Summary: | mod_remoteip seems to remove X-Forwarded-For header in some cases | ||
---|---|---|---|
Product: | Apache httpd-2 | Reporter: | Vegar Nilsen <vn> |
Component: | mod_remoteip | Assignee: | Apache HTTPD Bugs Mailing List <bugs> |
Status: | NEW --- | ||
Severity: | normal | ||
Priority: | P2 | ||
Version: | 2.4.20 | ||
Target Milestone: | --- | ||
Hardware: | PC | ||
OS: | Linux |
Description
Vegar Nilsen
2016-06-07 13:08:25 UTC
We're seeing the same thing. We've got NGINX and Varnish in front of Apache and passing the X-Forwarded-For and X-Real-IP Headers. Apache is using the event MPM and passing PHP to FastCGI. All of the headers come through when doing a var_dump on $_SERVER. However when using the X-Forwarded-For or the X-Real-IP headers for RemoteIPHeader, you get the right IP for REMOTE_ADDR but the header disappears. (In reply to KakersUK from comment #1) > We're seeing the same thing. We've got NGINX and Varnish in front of Apache > and passing the X-Forwarded-For and X-Real-IP Headers. Apache is using the > event MPM and passing PHP to FastCGI. > > All of the headers come through when doing a var_dump on $_SERVER. However > when using the X-Forwarded-For or the X-Real-IP headers for RemoteIPHeader, > you get the right IP for REMOTE_ADDR but the header disappears. AFAICT this is intentional in mod_remoteip. Addresses essentially move from XFF to the internal representation of the client address. Entries only remain in if they're not trusted. |