Steps to reproduce (not exact):

apache config:

    LoadModule rewrite_module modules/mod_rewrite.so
    LoadModule remoteip_module modules/mod_remoteip.so
    Listen 18000
    <VirtualHost *:18000>
        RemoteIPHeader X-Forwarded-For
        RemoteIPTrustedProxy 127.0.0.1
        RewriteEngine on
        RewriteRule ^/?(.*) http://test.invalid/%{REMOTE_ADDR} [R=301,L]
    </VirtualHost>

Let's assume we are a proxy on 127.0.0.1.

If a connection comes from 1.2.3.4 without an existing header we will set X-Forwarded-For: 1.2.3.4 and Apache should trust us.

    curl -vH 'X-Forwarded-For: 1.2.3.4' 'http://127.0.0.1:18000/'
    ...
    < Location: http://test.invalid/1.2.3.4
    ...

This is OK as the connection comes from 127.0.0.1 and it is trusted to present the IP 1.2.3.4.

If a connection comes from 1.2.3.4 with an existing "X-Forwarded-For: 5.6.7.8", we should add the IP 1.2.3.4 at the end, like so:

    curl -vH 'X-Forwarded-For: 5.6.7.8, 1.2.3.4' 'http://127.0.0.1:18000/'
    ...
    < Location: http://test.invalid/5.6.7.8
    ...

This shows that Apache thinks the REMOTE_ADDR should be 5.6.7.8. This is not OK as the IP 5.6.7.8 comes from 1.2.3.4 and 1.2.3.4 is not trusted.

Expected: After the patch is applied

    curl -vH 'X-Forwarded-For: 5.6.7.8, 1.2.3.4' 'http://127.0.0.1:18000/'
    ...
    < Location: http://test.invalid/1.2.3.4
    ...

--
https://bugs.launchpad.net/bugs/1511222

Title:
  Incorrect trusted proxy match test in mod_remoteip
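The right-to-left walk that the expected result above implies, as an added example that is not part of the bug report and not mod_remoteip's code. The function names are hypothetical, and `resolve_peer_checked_once` is a constructed stand-in that merely yields the same output as the reported behaviour (the report does not show the module's faulty test); `failing_cases` replays the two curl cases from the report as a regression check.

```python
import ipaddress

def _hops(xff):
    """Split an X-Forwarded-For value into its comma-separated entries."""
    return [h.strip() for h in (xff or "").split(",") if h.strip()]

def _trusted(ip, nets):
    return any(ipaddress.ip_address(ip) in n for n in nets)

def resolve_client(peer, xff, trusted):
    """Expected behaviour: consume entries from the right, and accept an
    entry only while the hop that supplied it is itself a trusted proxy.
    Returns (effective client address, header entries left unconsumed)."""
    nets = [ipaddress.ip_network(t) for t in trusted]
    client, hops = peer, _hops(xff)
    while hops and _trusted(client, nets):
        try:
            ipaddress.ip_address(hops[-1])
        except ValueError:
            break  # malformed entry: stop at the last verified address
        client = hops.pop()
    return client, ", ".join(hops)

def resolve_peer_checked_once(peer, xff, trusted):
    """Constructed stand-in (assumption): trust is tested for the TCP peer
    only, then the whole header is believed. Gives the reported output."""
    nets = [ipaddress.ip_network(t) for t in trusted]
    hops = _hops(xff)
    if hops and _trusted(peer, nets):
        return hops[0], ""
    return peer, ", ".join(hops)

# (TCP peer, X-Forwarded-For sent by curl, expected REMOTE_ADDR), from the report
CASES = [
    ("127.0.0.1", "1.2.3.4", "1.2.3.4"),
    ("127.0.0.1", "5.6.7.8, 1.2.3.4", "1.2.3.4"),
]

def failing_cases(resolver, trusted=("127.0.0.1",)):
    """Return the report's cases for which the resolver picks the wrong address."""
    return [(peer, xff) for peer, xff, want in CASES
            if resolver(peer, xff, trusted)[0] != want]

if __name__ == "__main__":
    for name, fn in (("expected", resolve_client),
                     ("peer-checked-once", resolve_peer_checked_once)):
        print(name, "fails on:", failing_cases(fn))
```

The unconsumed entries returned alongside the address (here `5.6.7.8`) are client-supplied and should not feed access control or rate limiting.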