Bug 55962 - mod_remoteip should not allow an external proxy to present an internal proxy
Summary: mod_remoteip should not allow an external proxy to present an internal proxy
Status: RESOLVED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_remoteip
Version: 2.5-HEAD
Hardware: PC All
Importance: P2 enhancement
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords: FixedInTrunk, PatchAvailable
Depends on:
Blocks:
 
Reported: 2014-01-06 18:08 UTC by Mike Rumph
Modified: 2016-02-19 18:00 UTC

Attachments
Patch to prevent an external proxy from presenting an internal proxy. (2.12 KB, patch)
2014-01-06 18:31 UTC, Mike Rumph

Description Mike Rumph 2014-01-06 18:08:13 UTC
Presenting the following discussion from the Apache httpd dev mailing list as a bug report:
- http://mail-archives.apache.org/mod_mbox/httpd-dev/201312.mbox/%3C52B3426B.4060203%40oracle.com%3E

The remoteip_modify_request() function in mod_remoteip.c processes the value in the RemoteIPHeader header in a while loop from right to left.
In the first pass the c->client_ip is taken as the user agent IP.
Then the user agent is compared against the trusted proxy list.
The elements in the trusted proxy list are of two types (internal or external) from the RemoteIPInternalProxy and RemoteIPTrustedProxy directives.
If the user agent matches an element in the proxy list,
then it is trusted to present the previous IP address in the RemoteIPHeader header value.
The current code allows internal proxies to present external proxies and external proxies to present internal proxies.
But an internal proxy presented by an external proxy should be considered external.
Comment 1 Mike Rumph 2014-01-06 18:31:03 UTC
Created attachment 31175
Patch to prevent an external proxy from presenting an internal proxy.

I have attached a patch against mod_remoteip.c in httpd trunk.
This patch will prevent an external proxy from presenting an internal proxy.
The presented internal proxy will be considered external.
This patch documents the case where no RemoteIPInternalProxy or RemoteIPTrustedProxy directive is configured.
The patch also includes the essential patch from bug 54651.

The patch can be verified with the following setup, which is a variation on the one from bug 55635:

This tests some internal-external-internal proxy combinations.

LogFormat "%h %a %{c}a xf=\"%{X-Forwarded-For}i\" %l %u %t \"%r\" %>s %b" forward
CustomLog "logs/access_log" forward

<Location /test>
        Order Deny,Allow
        Deny from all
        Allow from localhost 127.0.0.1 1.1.1.1
</Location>

RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 10.1.2.3
RemoteIPInternalProxy 87.245.198.54
RemoteIPTrustedProxy 87.250.250.203
- $ curl -v -H "X-Forwarded-For: 1.1.1.2, 1.1.1.1, 87.245.198.54, 87.250.250.203" http://10.1.2.3:8080/test/ 
- $ curl -v -H "X-Forwarded-For: 1.1.1.2, 10.1.1.1, 87.245.198.54, 87.250.250.203" http://10.1.2.3:8080/test/
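The walk described in the bug report and the two curl cases above can be reproduced offline with the following Python model. It is an added example, not mod_remoteip's C code: it re-implements the right-to-left scan of the RemoteIPHeader value with the bug 55962 rule switchable, so the pre-patch and patched results for Comment 1's configuration can be compared side by side. Assumptions beyond the page: the TCP peer is taken to be 10.1.2.3 (curl connects to that address from the same host); the rule that a trusted external proxy may not present private, loopback or link-local space is taken from the RemoteIPTrustedProxy documentation; the "trust every hop when no proxy list is configured" branch is the case the patch documents; and the list of hops treated as external is the model's own bookkeeping, not the module's X-Forwarded-By output. Function and variable names are the example's own.

```python
# Added example (not mod_remoteip's own C code): a small Python model of the
# right-to-left RemoteIPHeader walk described in bug 55962, with the fix
# switchable so the old and patched behaviour can be compared.
import ipaddress

# Ranges that a trusted *external* proxy may not present, as documented for
# RemoteIPTrustedProxy (private, loopback and link-local space).
_NOT_FROM_EXTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def resolve_client(peer, xff, internal=(), trusted=(), fixed=True):
    """Walk the RemoteIPHeader value from right to left.

    peer     -- address of the TCP peer (the initial c->client_ip)
    xff      -- header value as received, e.g. "a, b, c"
    internal -- RemoteIPInternalProxy networks (strings)
    trusted  -- RemoteIPTrustedProxy networks (strings)
    fixed    -- True: once an external proxy has been seen, an internal
                proxy it presents is treated as external (the r1588330 rule);
                False: the pre-patch rule, where any internal-list match
                re-enters internal mode.

    Returns (client_ip, remaining_header, hops_treated_as_external).
    """
    internal_nets = [ipaddress.ip_network(n) for n in internal]
    trusted_nets = [ipaddress.ip_network(n) for n in trusted]
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    current = ipaddress.ip_address(peer)
    is_internal = True          # the module starts in internal mode
    external_hops = []          # hops visited while in external mode (model only)

    while hops:
        if internal_nets or trusted_nets:
            if _in_any(current, internal_nets):
                if not fixed:
                    is_internal = True      # old behaviour: back to internal
            elif _in_any(current, trusted_nets):
                is_internal = False
            else:
                break           # not a known proxy: this is the client
        # With no proxy list configured the module trusts every hop
        # (the case the patch documents), so the check above is skipped.
        presented = ipaddress.ip_address(hops[-1])   # rightmost value
        if not is_internal and _in_any(presented, _NOT_FROM_EXTERNAL):
            break               # an external hop may not present private space
        hops.pop()
        if not is_internal:
            external_hops.append(str(current))
        current = presented

    return str(current), ", ".join(hops), external_hops


# The configuration from Comment 1; the peer is assumed to be 10.1.2.3
# because curl connects to that address from the same host.
CONFIG = dict(internal=("10.1.2.3/32", "87.245.198.54/32"),
              trusted=("87.250.250.203/32",))
PEER = "10.1.2.3"
TEST1 = "1.1.1.2, 1.1.1.1, 87.245.198.54, 87.250.250.203"
TEST2 = "1.1.1.2, 10.1.1.1, 87.245.198.54, 87.250.250.203"


def compare(xff):
    """Return {'old': (...), 'fixed': (...)} for one header value."""
    return {"old": resolve_client(PEER, xff, fixed=False, **CONFIG),
            "fixed": resolve_client(PEER, xff, fixed=True, **CONFIG)}


if __name__ == "__main__":
    for name, xff in (("test 1", TEST1), ("test 2", TEST2)):
        for mode, result in compare(xff).items():
            print(f"{name} {mode:5}: client={result[0]:15} "
                  f"remaining={result[1]!r} external={result[2]}")
```

For the first curl case both rules end at 1.1.1.1, since every presented hop is public. The second case is where they diverge: the old rule lets 87.245.198.54 re-enter internal mode even though it was presented by the external proxy 87.250.250.203, so the private address 10.1.1.1 is accepted as the client; the patched rule keeps 87.245.198.54 external, refuses the private address and stops at 87.245.198.54, which is what the %a field in the LogFormat above would show.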
Comment 2 Mike Rumph 2014-04-17 18:22:09 UTC
Committed to trunk in r1588330.
Comment 3 William A. Rowe Jr. 2016-02-11 17:39:06 UTC
Proposed for backport
Comment 4 Mike Rumph 2016-02-17 00:08:46 UTC
Backported to 2.4.19 in r1730684.
Comment 5 William A. Rowe Jr. 2016-02-19 18:00:02 UTC
(FYI Mike, if you commit the backport, mark as resolved :)  Thanks!