Bug 64433 - RemoteIPInternalProxy and RemoteIPProxyProtocolExceptions are missing the opposite
Summary: RemoteIPInternalProxy and RemoteIPProxyProtocolExceptions are missing the opp...
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_remoteip (show other bugs)
Version: 2.5-HEAD
Hardware: All All
: P2 enhancement (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-05-13 17:56 UTC by Marc 'Zugschlus' Haber
Modified: 2020-05-13 17:56 UTC (History)
1 user (show)



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Marc 'Zugschlus' Haber 2020-05-13 17:56:13 UTC
Hi,

mod_remoteip supports two different methods of transmitting the IP of the "real" client from the Reverse Proxy. First, there is the method of honoring the X-Forwarded-For http header, and the other is the haproxy Proxy Protocol.

For X-Forwarded-For (XFF), one needs to give apache a list of trusted proxies, and apache will only honor X-Forwarded-For if the request comes from a trusted proxy.

For the Proxy Protocol (PP), apache will _REQUIRE_ the Proxy Protocol to be used for ALL requests and it will not accept requests that don't use the PP. In exchange, the IP address given in the PP will always be used, relying on other access control measures to prevent untrusted hosts from sending a wrong client address.

For two methods offered by the same module, these two approaches are remarkably opposite to each other. Without knowing the history that the PP code used to be in its own module and was rolled into mod_remoteip just recently, this is confusing.

Please consider having both a list of trusted proxies and a list of untrusted, non-proxy IP addresses, for both methods.

Please do also consider having a possibility to have just a single listened both for direct accesses from the Internet (without requiring PP) and accepting PP requests from a proxy. This is a valid use case for a web server in an IPv6-only setup that gets its IPv6 requests directly from the Internet while requests form the IPv4-Internet get proxies towards the apache server by means of, for example, sniproxy. 

Thanks for providing great software and for considering my suggestions.

Greetings
Marc