https://bz.apache.org/bugzilla/show_bug.cgi?id=58089
Bug ID: 58089
Summary: mod_authz_host uses proxy IP even when mod_remoteip is
enabled
Product: Apache httpd-2
Version: 2.4.12
Hardware: PC
OS: FreeBSD
Status: NEW
Severity: normal
Priority: P2
Component: mod_authz_host
Assignee: [email protected]
Reporter: [email protected]
Using the following configuration behind haproxy with mod_remoteip enabled:
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 127.0.0.1
<Location /server-status>
SetHandler server-status
Require host 127.0.0.1 localhost
</Location>
all proxied requests will be allowed through. Removing 'localhost' from the
Require directive closes the hole, but in the same vein other hosts placed in
the directive would not allow legitimate clients through. I'm uncertain if this
is a bug or desired behavior.
If the latter, would it be possible to update the docs to further clarify the
"Security Note" for mod_authz_host and/or create a feature request for adding
the ability to use mod_remoteip and hostname-based authentication (apologies if
such discussion would've been better suited to the mailing list)?
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
