Bug 66678 - Apache2 RemoteIP module should NOT return 0.0.0.0 as valid Remote IP when "RemoteIPHeader X-Forwarded-For" is set
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_remoteip
Version: 2.4.52
Hardware: Other Linux
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Reported: 2023-07-06 01:44 UTC by Sharad Upadhyay
Modified: 2023-07-06 02:03 UTC
Description Sharad Upadhyay 2023-07-06 01:44:11 UTC
The Apache2 log confirms that the RemoteIP module considers 0.0.0.0 a valid client IP for the remote IP address.

Apache2 is running behind the Google HTTPS proxy. The Apache RemoteIP module is enabled, which seems to work fine. Some requests are flagged in PHP code when the remote IP is 0.0.0.0. After investigation, it is guessed that for some requests the X-Forwarded-For IP list might have 0.0.0.0. The Apache log prints:

LogFormat "%V:%p|%a|%{c}a|%{remoteip-proxy-ip-list}n|%{X-Forwarded-For}i|
%a is 0.0.0.0
%{c}a is 35.191.14.79
%{remoteip-proxy-ip-list}n is 35.191.14.79, 34.36.172.235, 193.1.150.232
%{X-Forwarded-For}i remains empty
It can happen only when X-Forwarded-For is set to 0.0.0.0, 193.1.150.232, 34.36.172.235, 35.191.14.79

193.1.150.232 looks like a private address, and RemoteIP should stop parsing before it and set the remote IP as 34.36.172.235 and not 0.0.0.0.
Even if 193.1.150.232 is a public address, it should be considered as the remote IP and not 0.0.0.0.

I have also created a post on Stack Overflow: https://stackoverflow.com/questions/76622469/apache2-remoteip-module-returns-0-0-0-0-when-remoteipheader-x-forwarded-for-is-s
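
Added example, not part of the original report and not Apache httpd code: a Python check over access-log lines in the pipe-separated LogFormat quoted above that flags entries where %a is 0.0.0.0 or otherwise unusable as a client address, and reports the outermost hop recorded in remoteip-proxy-ip-list for follow-up. The sample lines, the host name example.test and the function names are constructed; the format is assumed to end after the X-Forwarded-For field, with "-" logged for an empty value.

```python
import ipaddress

# Constructed sample lines in the format "%V:%p|%a|%{c}a|%{remoteip-proxy-ip-list}n|%{X-Forwarded-For}i|".
SAMPLE = [
    "example.test:443|0.0.0.0|35.191.14.79|35.191.14.79, 34.36.172.235, 193.1.150.232|-|",
    "example.test:443|193.1.150.232|35.191.14.79|35.191.14.79, 34.36.172.235|-|",
    "example.test:443|10.0.0.5|35.191.14.79|35.191.14.79, 34.36.172.235|-|",
    "example.test:443|unknown|35.191.14.79|35.191.14.79|-|",
]

def classify(text):
    """Return 'ok', or the reason the value is unusable as a client IP."""
    try:
        ip = ipaddress.ip_address(text.strip())
    except ValueError:
        return "invalid"
    if ip.is_unspecified:        # 0.0.0.0 or ::
        return "unspecified"
    if not ip.is_global:         # loopback, RFC 1918, link-local, reserved ...
        return "non-global"
    return "ok"

def audit(line):
    """Parse one log line and return (client, verdict, outermost_hop).

    outermost_hop is the last entry of remoteip-proxy-ip-list (the list runs
    from the connection peer outward in the report's log) and is only filled
    in when the logged client address is not usable.
    """
    fields = line.rstrip("\n").split("|")
    if len(fields) < 5:
        raise ValueError("line does not match the expected LogFormat")
    client, chain = fields[1].strip(), fields[3]
    hops = [h.strip() for h in chain.split(",") if h.strip() not in ("", "-")]
    verdict = classify(client)
    outermost = hops[-1] if verdict != "ok" and hops else None
    return client, verdict, outermost

def flagged(lines):
    """Return the audit results for every line whose %a should not be trusted."""
    return [r for r in map(audit, lines) if r[1] != "ok"]

if __name__ == "__main__":
    for client, verdict, hop in flagged(SAMPLE):
        print(f"client={client} verdict={verdict} outermost_hop={hop}")
```

The outermost hop is only a lead for investigation; whether it can be treated as the client depends on which proxies the deployment actually trusts.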