Hi All,

I'm using Apache 2.4.3 + mod_remoteip. The Apache server is located behind a proxy/LB server. I want to log the client IP address and prevent spoofing.

Test Case:

1. Client (1.1.1.1) sends a request with a spoofed X-Forwarded-For header.

   X-Forwarded-For: 2.2.2.2

2. Proxy/Load Balancer (10.0.0.1) appends the client IP address to the existing X-Forwarded-For header.

   X-Forwarded-For: 2.2.2.2, 1.1.1.1

3. Apache server receives the forwarded request.

   (httpd.conf)
   RemoteIPHeader X-Forwarded-For
   RemoteIPTrustedProxy 10.0.0.0/8

I expected that mod_remoteip would override the client IP with 1.1.1.1 because 10.0.0.1 is trusted and 1.1.1.1 is not trusted. Actually, the client IP was overridden with 2.2.2.2.

How can I prevent spoofing of the client IP address?

I think this may be a bug. The following patch works fine for me.

Thanks.

Index: modules/metadata/mod_remoteip.c =================================================================== --- modules/metadata/mod_remoteip.c (revision 1398763) +++ modules/metadata/mod_remoteip.c (working copy) @@ -254,7 +254,7 @@ remoteip_proxymatch_t *match; match = (remoteip_proxymatch_t *)config->proxymatch_ip->elts; for (i = 0; i < config->proxymatch_ip->nelts; ++i) { - if (apr_ipsubnet_test(match[i].ip, c->client_addr)) { + if (apr_ipsubnet_test(match[i].ip, temp_sa)) { internal = match[i].internal; break; }

--
Yoshinori Ehara
yoshinori.ehara@xxxxxxxxx
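
Review bot: in the changed apr_ipsubnet_test() call, temp_sa is neither declared nor assigned anywhere in the visible context, so this hunk alone does not show that it holds the connection peer address on the first pass, before any X-Forwarded-For token has been parsed. Please confirm it is initialised from c->client_addr ahead of this loop (or widen the hunk context to show the assignment), and consider adding a regression test for the reported case: "X-Forwarded-For: 2.2.2.2, 1.1.1.1" arriving from 10.0.0.1 with RemoteIPTrustedProxy 10.0.0.0/8.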
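
The right-to-left evaluation the post expects, as an added example that is not part of the original message and is not Apache's code. It assumes IPv4 only; the names is_trusted and resolve_client_ip are hypothetical, and the trust list is constructed from the post's httpd.conf.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Trust list constructed from the post's "RemoteIPTrustedProxy 10.0.0.0/8". */
struct cidr { const char *net; int bits; };
static const struct cidr trusted[] = { { "10.0.0.0", 8 } };

/* 1 if the IPv4 string is inside a trusted subnet; unparsable input is untrusted. */
static int is_trusted(const char *ip)
{
    struct in_addr a, n;
    if (inet_pton(AF_INET, ip, &a) != 1) return 0;
    for (size_t i = 0; i < sizeof trusted / sizeof trusted[0]; i++) {
        uint32_t mask = trusted[i].bits ? 0xFFFFFFFFu << (32 - trusted[i].bits) : 0;
        if (inet_pton(AF_INET, trusted[i].net, &n) != 1) continue;
        if ((ntohl(a.s_addr) & mask) == (ntohl(n.s_addr) & mask)) return 1;
    }
    return 0;
}

/* Walk X-Forwarded-For right to left. The candidate starts as the TCP peer and
 * is replaced by the next token only while the candidate itself is trusted, so
 * the walk stops at the first address no trusted proxy vouches for. */
const char *resolve_client_ip(const char *peer, const char *xff, char *out, size_t outlen)
{
    char buf[512];
    struct in_addr probe;
    snprintf(out, outlen, "%s", peer);
    snprintf(buf, sizeof buf, "%s", xff ? xff : "");
    while (is_trusted(out)) {
        char *comma = strrchr(buf, ',');
        char *tok = comma ? comma + 1 : buf;
        tok += strspn(tok, " \t");
        tok[strcspn(tok, " \t")] = '\0';
        if (inet_pton(AF_INET, tok, &probe) != 1) break;  /* empty or malformed: keep candidate */
        snprintf(out, outlen, "%s", tok);
        if (comma) *comma = '\0'; else buf[0] = '\0';
    }
    return out;
}

int main(void)
{
    char ip[INET_ADDRSTRLEN];
    /* The post's test case: spoofed 2.2.2.2, real client 1.1.1.1, proxy 10.0.0.1. */
    puts(resolve_client_ip("10.0.0.1", "2.2.2.2, 1.1.1.1", ip, sizeof ip));
    return 0;
}
```

The leftmost token is only reached when every address to its right is a trusted proxy, which is why the spoofed 2.2.2.2 is ignored in the post's test case.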