| Summary: | mod_authz_host uses proxy IP even when mod_remoteip is enabled | ||
|---|---|---|---|
| Product: | Apache httpd-2 | Reporter: | payam_hekmat |
| Component: | mod_authz_host | Assignee: | Apache HTTPD Bugs Mailing List <bugs> |
| Status: | NEW --- | ||
| Severity: | normal | ||
| Priority: | P2 | ||
| Version: | 2.4.12 | ||
| Target Milestone: | --- | ||
| Hardware: | PC | ||
| OS: | FreeBSD | ||
Using the following configuration behind haproxy with mod_remoteip enabled: RemoteIPHeader X-Forwarded-For RemoteIPInternalProxy 127.0.0.1 <Location /server-status> SetHandler server-status Require host 127.0.0.1 localhost </Location> all proxied requests will be allowed through. Removing 'localhost' from the Require directive closes the hole, but in the same vein other hosts placed in the directive would not allow legitimate clients through. I'm uncertain if this is a bug or desired behavior. If the latter, would it be possible to update the docs to further clarify the "Security Note" for mod_authz_host and/or create a feature request for adding the ability to use mod_remoteip and hostname-based authentication (apologies if such discussion would've been better suited to the mailing list)?