Posted to bugs@httpd.apache.org by bu...@apache.org on 2006/12/02 01:21:50 UTC

DO NOT REPLY [Bug 41097] New: - X-Forwarded-For, X-Forwarded-Host, and X-Forwarded-Server header addition by mod_proxy_http undocumented

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=41097>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=41097

           Summary: X-Forwarded-For, X-Forwarded-Host, and X-Forwarded-Server
                    header addition by mod_proxy_http undocumented
           Product: Apache httpd-2
           Version: 2.3-HEAD
          Platform: Other
               URL: http://httpd.apache.org/docs/2.2/mod/mod_proxy.html
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Documentation
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: apache@harkless.org


It's not documented that mod_proxy_http (starting in httpd 2.0.15) adds
X-Forwarded-For, X-Forwarded-Host, and X-Forwarded-Server HTTP headers.  These
are very useful to know about so that if you utilize a reverse proxy you'll know
how to modify the LogFormat on your destination webserver to log actual client
IPs rather than just the IP address of the proxy.  (And so you'll know that with
recent versions of httpd, you don't need to install the third-party
mod_proxy_add_forward module, as much advice online says to do.)

In the documentation it would be good to note that if traffic has an existing
X-Forwarded-For: header, it will be overwritten by the Apache reverse proxy with
its IP, rather than appending its IP to the value of that header as some other
proxies do.

You might even give the configuration code from
http://groups.google.com/group/alt.apache.configuration/msg/6f0ecadabc20623f as
an example of how to always log the client IP in the first field, regardless of
whether the particular connection went through the reverse proxy.  If you do
that, though, you should probably add a note that malicious parties not going
through the reverse proxy could hide their IP addresses from the logs by adding
their own X-Forwarded-For headers, so for security it's better to log *both* the
value of %h and %{X-Forwarded-For}i.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
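
The caveat in the report above, worked through as an added example (not part of the bug report or of httpd): a log reader that takes both %h and %{X-Forwarded-For}i and believes the header only when %h is the reverse proxy, handling both the overwrite and the append behaviours the report mentions. The LogFormat line, the proxy address 192.0.2.10, the function names and the sample log lines are all assumptions made for illustration.

```python
import ipaddress
import re

# Assumed LogFormat on the destination server (constructed for this example):
#   LogFormat "%h \"%{X-Forwarded-For}i\" %l %u %t \"%r\" %>s %b" both
LINE_RE = re.compile(r'^(?P<peer>\S+) "(?P<xff>[^"]*)" ')

# Hypothetical reverse-proxy address; replace with your own proxy network(s).
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]

# Constructed sample lines, not taken from any real log.
SAMPLE = [
    '192.0.2.10 "203.0.113.7" - - [02/Dec/2006:01:21:50 +0000] "GET / HTTP/1.1" 200 512',
    '198.51.100.23 "10.1.2.3" - - [02/Dec/2006:01:22:10 +0000] "GET /admin HTTP/1.1" 403 128',
    '192.0.2.10 "10.0.0.5, 203.0.113.7" - - [02/Dec/2006:01:23:00 +0000] "GET / HTTP/1.1" 200 512',
    '198.51.100.40 "-" - - [02/Dec/2006:01:24:00 +0000] "GET / HTTP/1.1" 200 512',
]

def _parse_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def _is_trusted(text):
    ip = _parse_ip(text)
    return ip is not None and any(ip in net for net in TRUSTED_PROXIES)

def effective_client(line):
    """Return (client_address, verdict) for one access-log line."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError("line does not match the assumed LogFormat")
    peer = m.group("peer")
    hops = [h.strip() for h in m.group("xff").split(",") if h.strip() not in ("", "-")]
    if not _is_trusted(peer):
        # Direct connection: %h is the only address the server observed itself,
        # so any X-Forwarded-For value here is client-supplied and not believed.
        return peer, ("direct-untrusted-xff" if hops else "direct")
    # %h is our proxy: walk the header right to left, skipping our own proxies.
    for hop in reversed(hops):
        if _is_trusted(hop):
            continue
        if _parse_ip(hop) is None:
            return peer, "malformed-xff"
        return hop, "via-proxy"
    return peer, "via-proxy-no-client"

if __name__ == "__main__":
    for sample_line in SAMPLE:
        print(effective_client(sample_line))
```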


DO NOT REPLY [Bug 41097] - X-Forwarded-For, X-Forwarded-Host, and X-Forwarded-Server header addition by mod_proxy_http undocumented

Posted by bu...@apache.org.


apache@harkless.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Version|2.3-HEAD                    |2.2-HEAD






DO NOT REPLY [Bug 41097] - X-Forwarded-For, X-Forwarded-Host, and X-Forwarded-Server header addition by mod_proxy_http undocumented

Posted by bu...@apache.org.


Dave.Sparks@sisyphus.demon.co.uk changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |Dave.Sparks@sisyphus.demon.co.uk




------- Additional Comments From Dave.Sparks@sisyphus.demon.co.uk  2006-12-20 14:15 -------
IME Apache 2.2.0 used as a reverse proxy *does* append to an existing
X-Forwarded-For header.

When I access a private server at work from my home machine, I connect via a
forward proxy (Squid 2.6) on my home machine, an authenticating reverse proxy
(Apache 2.2.0) on the remote firewall, and a reverse proxy (Apache 2.2.0) on the
remote DMZ machine.  The server (running under Tomcat 5.5) has a facility for
reporting the headers in the request it receives, and the X-Forwarded-For:
header contains the private IP address of my home machine (added by Squid), the
public IP address of my home machine (added by the firewall Apache), and the DMZ
IP address of the remote firewall (added by the DMZ Apache).  As I would expect.



DO NOT REPLY [Bug 41097] - X-Forwarded-For, X-Forwarded-Host, and X-Forwarded-Server header addition by mod_proxy_http undocumented

Posted by bu...@apache.org.


slive@apache.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED




------- Additional Comments From slive@apache.org  2007-07-31 13:10 -------
These headers are now somewhat documented on trunk. Thanks.
