httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject [Bug 58089] New: mod_authz_host uses proxy IP even when mod_remoteip is enabled
Date Wed, 01 Jul 2015 04:06:11 GMT

            Bug ID: 58089
           Summary: mod_authz_host uses proxy IP even when mod_remoteip is
           Product: Apache httpd-2
           Version: 2.4.12
          Hardware: PC
                OS: FreeBSD
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_authz_host

Using the following configuration behind haproxy with mod_remoteip enabled:

RemoteIPHeader X-Forwarded-For
<Location /server-status>
    SetHandler server-status
    Require host localhost

all proxied requests will be allowed through. Removing 'localhost' from the
Require directive closes the hole, but in the same vein other hosts placed in
the directive would not allow legitimate clients through. I'm uncertain if this
is a bug or desired behavior. 

If the latter, would it be possible to update the docs to further clarify the
"Security Note" for mod_authz_host and/or create a feature request for adding
the ability to use mod_remoteip and hostname-based authentication (apologies if
such discussion would've been better suited to the mailing list)?

You are receiving this mail because:
You are the assignee for the bug.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message