httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe Jr." <wr...@rowe-clan.net>
Subject Re: mod_remoteip
Date Wed, 11 Dec 2013 22:05:46 GMT
On Mon, 09 Dec 2013 19:52:35 +0100
Reindl Harald <h.reindl@thelounge.net> wrote:
> 
> the mod_remoteip config looks like below
> 
> RemoteIPHeader         X-Forwarded-For
> RemoteIPProxiesHeader  X-Forwarded-For

That config would be bad, and disagrees with the documentation.

The RemoteIPProxiesHeader leaves a breadcrumb for which of
the IP addresses were used to derive the apparent origin IP
of the request, the apparent origin IP address of the request
is the %a value (not a header value), and the RemoteIPHeader 
continues to preserve any remaining X-Forwarded-For values
once the apparent origin IP is not trusted to present an IP
address value.

Which value, that list consumed, or that list of remaining values
would be undefined, if one were foolish enough to write these two
distinct values to the same header field.

Mime
View raw message