https://issues.apache.org/bugzilla/show_bug.cgi?id=55635
Mike Rumph <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO

--- Comment #3 from Mike Rumph <[email protected]> ---
Hello Ivan,

I have been studying the mod_remoteip documentation and code to try to make sense of the results that we are seeing. I think that I finally understand the results that you are getting. And it appears to me at this point that your results are as they should be according to the documentation at the following link:
- http://httpd.apache.org/docs/trunk/mod/mod_remoteip.html

I will try to explain this, but it is not easy. Here is how I see it now:

mod_remoteip processes the contents of X-Forwarded-For from right to left in cycles of a while loop after your RemoteIPInternalProxy and RemoteIPTrustedProxy proxies are added to a proxy match list.

Cycle 1:
The code begins with X-Forwarded-For equal to "1.1.1.2, 1.1.1.1, 87.245.198.54, 87.250.250.203" and the client IP is equal to "172.20.106.70". The client IP is compared against the proxy match list. 172.20.106.70 is listed as an internal proxy. So its view of the X-Forwarded-For list is trusted. So 87.250.250.203 is interpreted as a valid useragent IP address. So 87.250.250.203 becomes the client IP and is removed from the X-Forwarded-For list.

Cycle 2:
X-Forwarded-For is equal to "1.1.1.2, 1.1.1.1, 87.245.198.54" and the client IP is equal to "87.250.250.203". 87.250.250.203 is listed as a trusted proxy. So its view of the X-Forwarded-For list is trusted. So 87.245.198.54 is interpreted as a valid useragent IP address. So 87.245.198.54 becomes the client IP and is removed from the X-Forwarded-For list.

Cycle 3:
X-Forwarded-For is equal to "1.1.1.2, 1.1.1.1" and the client IP is equal to "87.245.198.54". 87.245.198.54 is not an internal or trusted proxy. So the cycles stop.

Final mod_remoteip result:
X-Forwarded-For is equal to "1.1.1.2, 1.1.1.1" and the client IP is equal to "87.245.198.54".

And this is the result that you are seeing.

I think the key point here is that RemoteIPInternalProxy and RemoteIPTrustedProxy refer to trusted proxies, not trusted clients. As a trusted proxy it can be relied upon to have added a trusted client IP to the end of the X-Forwarded-For list before forwarding the request on to the backend server.

Now I think that what should happen next is for mod_proxy to take over. If mod_proxy is properly configured and 87.245.198.54 is accepted as an allowed client IP, then mod_proxy should add 87.245.198.54 to the end of X-Forwarded-For. This is what is not happening. It could be because you do not have 87.245.198.54 included in the "Allow from" directive.

You could also take a look at the ProxyAddHeaders directive.
- http://httpd.apache.org/docs/trunk/mod/mod_proxy.html#proxyaddheaders

What proxy directives are you using in your configuration?

This bug is related to bug 55637. And I will try to update that bug report with an explanation as well.

I hope that this analysis is helpful.

Take care,

Mike Rumph
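
The right-to-left walk described in the comment above, as an added example that is not part of the original comment and is not mod_remoteip's own code. The function name `resolve_client_ip` and the single merged proxy list are assumptions made for illustration; it models only the cycles the comment walks through, and the second sample input is constructed.

```python
import ipaddress

def resolve_client_ip(peer_ip, xff_header, proxy_match_list):
    """Right-to-left X-Forwarded-For walk as the comment above describes it.

    Returns (client_ip, remaining_xff, trace). Hypothetical helper, not
    mod_remoteip's API.
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in proxy_match_list]
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    client, trace = peer_ip, []
    while hops:
        # Only a listed proxy is believed about the hop it appended.
        if not any(ipaddress.ip_address(client) in n for n in nets):
            trace.append(f"{client} is not a listed proxy: stop")
            break
        candidate = hops[-1]
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            trace.append(f"{candidate!r} is not an IP address: stop")
            break
        hops.pop()
        trace.append(f"{client} is a listed proxy: accept {candidate}")
        client = candidate
    return client, ", ".join(hops), trace

# Values from the bug report.
PEER = "172.20.106.70"
XFF = "1.1.1.2, 1.1.1.1, 87.245.198.54, 87.250.250.203"
PROXIES = ["172.20.106.70", "87.250.250.203"]

if __name__ == "__main__":
    client, remaining, trace = resolve_client_ip(PEER, XFF, PROXIES)
    for n, step in enumerate(trace, 1):
        print(f"cycle {n}: {step}")
    print("client IP:", client)
    print("X-Forwarded-For:", remaining)
    # Constructed case: an unlisted peer sends its own header; nothing in it
    # is believed, so the connection address stays the client IP.
    print(resolve_client_ip("203.0.113.9", "10.0.0.1", PROXIES)[:2])
```

The entries left in the header after the walk stops were supplied by a host that is not on the proxy list, so they should be treated as unverified input in logs and access rules.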
