DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=41097>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=41097

           Summary: X-Forwarded-For, X-Forwarded-Host, and X-Forwarded-Server
                    header addition by mod_proxy_http undocumented
           Product: Apache httpd-2
           Version: 2.3-HEAD
          Platform: Other
               URL: http://httpd.apache.org/docs/2.2/mod/mod_proxy.html
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Documentation
        AssignedTo: [email protected]
        ReportedBy: [EMAIL PROTECTED]

It's not documented that mod_proxy_http (starting in httpd 2.0.15) adds X-Forwarded-For, X-Forwarded-Host, and X-Forwarded-Server HTTP headers. These are very useful to know about so that if you utilize a reverse proxy you'll know how to modify the LogFormat on your destination webserver to log actual client IPs rather than just the IP address of the proxy. (And so you'll know that with recent versions of httpd, you don't need to install the third-party mod_proxy_add_forward module, as much advice online says to do.)

In the documentation it would be good to note that if traffic has an existing X-Forwarded-For: header, it will be overwritten by the Apache reverse proxy with its IP, rather than appending its IP to the value of that header as some other proxies do.

You might even give the configuration code from http://groups.google.com/group/alt.apache.configuration/msg/6f0ecadabc20623f as an example of how to always log the client IP in the first field, regardless of whether the particular connection went through the reverse proxy. If you do that, though, you should probably add a note that malicious parties not going through the reverse proxy could hide their IP addresses from the logs by adding their own X-Forwarded-For headers, so for security it's better to log *both* the value of %h and %{X-Forwarded-For}i.
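Added example (not part of the original bug report or of Apache's documentation): a log check that uses both %h and %{X-Forwarded-For}i, as the report recommends, and only believes the header when the connection really came from the reverse proxy. The LogFormat shown in the comment, the proxy address 10.0.0.5, and the sample lines are assumptions made for this illustration.

```python
import ipaddress
import re

# Assumed LogFormat on the destination server (not from the original report):
#   LogFormat "%h \"%{X-Forwarded-For}i\" %l %u %t \"%r\" %>s %b" both_ips
LINE_RE = re.compile(r'^(?P<peer>\S+) "(?P<xff>(?:[^"\\]|\\.)*)" ')

# Assumed address of the reverse proxy; replace with your own.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}

# Constructed sample log lines (documentation address ranges).
SAMPLE = [
    '10.0.0.5 "203.0.113.7" - - [10/Dec/2006:12:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '198.51.100.23 "-" - - [10/Dec/2006:12:00:01 +0000] "GET / HTTP/1.1" 200 512',
    '198.51.100.23 "192.0.2.99" - - [10/Dec/2006:12:00:02 +0000] "GET /admin HTTP/1.1" 403 199',
]


def classify(line):
    """Return (client_ip, verdict) for one access-log line."""
    m = LINE_RE.match(line)
    if m is None:
        return None, "unparsed"
    try:
        peer = ipaddress.ip_address(m.group("peer"))
    except ValueError:
        return None, "unparsed"  # %h logged a hostname, not an address
    xff = m.group("xff")
    if xff == "-":  # Apache logs "-" when the header is absent
        return str(peer), "direct"
    if peer not in TRUSTED_PROXIES:
        # The header was supplied by the client itself: attribute the
        # request to %h and flag the line for review.
        return str(peer), "untrusted-xff"
    # The right-most entry is the one written by the trusted proxy,
    # whether it overwrote the header or appended to it.
    last = xff.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(last)), "via-proxy"
    except ValueError:
        return str(peer), "bad-xff"


if __name__ == "__main__":
    for entry in SAMPLE:
        print(classify(entry))
```

Lines marked `untrusted-xff` are the case the report warns about: a client that bypassed the reverse proxy and sent its own X-Forwarded-For header.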
