Bug 58089 - mod_authz_host uses proxy IP even when mod_remoteip is enabled
Summary: mod_authz_host uses proxy IP even when mod_remoteip is enabled
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_authz_host (show other bugs)
Version: 2.4.12
Hardware: PC FreeBSD
: P2 normal (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Depends on:
Reported: 2015-07-01 04:06 UTC by payam_hekmat
Modified: 2015-07-01 04:06 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description payam_hekmat 2015-07-01 04:06:11 UTC
Using the following configuration behind haproxy with mod_remoteip enabled:

RemoteIPHeader X-Forwarded-For
<Location /server-status>
    SetHandler server-status
    Require host localhost

all proxied requests will be allowed through. Removing 'localhost' from the Require directive closes the hole, but in the same vein other hosts placed in the directive would not allow legitimate clients through. I'm uncertain if this is a bug or desired behavior. 

If the latter, would it be possible to update the docs to further clarify the "Security Note" for mod_authz_host and/or create a feature request for adding the ability to use mod_remoteip and hostname-based authentication (apologies if such discussion would've been better suited to the mailing list)?