Presenting the following discussion from the Apache httpd dev mailing list as a bug report:

- http://mail-archives.apache.org/mod_mbox/httpd-dev/201312.mbox/%3C52B3426B.4060203%40oracle.com%3E

The remoteip_modify_request() function in mod_remoteip.c processes the value in the RemoteIPHeader header in a while loop from right to left. In the first pass, c->client_ip is taken as the user agent IP. Then the user agent is compared against the trusted proxy list. The elements in the trusted proxy list are of two types (internal or external), from the RemoteIPInternalProxy and RemoteIPTrustedProxy directives. If the user agent matches an element in the proxy list, then it is trusted to present the previous IP address in the RemoteIPHeader header value. The current code allows internal proxies to present external proxies and external proxies to present internal proxies. But an internal proxy presented by an external proxy should be considered external.
Created attachment 31175 [details]
Patch to prevent an external proxy from presenting an internal proxy.

I have attached a patch against mod_remoteip.c in httpd trunk. This patch will prevent an external proxy from presenting an internal proxy. The presented internal proxy will be considered external. This patch documents the case where no RemoteIPInternalProxy or RemoteIPTrustedProxy directive is configured. The patch also includes the essential patch from bug 54651.

The patch can be verified with the following setup, which is a variation of the one from bug 55635. This tests some internal-external-internal proxy combinations.

    LogFormat "%h %a %{c}a xf=\"%{X-Forwarded-For}i\" %l %u %t \"%r\" %>s %b" forward
    CustomLog "logs/access_log" forward

    <Location /test>
        Order Deny,Allow
        Deny from all
        Allow from localhost 127.0.0.1 1.1.1.1
    </Location>

    RemoteIPHeader X-Forwarded-For
    RemoteIPInternalProxy 10.1.2.3
    RemoteIPInternalProxy 87.245.198.54
    RemoteIPTrustedProxy 87.250.250.203

- $ curl -v -H "X-Forwarded-For: 1.1.1.2, 1.1.1.1, 87.245.198.54, 87.250.250.203" http://10.1.2.3:8080/test/
- $ curl -v -H "X-Forwarded-For: 1.1.1.2, 10.1.1.1, 87.245.198.54, 87.250.250.203" http://10.1.2.3:8080/test/
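To make the right-to-left walk and the patched rule concrete, here is an added Python model of the logic (example code, not mod_remoteip's own C) driven by the trust lists and the two X-Forwarded-For values from the setup above. The names resolve_client, is_allowed and the fixed flag are this example's own, and the pre-patch branch follows the report's description of the old behaviour rather than the original source.

```python
import ipaddress

# Constructed trust lists mirroring the test configuration above
# (RemoteIPInternalProxy / RemoteIPTrustedProxy / Allow from).
INTERNAL_PROXIES = [ipaddress.ip_network(a) for a in ("10.1.2.3", "87.245.198.54")]
TRUSTED_PROXIES = [ipaddress.ip_network("87.250.250.203")]
ALLOWED_CLIENTS = [ipaddress.ip_network(a) for a in ("127.0.0.1", "1.1.1.1")]

def _in_any(addr, networks):
    return any(addr in net for net in networks)

def resolve_client(peer_ip, xff, fixed=True):
    """Walk the RemoteIPHeader value right to left like remoteip_modify_request().

    peer_ip is the TCP peer (c->client_ip before rewriting), xff the raw
    X-Forwarded-For value. Returns (client_ip, proxy_ips): the effective
    user-agent address and the proxies recorded as external. fixed=False
    models the pre-patch behaviour, where each hop is judged on its own.
    """
    chain = [p.strip() for p in xff.split(",") if p.strip()]
    client = ipaddress.ip_address(peer_ip)
    proxy_ips = []
    internal = True  # becomes False once an external proxy has been passed
    while chain:
        if _in_any(client, INTERNAL_PROXIES):
            hop_internal = True
        elif _in_any(client, TRUSTED_PROXIES):
            hop_internal = False
        else:
            break  # not a configured proxy: this is the user agent
        if fixed:
            # Once an external proxy has presented an address, an internal
            # proxy found behind it is still trusted but counted as external.
            internal = internal and hop_internal
        else:
            internal = hop_internal
        try:
            presented = ipaddress.ip_address(chain.pop())
        except ValueError:
            break  # unparsable element: stop, keep the last valid hop as client
        if not internal:
            proxy_ips.append(str(client))
        client = presented
    return str(client), proxy_ips

def is_allowed(client_ip):
    """The <Location /test> rule: Deny from all, Allow from localhost and 1.1.1.1."""
    return _in_any(ipaddress.ip_address(client_ip), ALLOWED_CLIENTS)
```

With the first curl header the walk ends at 1.1.1.1 (allowed) and, after the patch, records both 87.250.250.203 and 87.245.198.54 as external proxies; with the second it ends at 10.1.1.1, which the Location rule denies.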
Committed to trunk in r1588330.
Proposed for backport
Backported to 2.4.19 in r1730684.
(FYI Mike, if you commit the backport, mark as resolved :) Thanks!