httpd-bugs mailing list archives

Subject [Bug 60251] New: mod_remoteip discards additional address when mod_rewrite rule is triggered
Date Thu, 13 Oct 2016 19:20:02 GMT

            Bug ID: 60251
           Summary: mod_remoteip discards additional address when
                    mod_rewrite rule is triggered
           Product: Apache httpd-2
           Version: 2.4.23
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_remoteip

I've been testing this on a Debian Jessie build (apache 2.4.10), as well as a
Debian Stretch build (apache 2.4.23), with the same results.

In my configuration, mod_remoteip has a single internal trusted proxy, and
X-Forwarded-For is evaluated for additional IPs. Under normal circumstances, it
correctly "stops" at the first untrusted IP, which becomes REMOTE_ADDR.

However, when a mod_rewrite rule is triggered, it seems to discard that IP
address and continue moving up the X-Forwarded-For header, making the second
untrusted IP become the REMOTE_ADDR.

I'm including what I believe is the relevant configuration, but let me know if
further details are needed:

RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy ::1
DocumentRoot /app/httpdocs

<Directory /app/httpdocs>
    Require all granted
    AllowOverride None

    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME} !-s
    RewriteRule ^.*$ index.php
</Directory>

In the following tests, I'll be connecting from localhost, which is ::1 (the
defined RemoteIPInternalProxy). My index.php file is just echoing out the
relevant $_SERVER variables.

In the first case, I hit /index.php directly, which does NOT trigger a
RewriteRule. The REMOTE_ADDR becomes the right-most untrusted IP address, This is, I believe, the correct behavior:

# curl -H "X-Forwarded-For:,,"

Now, if I hit an invalid URL, the RewriteRule is triggered and rewritten to
index.php. It appears that is then discarded:

# curl -H "X-Forwarded-For:,,"


To show additional behavior, here's a more complicated example that shows that
additional InternalProxies AND TrustedProxies are evaluated after the untrusted
IP is discarded:

RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy ::1
RemoteIPProxiesHeader X-Trusted-Proxies

In the first case, the trusted proxy is added to the X-Trusted-Proxies header,
and REMOTE_ADDR becomes the first untrusted IP ( This is the correct

# curl -H "X-Forwarded-For:,,, ::1,," http://localhost/index.php
X-Forwarded-For:,,, ::1

But again, by triggering a RewriteRule, the address is discarded,
Internal & Trusted proxies seem to be evaluated again (X-Trusted-Proxies is now instead of, and the REMOTE_ADDR becomes the second
untrusted IP,

# curl -H "X-Forwarded-For:,,, ::1,," http://localhost/invalidurl
