Bug 58089

Summary: mod_authz_host uses proxy IP even when mod_remoteip is enabled
Product: Apache httpd-2 Reporter: payam_hekmat
Component: mod_authz_hostAssignee: Apache HTTPD Bugs Mailing List <bugs>
Status: NEW ---    
Severity: normal    
Priority: P2    
Version: 2.4.12   
Target Milestone: ---   
Hardware: PC   
OS: FreeBSD   

Description payam_hekmat 2015-07-01 04:06:11 UTC
Using the following configuration behind haproxy with mod_remoteip enabled:

RemoteIPHeader X-Forwarded-For
<Location /server-status>
    SetHandler server-status
    Require host localhost

all proxied requests will be allowed through. Removing 'localhost' from the Require directive closes the hole, but in the same vein other hosts placed in the directive would not allow legitimate clients through. I'm uncertain if this is a bug or desired behavior. 

If the latter, would it be possible to update the docs to further clarify the "Security Note" for mod_authz_host and/or create a feature request for adding the ability to use mod_remoteip and hostname-based authentication (apologies if such discussion would've been better suited to the mailing list)?