Bug 55972 - Proxy IP list is populated with incorrect IP addresses
Status: RESOLVED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_remoteip
Version: 2.5-HEAD
Hardware: PC All
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords: FixedInTrunk, PatchAvailable
Depends on:
Blocks:
 
Reported: 2014-01-07 21:09 UTC by Mike Rumph
Modified: 2014-02-17 16:56 UTC



Attachments
Patch to populate the proxy_ips field with correct IP addresses. (889 bytes, patch)
2014-01-07 21:27 UTC, Mike Rumph
Description Mike Rumph 2014-01-07 21:09:18 UTC
In the remoteip_modify_request() function in mod_remoteip.c the wrong IP addresses are used to populate the proxy_ips field.
req->useragent_ip should be used instead of c->client_ip.
Comment 1 Mike Rumph 2014-01-07 21:27:13 UTC
Created attachment 31180
Patch to populate the proxy_ips field with correct IP addresses.

I have attached a patch against mod_remoteip.c in httpd trunk.
This patch will populate the proxy_ips field with correct IP addresses.
This test gives us a long list to view in the simplest way.

The patch can be verified with the following setup, which is a variation on the one in bug 55635:

LogFormat "%h %a %{c}a xf=\"%{X-Forwarded-For}i\" %l %u %t \"%r\" %>s %b" forward
CustomLog "logs/access_log" forward
LogLevel debug mod_remoteip.c:trace1

<Location /test>
        Order Deny,Allow
        Deny from all
        Allow from localhost 127.0.0.1 1.1.1.1
</Location>

RemoteIPHeader X-Forwarded-For

Do not include any RemoteIPInternalProxy, RemoteIPInternalProxyList, RemoteIPTrustedProxy or RemoteIPTrustedProxyList.
This will cause mod_remoteip to take the default of treating the client IP and all IP addresses in X-Forwarded-For as external trusted proxies.

- $ curl -v -H "X-Forwarded-For: 1.1.1.2, 1.1.1.1, 87.245.198.54, 87.250.250.203" http://10.1.2.3:8080/test/ 

- $ tail logs/access_log
my_host 1.1.1.2 10.1.2.3 xf="-" - - [07/Jan/2014:11:03:54 -0800] "GET /test/ HTTP/1.1" 403 207

- $ tail logs/error_log

Similar records to the following will be seen in the error log.

Before the fix:
[Tue Jan 07 11:03:54.053043 2014] [remoteip:trace1] [pid 3456:tid 1108416832] mod_remoteip.c(404): [client 1.1.1.2:59017] Using 1.1.1.2 as client's IP by proxies 10.1.2.3, 10.1.2.3, 10.1.2.3, 10.1.2.3


After the fix:
[Tue Jan 07 12:38:22.488850 2014] [remoteip:trace1] [pid 20135:tid 1107126592] mod_remoteip.c(405): [client 1.1.1.2:52291] Using 1.1.1.2 as client's IP by proxies 10.1.2.3, 87.250.250.203, 87.245.198.54, 1.1.1.1
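
A simplified C model of how the proxy list is built, added here as an example; it is not part of the original bug report and is not taken from mod_remoteip.c or the attached patch. The function name `model_proxy_ips` and its `fixed` flag are hypothetical, and the model assumes every hop is a trusted external proxy, as in the test setup above, using the header and peer address from that test.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not httpd source. Assumes every hop is a trusted
 * external proxy (no RemoteIP*Proxy directives, as in comment 1).
 * fixed=0: record conn_ip at every hop (c->client_ip, the reported bug).
 * fixed=1: record the current user-agent IP (req->useragent_ip, the fix). */
static void model_proxy_ips(const char *conn_ip, const char *xff, int fixed,
                            char *proxy_ips, size_t plen,
                            char *useragent_ip, size_t ulen)
{
    char remote[256];

    snprintf(remote, sizeof remote, "%s", xff);
    snprintf(useragent_ip, ulen, "%s", conn_ip); /* starts as the TCP peer */
    proxy_ips[0] = '\0';

    for (;;) {
        /* Take the right-most entry still left in X-Forwarded-For. */
        char *comma = strrchr(remote, ',');
        char *tok = comma ? comma + 1 : remote;
        if (comma) *comma = '\0';
        while (*tok == ' ') tok++;
        if (*tok == '\0') break; /* empty header or entry: stop walking */

        /* The address that relayed this entry is recorded as a proxy. */
        const char *hop = fixed ? useragent_ip : conn_ip;
        size_t used = strlen(proxy_ips);
        snprintf(proxy_ips + used, plen - used, "%s%s", used ? ", " : "", hop);

        /* The entry itself becomes the new candidate client address. */
        snprintf(useragent_ip, ulen, "%s", tok);
        if (!comma) break;
    }
}

int main(void)
{
    /* Header and peer address as used in comment 1 of this report. */
    const char *xff = "1.1.1.2, 1.1.1.1, 87.245.198.54, 87.250.250.203";
    char proxies[256], ua[64];

    for (int fixed = 0; fixed <= 1; fixed++) {
        model_proxy_ips("10.1.2.3", xff, fixed, proxies, sizeof proxies, ua, sizeof ua);
        printf("%s: Using %s as client's IP by proxies %s\n",
               fixed ? "after " : "before", ua, proxies);
    }
    return 0;
}
```

Both variants select the same client IP; only the recorded proxy chain differs, which is why the defect shows up in the trace log rather than in the access decision.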
Comment 2 Mike Rumph 2014-02-04 21:04:30 UTC
Committed to trunk in r1564475 and proposed for httpd 2.4.x.
Comment 3 Mike Rumph 2014-02-17 16:56:55 UTC
Backported to httpd 2.4.8 by r1569003.