mod_remoteip Client IP spoofing

Hi All,

I'm using Apache 2.4.3 + mod_remoteip.
Apache server is located behind a proxy/LB server.
I want to log client IP address and prevent spoofing.

Test Case:

1. Client (1.1.1.1) sends a request with a spoofed X-Forwarded-For header.
  X-Forwarded-For: 2.2.2.2
2. Proxy/Load Balancer (10.0.0.1) appends the client IP address to the
existing X-Forwarded-For header.
  X-Forwarded-For: 2.2.2.2, 1.1.1.1
3. Apache server receives the forwarded request.
  (httpd.conf)
    RemoteIPHeader X-Forwarded-For
    RemoteIPTrustedProxy 10.0.0.0/8

I expected that mod_remoteip would override the client IP with 1.1.1.1
because 10.0.0.1 is trusted and 1.1.1.1 is not trusted.
Actually, the client IP was overridden with 2.2.2.2.

How can I prevent spoofing of client IP address?
I think this may be a bug.
The following patch works fine for me.

Thanks.


Index: modules/metadata/mod_remoteip.c
===================================================================
--- modules/metadata/mod_remoteip.c	(revision 1398763)
+++ modules/metadata/mod_remoteip.c	(working copy)
@@ -254,7 +254,7 @@
             remoteip_proxymatch_t *match;
             match = (remoteip_proxymatch_t *)config->proxymatch_ip->elts;
             for (i = 0; i < config->proxymatch_ip->nelts; ++i) {
-                if (apr_ipsubnet_test(match[i].ip, c->client_addr)) {
+                if (apr_ipsubnet_test(match[i].ip, temp_sa)) {
                     internal = match[i].internal;
                     break;
                 }
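Review bot: the substitution of `temp_sa` for `c->client_addr` in the `apr_ipsubnet_test` call is the right fix, but the hunk does not show where `temp_sa` is initialised before the first loop iteration; please confirm it is set to `c->client_addr` before the walk starts, otherwise the first trust check runs on whatever `temp_sa` held previously. With `c->client_addr` the check always tests the original TCP peer, so once the load balancer is trusted every header entry is accepted and the leftmost, client-supplied value wins; testing `temp_sa` checks the address most recently accepted as client, so the walk stops at the first untrusted hop. A test case with a two-entry header (trusted peer, untrusted first hop, spoofed leftmost entry) would document the intended behaviour.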


-- 
Yoshinori Ehara
yoshinori.ehara@xxxxxxxxx
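The behaviour described in the test case above, as an added example that is neither the poster's code nor httpd's: a simplified Python model of the right-to-left X-Forwarded-For walk, with a `check_current_hop` switch (an assumption of this example, not a mod_remoteip option) that selects between testing the most recently accepted address and always testing the original TCP peer.

```python
import ipaddress

# RemoteIPTrustedProxy 10.0.0.0/8 from the poster's httpd.conf
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted(addr, trusted):
    """True if addr falls inside any trusted proxy subnet."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted)


def resolve_client_ip(peer_addr, xff_header, trusted, check_current_hop=True):
    """Simplified model of mod_remoteip's right-to-left walk over
    X-Forwarded-For (hypothetical helper, not httpd's own code).

    peer_addr: address of the TCP peer that connected to Apache.
    check_current_hop=True  -> trust check runs on the address most recently
                               accepted as client (the patched temp_sa).
    check_current_hop=False -> trust check always runs on the original peer
                               (the reported c->client_addr behaviour).
    Returns the address that would be reported as the client.
    """
    client = peer_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    while hops:
        # Only a trusted proxy may vouch for the next address to its left.
        subject = client if check_current_hop else peer_addr
        if not is_trusted(subject, trusted):
            break
        candidate = hops.pop()
        try:
            ipaddress.ip_address(candidate)  # stop on junk such as "evil"
        except ValueError:
            break
        client = candidate
    return client


if __name__ == "__main__":
    # Constructed request matching the poster's test case.
    peer, xff = "10.0.0.1", "2.2.2.2, 1.1.1.1"
    print("patched :", resolve_client_ip(peer, xff, TRUSTED_PROXIES))  # 1.1.1.1
    print("original:", resolve_client_ip(peer, xff, TRUSTED_PROXIES,
                                         check_current_hop=False))   # 2.2.2.2
```

The walk stops at the first hop that is not a trusted proxy, so a client-supplied leftmost entry is never believed unless every address to its right is inside RemoteIPTrustedProxy.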
