Bug 62377

Summary: Implement Forwarded header (RFC 7239) in mod_remoteip
Product: Apache httpd-2 Reporter: Dan Ramaley <daniel.ramaley>
Component: mod_remoteipAssignee: Apache HTTPD Bugs Mailing List <bugs>
Status: NEW ---    
Severity: enhancement CC: dan, jay
Priority: P2    
Version: 2.5-HEAD   
Target Milestone: ---   
Hardware: PC   
OS: Linux   

Description Dan Ramaley 2018-05-15 20:54:26 UTC
Would it be difficult to add support for the standard Forwarded header, as defined by RFC 7239?
Comment 1 William A. Rowe Jr. 2018-05-16 17:29:17 UTC
Patches are welcome.

The largest headache is unwinding Forwarded and X-F-F where they coexist
during any transition between the old and new behavior. This is my analysis
documented in the thread to help anyone get started;

So I was unspooling how we would handle stacked variables.

Any PROXY protocol is the nearest hop; if multiple PROXY protocol header
lines occurred, the closest would be transmitted first, etc.

All local x-remoteip style values would be the next most distant hop; very
similar to the haproxy protocol, it indicates some absolutely trusted edge

Any x-f-f that occurs would reflect all the next most distant hops. Finally,
any 'Forwarded' header (rfc7239) are the most distant hops. I'm basing
that conclusion on the fact that all 'Forwarded'-aware intermediaries which
construct a 'Forwarded' header would not carry the x-f-f, but concatenate
these as closer than the nearest 'Forwarded'-aware hop. So the presence
of an x-f-f header indicates the presence of a 'Forwarded'-unaware agent
between this incoming connection and the closest 'Forwarded'-aware agent.

I'm not suggesting these two enhancements, PROXY and RFC7239 are
intertwined, we can certainly ship them in different releases, but I was
having problems working out X-F-F vs Forwarded until I was working
through the PROXY logic and came to the conclusion above, and am
looking for others to sanity-check my logic on this.