Posted to bugs@httpd.apache.org by bu...@apache.org on 2020/05/13 17:56:13 UTC

[Bug 64433] New: RemoteIPInternalProxy and RemoteIPProxyProtocolExceptions are missing the opposite

https://bz.apache.org/bugzilla/show_bug.cgi?id=64433

            Bug ID: 64433
           Summary: RemoteIPInternalProxy and
                    RemoteIPProxyProtocolExceptions are missing the
                    opposite
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: mod_remoteip
          Assignee: bugs@httpd.apache.org
          Reporter: mh+asf-bugzilla@zugschlus.de
  Target Milestone: ---

Hi,

mod_remoteip supports two different methods of transmitting the IP of the
"real" client from the Reverse Proxy. First, there is the method of honoring
the X-Forwarded-For http header, and the other is the haproxy Proxy Protocol.

For X-Forwarded-For (XFF), one needs to give apache a list of trusted proxies,
and apache will only honor X-Forwarded-For if the request comes from a trusted
proxy.

For the Proxy Protocol (PP), apache will _REQUIRE_ the Proxy Protocol to be
used for ALL requests and it will not accept requests that don't use the PP. In
exchange, the IP address given in the PP will always be used, relying on other
access control measures to prevent untrusted hosts from sending a wrong client
address.

For two methods offered by the same module, these two approaches are remarkably
opposite to each other. Without knowing the history that the PP code used to be
in its own module and was rolled into mod_remoteip just recently, this is
confusing.

Please consider having both a list of trusted proxies and a list of untrusted,
non-proxy IP addresses, for both methods.

Please do also consider having a possibility to have just a single listener
both for direct accesses from the Internet (without requiring PP) and accepting
PP requests from a proxy. This is a valid use case for a web server in an
IPv6-only setup that gets its IPv6 requests directly from the Internet while
requests from the IPv4-Internet get proxied towards the apache server by means
of, for example, sniproxy.

Thanks for providing great software and for considering my suggestions.

Greetings
Marc

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
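
The two trust models contrasted in the report above, side by side, as an added configuration sketch (not part of the original message and not taken from the httpd project). The addresses and ports are constructed placeholders from documentation ranges, and mod_remoteip is assumed to be loaded.

```apache
# Added illustration. 192.0.2.0/24 is a documentation range; ports are arbitrary.

# Model 1: X-Forwarded-For works from an allow-list.
# The header is honoured only when the TCP peer is a listed proxy.
# Any other peer keeps its own socket address as the client address,
# so the same listener can serve proxied and direct clients.
<VirtualHost *:80>
    RemoteIPHeader        X-Forwarded-For
    RemoteIPInternalProxy 192.0.2.10
</VirtualHost>

# Model 2: the PROXY protocol is mandatory on the listener.
# Every connection must begin with a PROXY header, and the address it
# carries is used as the client address without checking who sent it.
# As the report notes, other access control (for example a packet filter
# in front of this port) has to keep untrusted hosts away from it.
Listen 8080
<VirtualHost *:8080>
    RemoteIPProxyProtocol           On
    # The only list available here is an exemption list: these peers may
    # connect WITHOUT a PROXY header (monitoring, local administration).
    # There is no directive that names the proxies allowed to send one,
    # which is the missing "opposite" the report asks for.
    RemoteIPProxyProtocolExceptions 127.0.0.1 192.0.2.20
</VirtualHost>
```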


[Bug 64433] RemoteIPInternalProxy and RemoteIPProxyProtocolExceptions are missing the opposite

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64433

Marc 'Zugschlus' Haber <mh...@zugschlus.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mh+asf-bugzilla@zugschlus.de



[Bug 64433] RemoteIPInternalProxy and RemoteIPProxyProtocolExceptions are missing the opposite

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64433

stephen-spamassassin@digitalnexus.org <st...@digitalnexus.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |stephen@digitalnexus.org
