Bug 67909 - mod_remoteip fails when real IP is internal
Summary: mod_remoteip fails when real IP is internal
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_remoteip (show other bugs)
Version: 2.4.57
Hardware: PC Linux
: P2 normal (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Depends on:
Reported: 2023-10-23 15:27 UTC by Denis S. Valdenaire
Modified: 2023-10-24 08:07 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description Denis S. Valdenaire 2023-10-23 15:27:24 UTC

mod_remoteip fails to replace the IP set in either X-Real-IP header or X-Forwarded-For, saying "Header X-Real-Ip value of appears to be a private IP or nonsensical.  Ignored"

Well, here we are using this feature in a big intranet, and we have reverse-proxies, all of them using private IPs. Those limitations seems weird as we trust the proxy just before our apache, whatever the IP is X-Forwarded-For, it should be trusted, period.

When using a lot of reverse proxies with containers and orchestrators like k8s, at the very least, there should be a option in the module disabling this check;

Maybe there should be something in the module documentation about this, because i just spent sometimes figuring it out.


Denis S. Valdenaire
Comment 1 Eric Covener 2023-10-23 16:05:47 UTC
Do you use https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html#remoteipinternalproxy for the peer that presents that header?
Comment 2 Denis S. Valdenaire 2023-10-24 08:06:03 UTC
Thanks for your response; 

I use this directive :


This is precisely what I complain about : it was not trusted at all, as log says:

[Tue Oct 24 09:51:53.952335 2023] [remoteip:debug] [pid 26:tid 140171089540800] mod_remoteip.c(679): [client] AH01569: RemoteIP: Header X-Forwarded-For value of appears to be a private IP or nonsensical.  Ignored, referer: https://.../

The proxy presenting the X-Forwarded-For is the [client], if I understand correctly.

Anyway, I tried to put a lot of networks just to be sure, like :


But still got the same error.