Hi Marcus,
I was following your howto step by step and wanted to thank you already for 
providing that much detail.
I was trying to simplify it further to not reach out to extra files, adding the 
apt install steps and everything else.

$ apt install apache2 libapache2-mod-php

define /etc/apache2/sites-enabled/000-default.conf as:
<VirtualHost *:8080>
        DocumentRoot /var/www/html

        <IfModule mod_remoteip.c>
                RemoteIPInternalProxy 127.0.0.1
                RemoteIPHeader X-Forwarded-For
        </IfModule>

        <Directory /var/www/html>
                RewriteEngine On
                RewriteRule .* index.php [L,QSA]
        </Directory>
</VirtualHost>

In file /etc/apache2/ports.conf change
Listen 80
to
Listen 8080

$ sudo a2enmod rewrite
$ a2enmod php7.0
$ systemctl restart apache2

$ apt install nginx

define file /etc/nginx/sites-enabled/default as:
server {
        listen 80 default_server;
        root /var/www/html;
        server_name _;

        location / {
                proxy_pass http://127.0.0.1:8080;
                proxy_set_header Host             $host;
                proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
        }
}

$ systemctl restart nginx

define file /var/www/html/index.php as:
<?php
echo $_SERVER['REMOTE_ADDR'] . "\n";
?>

$ curl http://localhost/index.php
127.0.0.1
$ curl http://localhost/seo-friendly-url
127.0.0.1
$ curl http://localhost/seo-friendly-url -H "X-Forwarded-For: 1.1.1.1"
127.0.0.1


It doesn't seem to matter if I do the curl from localhost, or the same curl 
from another system onto this:
`curl 10.253.194.202/foo -H "X-Forwarded-For: 1.1.1.1"`
In my case I never got the original client IP, nor the faked IP - I 
always got that of the nginx server.

Do you spot a difference between my approach above and your setup that
would explain this?

** Changed in: apache2 (Ubuntu Xenial)
       Status: Triaged => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1875299

Title:
  Apache's mod_remoteip: IP address spoofing via X-Forwarded-For when
  mod_rewrite rule is triggered
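
For reference when reading the curl results above, an added example (not part of the original message and not Apache's code): a simplified Python model of right-to-left X-Forwarded-For resolution against a trusted-proxy list, fed with the header nginx's $proxy_add_x_forwarded_for would forward. The function names and the client address 203.0.113.7 are constructed for illustration.

```python
import ipaddress

# Assumption: mirrors "RemoteIPInternalProxy 127.0.0.1" from the vhost above.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]


def is_trusted(addr):
    """True if addr parses as an IP inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def nginx_forwarded_for(client_header, peer_addr):
    """Model of $proxy_add_x_forwarded_for: incoming header plus peer address."""
    return f"{client_header}, {peer_addr}" if client_header else peer_addr


def resolve_client_ip(peer_addr, xff_header):
    """Walk X-Forwarded-For right to left while the current hop is trusted.

    Returns (client_ip, remaining_header). Entries left of the first
    untrusted hop are client-controlled and are never used as the address.
    """
    if not is_trusted(peer_addr) or not xff_header:
        return peer_addr, xff_header  # header ignored for untrusted peers
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    client = peer_addr
    while hops and is_trusted(client):
        try:
            ipaddress.ip_address(hops[-1])
        except ValueError:
            break  # malformed entry: stop, keep the last validated address
        client = hops.pop()
    return client, ", ".join(hops)


if __name__ == "__main__":
    remote = "203.0.113.7"  # constructed client address (documentation range)
    for sent in ("", "1.1.1.1"):  # without and with a client-supplied header
        forwarded = nginx_forwarded_for(sent, remote)
        print(repr(sent), "->", resolve_client_ip("127.0.0.1", forwarded))
```

In this model a request from a remote client resolves to that client's address in both cases, with the client-supplied 1.1.1.1 left unused in the remaining header. A request sent from the proxy host itself arrives as a trusted hop, so tests from localhost and from another machine are not equivalent.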
