Comment 3 for bug 1511222

William Shallum (william) wrote:

Steps to reproduce (not exact):

apache config:

LoadModule rewrite_module modules/mod_rewrite.so
LoadModule remoteip_module modules/mod_remoteip.so

Listen 18000
<VirtualHost *:18000>
        RemoteIPHeader X-Forwarded-For
        RemoteIPTrustedProxy 127.0.0.1
        RewriteEngine on
        RewriteRule ^/?(.*) http://test.invalid/%{REMOTE_ADDR} [R=301,L]
</VirtualHost>

Let's assume we are a proxy on 127.0.0.1.

If a connection comes from 1.2.3.4 without an existing header, we will set X-Forwarded-For: 1.2.3.4 and Apache should trust us.

curl -vH 'X-Forwarded-For: 1.2.3.4' 'http://127.0.0.1:18000/'
...
< Location: http://test.invalid/1.2.3.4
...

This is OK, as the connection comes from 127.0.0.1 and it is trusted to present the IP 1.2.3.4.

If a connection comes from 1.2.3.4 with an existing "X-Forwarded-For: 5.6.7.8", we should add the IP 1.2.3.4 at the end, like so:

curl -vH 'X-Forwarded-For: 5.6.7.8, 1.2.3.4' 'http://127.0.0.1:18000/'
...
< Location: http://test.invalid/5.6.7.8
...

This shows that Apache thinks the REMOTE_ADDR should be 5.6.7.8. This is not OK, as the IP 5.6.7.8 comes from 1.2.3.4 and 1.2.3.4 is not trusted.

Expected:

After the patch is applied:

curl -vH 'X-Forwarded-For: 5.6.7.8, 1.2.3.4' 'http://127.0.0.1:18000/'
...
< Location: http://test.invalid/1.2.3.4
...
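The trust walk the comment above expects from mod_remoteip, written out as an added Python example (this is not Apache's code and not part of the bug report): X-Forwarded-For is consumed from the right, one hop at a time, and only while the address currently believed to be the peer is in the trusted-proxy list. The trusted list is taken from the reporter's config (RemoteIPTrustedProxy 127.0.0.1); the function names, the handling of malformed entries, and the fourth "also trust 1.2.3.4" scenario are assumptions made for illustration. `leftmost_entry` is only a model of the output the report observed (5.6.7.8), included for comparison, not a claim about how the unpatched module is implemented.

```python
import ipaddress

# Trusted proxies from the report's config: RemoteIPTrustedProxy 127.0.0.1
# (modelled as networks so that CIDR entries would also work; assumption).
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True if addr falls inside any trusted-proxy network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted)


def resolve_client(peer_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Right-to-left trust walk over X-Forwarded-For.

    Returns (client_ip, remaining_header, proxies_passed):
      client_ip        - address REMOTE_ADDR should be rewritten to
      remaining_header - X-Forwarded-For entries that were NOT consumed
                         (left in place because the hop that added them
                         is not trusted)
      proxies_passed   - trusted hops that were traversed, oldest last
    """
    hops = [h.strip() for h in xff_header.split(",")] if xff_header else []
    hops = [h for h in hops if h]

    client = peer_addr          # start with the TCP peer, which we can verify
    proxies_passed = []
    # Keep peeling only while the address we currently believe in is a
    # trusted proxy; an untrusted address may have written anything to the
    # left of itself, so nothing further left is believed.
    while hops and is_trusted(client, trusted):
        candidate = hops.pop()
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            # Malformed entry: stop here and leave it in the header (assumption
            # for this example; the real module's handling is not modelled).
            hops.append(candidate)
            break
        proxies_passed.append(client)
        client = candidate
    return client, ", ".join(hops), proxies_passed


def leftmost_entry(xff_header):
    """Model of the value the report observed for REMOTE_ADDR (first entry).
    Illustration only, not a description of mod_remoteip's code."""
    return xff_header.split(",")[0].strip()


if __name__ == "__main__":
    # Inputs are the constructed requests from the bug report.
    for peer, xff in [("127.0.0.1", "1.2.3.4"),
                      ("127.0.0.1", "5.6.7.8, 1.2.3.4"),
                      ("1.2.3.4", "5.6.7.8")]:
        client, rest, via = resolve_client(peer, xff)
        print(f"peer={peer:10} XFF={xff!r:22} -> client={client} "
              f"remaining={rest!r} via={via}")
```

The second case (peer 127.0.0.1, header "5.6.7.8, 1.2.3.4") yields client 1.2.3.4 with "5.6.7.8" left in the header, which is the post-patch Location the comment expects; the third case shows why the walk matters in the other direction: a client that connects directly and presents its own X-Forwarded-For is not trusted, so the header is ignored entirely and REMOTE_ADDR stays 1.2.3.4.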