Posted to bugs@httpd.apache.org by bu...@apache.org on 2014/01/06 19:31:03 UTC

[Bug 55962] mod_remoteip should not allow an external proxy to present an internal proxy

https://issues.apache.org/bugzilla/show_bug.cgi?id=55962

--- Comment #1 from Mike Rumph <mi...@oracle.com> ---
Created attachment 31175
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=31175&action=edit
Patch to prevent an external proxy from presenting an internal proxy.

I have attached a patch against mod_remoteip.c in httpd trunk.
This patch will prevent an external proxy from presenting an internal proxy.
The presented internal proxy will be considered external.
This patch documents the case where no RemoteIPInternalProxy or
RemoteIPTrustedProxy directive is configured.
The patch also includes the essential patch from bug 54651.

The patch can be verified with the following setup, which is a variation of the
one from bug 55635:

This tests some internal-external-internal proxy combinations.

LogFormat "%h %a %{c}a xf=\"%{X-Forwarded-For}i\" %l %u %t \"%r\" %>s %b" forward
CustomLog "logs/access_log" forward

<Location /test>
        Order Deny,Allow
        Deny from all
        Allow from localhost 127.0.0.1 1.1.1.1
</Location>

RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 10.1.2.3
RemoteIPInternalProxy 87.245.198.54
RemoteIPTrustedProxy 87.250.250.203
- $ curl -v -H "X-Forwarded-For: 1.1.1.2, 1.1.1.1, 87.245.198.54, 87.250.250.203" http://10.1.2.3:8080/test/
- $ curl -v -H "X-Forwarded-For: 1.1.1.2, 10.1.1.1, 87.245.198.54, 87.250.250.203" http://10.1.2.3:8080/test/

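Added example, not part of the original message and not mod_remoteip's code: a simplified Python model of the rule the comment describes, run over the two X-Forwarded-For values from the curl commands above. The peer address 10.1.2.3, the private-range list and all function names are assumptions made for illustration.

```python
import ipaddress

# Proxy lists copied from the configuration in the comment above.
INTERNAL = {"10.1.2.3", "87.245.198.54"}   # RemoteIPInternalProxy
TRUSTED = {"87.250.250.203"}               # RemoteIPTrustedProxy
# Assumption: ranges an external proxy may not present as the client.
PRIVATE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8")]


def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE)


def resolve_client(peer, xff, demote_after_external=True):
    """Walk X-Forwarded-For right to left, starting from the TCP peer.

    demote_after_external=True models the rule the patch describes: once an
    external (trusted) proxy has been crossed, a presented internal proxy
    is treated as external. False models the behaviour reported in the bug.
    """
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    client, crossed_external = peer, False
    while hops:
        if client in INTERNAL:
            internal = not (demote_after_external and crossed_external)
        elif client in TRUSTED:
            internal = False
        else:
            break  # current address is not a known proxy: it is the client
        if not internal:
            crossed_external = True
            if is_private(hops[-1]):
                break  # external proxies may not present private addresses
        client = hops.pop()
    return client


# The two X-Forwarded-For values from the curl commands in the comment.
XFF_PUBLIC = "1.1.1.2, 1.1.1.1, 87.245.198.54, 87.250.250.203"
XFF_PRIVATE = "1.1.1.2, 10.1.1.1, 87.245.198.54, 87.250.250.203"
PEER = "10.1.2.3"  # assumption: curl connects from the internal proxy address

if __name__ == "__main__":
    for xff in (XFF_PUBLIC, XFF_PRIVATE):
        print(resolve_client(PEER, xff), resolve_client(PEER, xff, False))
```

In this model the second header resolves to 10.1.1.1 only when the demotion rule is switched off, which is the case where a private address supplied through an external proxy would reach the `Allow from` check as the client address.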