https://issues.apache.org/bugzilla/show_bug.cgi?id=55637
Mike Rumph <[email protected]> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO --- Comment #1 from Mike Rumph <[email protected]> --- Hello Ivan, It appears to me that your results are as they should be according to the documentation at the following link: - http://httpd.apache.org/docs/trunk/mod/mod_remoteip.html I will try to give an explanation similar to one I gave in comment 3 of related bug 55635. The difference from that bug involves the difference between RemoteIPInternalProxy and RemoteIPTrustedProxy. Both of these directives identify a proxy that can be trusted to trust the right-most value in the X-Forwarded-For header as a trusted useragent IP address. The difference is that any intranet or private IP address is not trusted as the useragent IP address for RemoteIPTrustedProxy proxies. But all IP addresses are trusted for RemoteIPInternalProxy proxies. Let's walk though your results. mod_remoteip processes the contents of X-Forwarded-For from right to left in cycles of a while loop after your RemoteIPInternalProxy and RemoteIPTrustedProxy proxies are added to a proxy match list. Cycle 1: The code begins with X-Forwarded-For equal to "1.1.1.2, 1.1.1.1, 127.0.0.1, 87.250.250.203" and the client IP is equal to "172.20.106.70". The client IP is compared against the proxy match list. 172.20.106.70 is listed as an internal proxy. So its view of the X-Forwarded-For list is trusted. So 87.250.250.203 is interpreted as a valid useragent IP address. So 87.250.250.203 becomes the client IP and is removed from the X-Forwarded-For list. Cycle 2: X-Forwarded-For is equal to "1.1.1.2, 1.1.1.1, 127.0.0.1" and the client IP is equal to "87.250.250.203". 87.250.250.203 is listed as a trusted proxy. So its view of the X-Forwarded-For list is trusted. But RemoteIPTrustedProxy proxies do not trust private network addresses. 127.0.0.1 is counted as a private network address. So 127.0.0.1 is not accepted as a valid useragent IP address. This can be seen in your error log. So the cycles stop. Final mod_remoteip result": X-Forwarded-For is equal to "1.1.1.2, 1.1.1.1, 127.0.0.1" and the client IP is equal to "87.250.250.203". And this is the result that you are seeing. If you change "RemoteIPTrustedProxy 87.250.250.203" to "RemoteIPInternalProxy 87.250.250.203", then you should get the results that you were expecting. Please, try this and let us know your results. Take care, Mike Rumph -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
