Bug 64433

Summary: RemoteIPInternalProxy and RemoteIPProxyProtocolExceptions are missing the opposite
Product: Apache httpd-2
Reporter: Marc 'Zugschlus' Haber <mh+asf-bugzilla>
Component: mod_remoteip
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: NEW
Severity: enhancement
CC: mh+asf-bugzilla, stephen
Priority: P2
Version: 2.5-HEAD
Target Milestone: ---
Hardware: All
OS: All

Description Marc 'Zugschlus' Haber 2020-05-13 17:56:13 UTC

mod_remoteip supports two different methods of transmitting the IP of the "real" client from the Reverse Proxy. First, there is the method of honoring the X-Forwarded-For http header, and the other is the haproxy Proxy Protocol.

For X-Forwarded-For (XFF), one needs to give apache a list of trusted proxies, and apache will only honor X-Forwarded-For if the request comes from a trusted proxy.

For the Proxy Protocol (PP), apache will _REQUIRE_ the Proxy Protocol to be used for ALL requests and it will not accept requests that don't use the PP. In exchange, the IP address given in the PP will always be used, relying on other access control measures to prevent untrusted hosts from sending a wrong client address.

For two methods offered by the same module, these two approaches are remarkably opposite to each other. Without knowing the history that the PP code used to be in its own module and was rolled into mod_remoteip just recently, this is confusing.

Please consider having both a list of trusted proxies and a list of untrusted, non-proxy IP addresses, for both methods.

Please do also consider having a possibility to have just a single listener both for direct accesses from the Internet (without requiring PP) and for accepting PP requests from a proxy. This is a valid use case for a web server in an IPv6-only setup that gets its IPv6 requests directly from the Internet while requests from the IPv4 Internet get proxied towards the apache server by means of, for example, sniproxy.

Thanks for providing great software and for considering my suggestions.
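The asymmetry the report describes, modelled as an added example that is not code from httpd or from the reporter: in X-Forwarded-For mode the header is only honoured when the connecting peer is on the trusted-proxy list (the RemoteIPInternalProxy/RemoteIPTrustedProxy lists) and the chain is walked right to left past trusted hops; in PROXY protocol mode every connection must start with a PROXY header and the address it carries is taken as the client, with only the RemoteIPProxyProtocolExceptions list opting peers out. The function and class names (Policy, resolve_xff, parse_proxy_v1, resolve_proxy_protocol) and all addresses are this example's own constructed values, and the walk is a simplified model of the module's behaviour, not its source.

```python
"""Model of the two client-address recovery modes offered by mod_remoteip.

Added example (not httpd code). It reproduces the behaviour described in the
bug report: XFF is trusted only from listed proxies, PROXY protocol is
required from (and trusted on) every peer not on the exceptions list.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Policy:
    # Model of RemoteIPInternalProxy / RemoteIPTrustedProxy: peers whose
    # X-Forwarded-For header is honoured (IPs or CIDR blocks).
    trusted_proxies: list = field(default_factory=list)
    # Model of RemoteIPProxyProtocolExceptions: peers allowed to connect
    # without a PROXY header when PROXY protocol is switched on.
    pp_exceptions: list = field(default_factory=list)


def _in_list(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)


def resolve_xff(peer, xff, policy):
    """Return (client_ip, leftover_hops) for an XFF-mode connection.

    The header is ignored entirely unless the TCP peer is a trusted proxy.
    Otherwise the chain is walked right to left: each trusted hop is skipped,
    the first untrusted address becomes the client, and anything left of it
    is returned unconsumed (mod_remoteip keeps it in RemoteIPProxiesHeader).
    """
    if not xff or not _in_list(peer, policy.trusted_proxies):
        return peer, []                       # spoofed header from a stranger: ignored
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    client = peer
    while hops:
        candidate = hops.pop()
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            hops.append(candidate)            # unparseable entry: stop, keep previous
            break
        client = candidate
        if not _in_list(candidate, policy.trusted_proxies):
            break                             # first untrusted hop is the client
    return client, hops


def parse_proxy_v1(line):
    """Parse one PROXY protocol v1 header line and return the source address.

    Accepts b'PROXY TCP4 <src> <dst> <sport> <dport>\\r\\n' (or TCP6); returns
    None for 'PROXY UNKNOWN', which tells the server to keep the TCP peer.
    """
    if not line.startswith(b"PROXY ") or not line.endswith(b"\r\n") or len(line) > 107:
        raise ValueError("not a PROXY v1 header")
    fields = line[:-2].decode("ascii").split(" ")
    if fields[1] == "UNKNOWN":
        return None
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    want = 4 if fields[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match protocol field")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return str(src)


def resolve_proxy_protocol(peer, first_bytes, policy):
    """Return (client_ip, payload) for a connection in PROXY-protocol mode.

    Peers on the exceptions list are passed through unchanged. Every other
    peer MUST send a PROXY header, and the address in it is believed without
    any trust check on the peer itself, exactly the point the report makes.
    """
    if _in_list(peer, policy.pp_exceptions):
        return peer, first_bytes
    head, sep, rest = first_bytes.partition(b"\r\n")
    if not sep:
        raise ValueError("connection did not start with a PROXY header")
    src = parse_proxy_v1(head + sep)
    return (src if src is not None else peer), rest


if __name__ == "__main__":
    pol = Policy(trusted_proxies=["10.0.0.0/8"], pp_exceptions=["2001:db8::/32"])
    # Same forged address, two modes: rejected in XFF mode, accepted in PP mode.
    print(resolve_xff("198.51.100.7", "203.0.113.5", pol))
    print(resolve_proxy_protocol(
        "198.51.100.7", b"PROXY TCP4 203.0.113.5 192.0.2.1 40000 443\r\nGET / HTTP/1.0\r\n", pol))
```

Running the block shows the contrast the report is about: a peer outside the trusted list cannot inject a client address through X-Forwarded-For, but the same peer can do so through a PROXY header unless the listener is shielded by packet filtering or a separate address.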