Steps to reproduce (not exact):
apache config:
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule remoteip_module modules/mod_remoteip.so
Listen 18000
<VirtualHost *:18000>
    RemoteIPHeader X-Forwarded-For
    RemoteIPTrustedProxy 127.0.0.1
    RewriteEngine on
    RewriteRule ^/?(.*) http://test.invalid/%{REMOTE_ADDR} [R=301,L]
</VirtualHost>
Let's assume we are a proxy on 127.0.0.1.
If a connection comes from 1.2.3.4 without an existing header we will set X-Forwarded-For: 1.2.3.4 and Apache should trust us.
curl -vH 'X-Forwarded-For: 1.2.3.4' 'http://127.0.0.1:18000/'
...
< Location: http://test.invalid/1.2.3.4
...
This is OK as the connection comes from 127.0.0.1 and it is trusted to present the IP 1.2.3.4.
If a connection comes from 1.2.3.4 with an existing "X-Forwarded-For: 5.6.7.8", we should add the IP 1.2.3.4 at the end, like so:
curl -vH 'X-Forwarded-For: 5.6.7.8, 1.2.3.4' 'http://127.0.0.1:18000/'
...
< Location: http://test.invalid/5.6.7.8
...
This shows that Apache thinks the REMOTE_ADDR should be 5.6.7.8. This is not OK as the IP 5.6.7.8 comes from 1.2.3.4 and 1.2.3.4 is not trusted.
Expected:
After the patch is applied:
curl -vH 'X-Forwarded-For: 5.6.7.8, 1.2.3.4' 'http://127.0.0.1:18000/'
...
< Location: http://test.invalid/1.2.3.4
...
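The trust decision described in the report, as an added example that is not part of the original report and is not Apache's code: resolve_client_ip walks X-Forwarded-For from right to left and stops at the first hop that is not a trusted proxy, while leftmost_client_ip is a simplified stand-in that only reproduces the observed result. Both function names and the TRUSTED list are hypothetical; the addresses are the ones used in the report.

```python
import ipaddress


def _trusted(addr, trusted_proxies):
    """True if addr falls inside any trusted proxy address or CIDR range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in trusted_proxies)


def _entries(xff_header):
    """Split an X-Forwarded-For value into its non-empty entries."""
    return [e.strip() for e in (xff_header or "").split(",") if e.strip()]


def leftmost_client_ip(peer, xff_header, trusted_proxies):
    """Stand-in for the observed result: a trusted peer vouches for the
    whole header, so the first (client-controlled) entry wins."""
    entries = _entries(xff_header)
    if entries and _trusted(peer, trusted_proxies):
        return entries[0]
    return peer


def resolve_client_ip(peer, xff_header, trusted_proxies):
    """Expected result: each hop's claim about the previous hop is accepted
    only while the hop making the claim is itself a trusted proxy."""
    current = peer
    entries = _entries(xff_header)
    while entries and _trusted(current, trusted_proxies):
        candidate = entries[-1]
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break  # malformed entry: keep the last address we could verify
        entries.pop()
        current = candidate
    return current


TRUSTED = ["127.0.0.1"]  # mirrors RemoteIPTrustedProxy in the report's config

if __name__ == "__main__":
    # Header values taken from the two curl requests in the report.
    for header in ("1.2.3.4", "5.6.7.8, 1.2.3.4"):
        print(header, "->",
              "leftmost:", leftmost_client_ip("127.0.0.1", header, TRUSTED),
              "right-to-left:", resolve_client_ip("127.0.0.1", header, TRUSTED))
```
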