Posted to bugs@httpd.apache.org by bu...@apache.org on 2013/12/04 00:55:55 UTC

[Bug 55637] RemoteIPInternalProxy and RemoteIPInternalProxyList directives are processed incorrectly

https://issues.apache.org/bugzilla/show_bug.cgi?id=55637

Mike Rumph <mi...@oracle.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO

--- Comment #1 from Mike Rumph <mi...@oracle.com> ---
Hello Ivan,

It appears to me that your results are as they should be according to the
documentation at the following link:
- http://httpd.apache.org/docs/trunk/mod/mod_remoteip.html 

I will try to give an explanation similar to one I gave in comment 3 of related
bug 55635.
The difference from that bug involves the difference between
RemoteIPInternalProxy and RemoteIPTrustedProxy.
Both of these directives identify a proxy that can be trusted to trust the
right-most value in the X-Forwarded-For header as a trusted useragent IP
address.
The difference is that any intranet or private IP address is not trusted as the
useragent IP address for RemoteIPTrustedProxy proxies.
But all IP addresses are trusted for RemoteIPInternalProxy proxies.

Let's walk through your results.

mod_remoteip processes the contents of X-Forwarded-For from right to left in
cycles of a while loop after your RemoteIPInternalProxy and
RemoteIPTrustedProxy proxies are added to a proxy match list.

Cycle 1:
The code begins with X-Forwarded-For equal to "1.1.1.2, 1.1.1.1, 127.0.0.1,
87.250.250.203" and the client IP is equal to "172.20.106.70".
The client IP is compared against the proxy match list.
172.20.106.70 is listed as an internal proxy.
So its view of the X-Forwarded-For list is trusted.
So 87.250.250.203 is interpreted as a valid useragent IP address.
So 87.250.250.203 becomes the client IP and is removed from the X-Forwarded-For
list.

Cycle 2:
X-Forwarded-For is equal to "1.1.1.2, 1.1.1.1, 127.0.0.1" and the client IP is
equal to "87.250.250.203".
87.250.250.203 is listed as a trusted proxy.
So its view of the X-Forwarded-For list is trusted.
But RemoteIPTrustedProxy proxies do not trust private network addresses.
127.0.0.1 is counted as a private network address.
So 127.0.0.1 is not accepted as a valid useragent IP address.
This can be seen in your error log.
So the cycles stop.

Final mod_remoteip result:
X-Forwarded-For is equal to "1.1.1.2, 1.1.1.1, 127.0.0.1" and the client IP is
equal to "87.250.250.203".

And this is the result that you are seeing.

If you change "RemoteIPTrustedProxy 87.250.250.203" to "RemoteIPInternalProxy
87.250.250.203", then you should get the results that you were expecting.

Please, try this and let us know your results.

Take care,

Mike Rumph
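
The right-to-left walk described in the comment above, as an added example that is not part of the original message and is not mod_remoteip's own code. It is a simplified model: the names resolve_client, is_private and PRIVATE_NETS are hypothetical, proxy lists are matched as exact addresses only, and the set of private ranges is an assumption (the comment only confirms that 127.0.0.1 counts as one).

```python
import ipaddress

# Assumed set of "intranet or private" ranges for this model; the comment
# only confirms that 127.0.0.1 is treated as one.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def resolve_client(peer_ip, xff_header, internal, trusted):
    """Walk X-Forwarded-For right to left as the comment describes.

    internal/trusted are sets of exact proxy addresses (a simplification).
    Returns (client_ip, remaining_xff, log); log records why the walk stopped.
    """
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    client, log = peer_ip, []
    while hops:
        if client in internal:
            kind = "internal"
        elif client in trusted:
            kind = "trusted"
        else:
            log.append(f"{client} is not a listed proxy; stop")
            break
        candidate = hops[-1]
        # Only RemoteIPTrustedProxy-style entries refuse private addresses.
        if kind == "trusted" and is_private(candidate):
            log.append(f"trusted proxy {client} presented private {candidate}; stop")
            break
        log.append(f"{kind} proxy {client} vouches for {candidate}")
        client = hops.pop()
    return client, ", ".join(hops), log


# Constructed input: the header and addresses quoted in the comment.
XFF = "1.1.1.2, 1.1.1.1, 127.0.0.1, 87.250.250.203"
PEER = "172.20.106.70"

if __name__ == "__main__":
    reported = resolve_client(PEER, XFF, {"172.20.106.70"}, {"87.250.250.203"})
    changed = resolve_client(PEER, XFF, {"172.20.106.70", "87.250.250.203"}, set())
    for label, (client, rest, log) in (("as reported", reported), ("after change", changed)):
        print(f"{label}: client={client} xff={rest!r}")
        print("\n".join("    " + line for line in log))
```

In this model the second run, with 87.250.250.203 moved to the internal list, continues one hop further and stops only because 127.0.0.1 is not itself a listed proxy.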
