoteIPInternalProxy, RemoteIPInternalProxyList, RemoteIPTrustedProxy or RemoteIPTrustedProxyList. This will cause mod_remoteip to take the default of treating the client IP and all IP addresses in X-Forwarded-For as external trusted proxies.

    $ curl -v -H "X-Forwarded-For: 1.1.1.2, 1.1.1.1, 87.245.198.54, 87.250.250.203" http://10.1.2.3:8080/test/

    $ tail logs/access_log
    my_host 1.1.1.2 10.1.2.3 xf="-" - - [07/Jan/2014:11:03:54 -0800] "GET /test/ HTTP/1.1" 403 207

    $ tail logs/error_log

Similar records to the following will be seen in the error log.

Before the fix:

    [Tue Jan 07 11:03:54.053043 2014] [remoteip:trace1] [pid 3456:tid 1108416832] mod_remoteip.c(404): [client 1.1.1.2:59017] Using 1.1.1.2 as client's IP by proxies 10.1.2.3, 10.1.2.3, 10.1.2.3, 10.1.2.3

After the fix:

    [Tue Jan 07 12:38:22.488850 2014] [remoteip:trace1] [pid 20135:tid 1107126592] mod_remoteip.c(405): [client 1.1.1.2:52291] Using 1.1.1.2 as client's IP by proxies 10.1.2.3, 87.250.250.203, 87.245.198.54, 1.1.1.1

Committed to trunk in r1564475 and proposed for httpd 2.4.x.
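The check described in the report, as an added example that is not part of the original report or of mod_remoteip's code: it models the right-to-left walk over X-Forwarded-For for the all-trusted default and compares the result with the `trace1` record. The function names are hypothetical, and stopping at the first unparseable entry is a simplifying assumption of this model.

```python
import ipaddress
import re

# Values taken from the report's test setup.
PEER = "10.1.2.3"  # connection address, %{c}a in the access log
XFF = "1.1.1.2, 1.1.1.1, 87.245.198.54, 87.250.250.203"
BEFORE = ("[remoteip:trace1] mod_remoteip.c(404): [client 1.1.1.2:59017] "
          "Using 1.1.1.2 as client's IP by proxies "
          "10.1.2.3, 10.1.2.3, 10.1.2.3, 10.1.2.3")
AFTER = ("[remoteip:trace1] mod_remoteip.c(405): [client 1.1.1.2:52291] "
         "Using 1.1.1.2 as client's IP by proxies "
         "10.1.2.3, 87.250.250.203, 87.245.198.54, 1.1.1.1")

TRACE_RE = re.compile(r"Using (\S+) as client's IP by proxies (.+)$")


def expected_chain(peer, xff):
    """Model of the walk when every hop is trusted (no RemoteIP*Proxy lines).

    Entries are consumed from the right. Each consumed entry becomes the
    new client candidate, and the address it replaces is recorded as a proxy.
    """
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    client, proxies = peer, []
    while hops:
        try:
            ipaddress.ip_address(hops[-1])
        except ValueError:
            break  # assumption: an unparseable entry ends the walk
        proxies.append(client)
        client = hops.pop()
    return client, proxies


def parse_trace(line):
    """Extract (client, [proxies]) from a trace1 record, or None."""
    m = TRACE_RE.search(line.strip())
    if not m:
        return None
    return m.group(1), [p.strip() for p in m.group(2).split(",")]


def trace_matches(line, peer, xff):
    """True when the logged proxy chain equals the modelled chain."""
    parsed = parse_trace(line)
    return parsed is not None and parsed == expected_chain(peer, xff)


if __name__ == "__main__":
    for label, line in (("before", BEFORE), ("after", AFTER)):
        print(label, "ok" if trace_matches(line, PEER, XFF) else "MISMATCH")
```

A mismatch on a record like the "before" line means the logged proxy chain cannot be relied on to reconstruct the path a request took.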