httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 41097] New: - X-Forwarded-For, X-Forwarded-Host, and X-Forwarded-Server header addition by mod_proxy_http undocumented
Date Sat, 02 Dec 2006 00:21:50 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=41097>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=41097

           Summary: X-Forwarded-For, X-Forwarded-Host, and X-Forwarded-
                    Server header addition by mod_proxy_http undocumented
           Product: Apache httpd-2
           Version: 2.3-HEAD
          Platform: Other
               URL: http://httpd.apache.org/docs/2.2/mod/mod_proxy.html
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Documentation
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: apache@harkless.org


It's not documented that mod_proxy_http (starting in httpd 2.0.15) adds
X-Forwarded-For, X-Forwarded-Host, and X-Forwarded-Server HTTP headers.  These
are very useful to know about so that if you utilize a reverse proxy you'll know
how to modify the LogFormat on your destination webserver to log actual client
IPs rather than just the IP address of the proxy.  (And so you'll know that with
recent versions of httpd, you don't need to install the third-party
mod_proxy_add_forward module, as much advice online says to do.)

In the documentation it would be good to note that if traffic has an existing
X-Forwarded-For: header, it will be overwritten by the Apache reverse proxy with
its IP, rather than appending its IP to the value of that header as some other
proxies do.

You might even give the configuration code from
http://groups.google.com/group/alt.apache.configuration/msg/6f0ecadabc20623f as
an example of how to always log the client IP in the first field, regardless of
whether the particular connection went through the reverse proxy.  If you do
that, though, you should probably add a note that malicious parties not going
through the reverse proxy could hide their IP addresses from the logs by adding
their own X-Forwarded-For headers, so for security it's better to log *both* the
value of %h and %{X-Forwarded-For}i.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
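
An added example, not part of the bug report or the httpd documentation: once the backend logs both %h and %{X-Forwarded-For}i as the report recommends, a log reader can trust the header only when %h is the reverse proxy and flag direct connections that supplied the header themselves. The LogFormat nickname, the proxy address 10.0.0.5 and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumed backend LogFormat (added example; "proxy_aware" is a made-up nickname).
# Quoting the header keeps a comma-separated value in one field:
#   LogFormat "%h \"%{X-Forwarded-For}i\" %l %u %t \"%r\" %>s %b" proxy_aware
LINE_RE = re.compile(r'^(?P<peer>\S+) "(?P<xff>[^"]*)" ')

# Assumption: the single reverse proxy in front of this backend.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}

# Constructed sample lines (documentation address ranges).
SAMPLE_LOG = [
    '10.0.0.5 "203.0.113.7" - - [02/Dec/2006:00:21:50 +0000] "GET / HTTP/1.1" 200 512',
    '10.0.0.5 "192.0.2.1, 203.0.113.8" - - [02/Dec/2006:00:21:51 +0000] "GET / HTTP/1.1" 200 512',
    '198.51.100.9 "-" - - [02/Dec/2006:00:21:52 +0000] "GET / HTTP/1.1" 200 512',
    '198.51.100.23 "192.0.2.1" - - [02/Dec/2006:00:21:53 +0000] "GET / HTTP/1.1" 200 512',
]


def classify(line):
    """Return (client_ip, verdict) for one access-log line."""
    m = LINE_RE.match(line)
    if not m:
        return None, "unparsed"
    peer, xff = m.group("peer"), m.group("xff").strip()
    has_xff = xff not in ("", "-")
    try:
        peer_ip = ipaddress.ip_address(peer)
    except ValueError:
        return None, "unparsed"  # e.g. %h logged as a hostname
    if peer_ip not in TRUSTED_PROXIES:
        # Direct connection: only %h is trustworthy; a header here is client-supplied.
        return peer, "direct-with-xff" if has_xff else "direct"
    if not has_xff:
        return peer, "proxy-no-xff"
    # Rightmost entry is the one written by our own proxy (append or overwrite).
    last = xff.split(",")[-1].strip()
    try:
        ipaddress.ip_address(last)
    except ValueError:
        return peer, "proxy-bad-xff"
    return last, "proxied"


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry))
```

Lines classified as direct-with-xff keep the %h address as the client and are the case the report's last paragraph warns about.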
