httpd-bugs mailing list archives

From bugzi...@apache.org
Subject [Bug 58089] New: mod_authz_host uses proxy IP even when mod_remoteip is enabled
Date Wed, 01 Jul 2015 04:06:11 GMT
https://bz.apache.org/bugzilla/show_bug.cgi?id=58089

            Bug ID: 58089
           Summary: mod_authz_host uses proxy IP even when mod_remoteip is
                    enabled
           Product: Apache httpd-2
           Version: 2.4.12
          Hardware: PC
                OS: FreeBSD
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_authz_host
          Assignee: bugs@httpd.apache.org
          Reporter: payam_hekmat@kace.com

Using the following configuration behind haproxy with mod_remoteip enabled:

RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 127.0.0.1
<Location /server-status>
    SetHandler server-status
    Require host 127.0.0.1 localhost
</Location>

all proxied requests will be allowed through. Removing 'localhost' from the
Require directive closes the hole, but in the same vein other hosts placed in
the directive would not allow legitimate clients through. I'm uncertain if this
is a bug or desired behavior. 

If the latter, would it be possible to update the docs to further clarify the
"Security Note" for mod_authz_host and/or create a feature request for adding
the ability to use mod_remoteip and hostname-based authentication (apologies if
such discussion would've been better suited to the mailing list)?

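
The configuration from the report next to an address-based alternative, as an added example that is not part of the original bug report. It relies on the mod_remoteip documentation's statement that the overridden useragent address is the one used by Require ip; the log format nickname and log file path are assumptions chosen for illustration.

```apache
# Added example, not from the bug report.
# Proxy setup exactly as given in the report.
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 127.0.0.1

# As reported (left commented out): hostname-based rule. According to the
# report, on 2.4.12 the host check is made against the proxy's address
# (127.0.0.1, which resolves to localhost), so every request relayed by
# haproxy matches.
#<Location /server-status>
#    SetHandler server-status
#    Require host 127.0.0.1 localhost
#</Location>

# Address-based rule: Require ip is evaluated against the useragent address
# that mod_remoteip substitutes from X-Forwarded-For, so a proxied request
# is judged by the forwarded client address, not by the proxy's 127.0.0.1.
<Location /server-status>
    SetHandler server-status
    Require ip 127.0.0.1 ::1
</Location>

# Verification aid: log the substituted client address (%a) beside the
# underlying peer address of the connection (%{c}a). For a proxied request
# the two should differ; if %a shows 127.0.0.1 for proxied traffic, the
# header is not being applied and the rule above is not protecting anything.
# "remoteip_check" and the log path are hypothetical names.
LogFormat "%a %{c}a \"%r\" %>s" remoteip_check
CustomLog "logs/remoteip_check.log" remoteip_check
```

This only holds when haproxy itself adds the client address to X-Forwarded-For on every request it relays.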

