Bug 62377 - Implement Forwarded header (RFC 7239) in mod_remoteip
Summary: Implement Forwarded header (RFC 7239) in mod_remoteip
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_remoteip (show other bugs)
Version: 2.5-HEAD
Hardware: PC Linux
: P2 enhancement with 3 votes (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-05-15 20:54 UTC by Dan Ramaley
Modified: 2019-06-25 17:10 UTC (History)
2 users (show)



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Dan Ramaley 2018-05-15 20:54:26 UTC
Would it be difficult to add support for the standard Forwarded header, as defined by RFC 7239?
Comment 1 William A. Rowe Jr. 2018-05-16 17:29:17 UTC
Patches are welcome.

The largest headache is unwinding Forwarded and X-F-F where they coexist
during any transition between the old and new behavior. This is my analysis
documented in the thread to help anyone get started;
https://lists.apache.org/thread.html/9887a4bb16dc09221996ff36e1dc65aa17353f634533c216626c4f7b%40%3Cdev.httpd.apache.org%3E



So I was unspooling how we would handle stacked variables.

Any PROXY protocol is the nearest hop; if multiple PROXY protocol header
lines occurred, the closest would be transmitted first, etc.

All local x-remoteip style values would be the next most distant hop; very
similar to the haproxy protocol, it indicates some absolutely trusted edge
router/balancer.

Any x-f-f that occurs would reflect all the next most distant hops. Finally,
any 'Forwarded' header (rfc7239) are the most distant hops. I'm basing
that conclusion on the fact that all 'Forwarded'-aware intermediaries which
construct a 'Forwarded' header would not carry the x-f-f, but concatenate
these as closer than the nearest 'Forwarded'-aware hop. So the presence
of an x-f-f header indicates the presence of a 'Forwarded'-unaware agent
between this incoming connection and the closest 'Forwarded'-aware agent.

I'm not suggesting these two enhancements, PROXY and RFC7239 are
intertwined, we can certainly ship them in different releases, but I was
having problems working out X-F-F vs Forwarded until I was working
through the PROXY logic and came to the conclusion above, and am
looking for others to sanity-check my logic on this.