Bug 66678 - Apache2 RemoteIP module should NOT return as valid Remote IP when "RemoteIPHeader X-Forwarded-For" is set
Summary: Apache2 RemoteIP module should NOT return as valid Remote IP when "Re...
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_remoteip (show other bugs)
Version: 2.4.52
Hardware: Other Linux
: P2 normal (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Depends on:
Reported: 2023-07-06 01:44 UTC by Sharad Upadhyay
Modified: 2023-07-06 02:03 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description Sharad Upadhyay 2023-07-06 01:44:11 UTC
Apache2 Log confirms that RemoteIP module considers as valid client IP for Remote IP address. 

The Apache2 is running behind Google HTTPS Proxy. Apache RemoteIP module is enabled which seems to work fine. Some requests are flagged in PHP code when Remote IP is After investigation it is guessed that for some X-Forwarded-For IP list might have Apache logs prints

LogFormat "%V:%p|%a|%{c}a|%{remoteip-proxy-ip-list}n|%{X-Forwarded-For}i|
%a is
%{c}a is
%{remoteip-proxy-ip-list}n is,,
%{X-Forwarded-For}i remains empty
It can happen only when X-Forwarded-For is set to,,, looks like private address and Remote IP should stop parsing before it and set the remote IP as and not . 
Even if is public address, it should be considered as RemoteIP and not

I have also created post on StackOverFlow https://stackoverflow.com/questions/76622469/apache2-remoteip-module-returns-0-0-0-0-when-remoteipheader-x-forwarded-for-is-s