httpd-dev mailing list archives

From Rainer Jung <>
Subject mod_remoteip DNS address resolution
Date Thu, 04 Aug 2016 08:14:09 GMT

Hi there,

I learned that mod_remoteip does IP address resolution including DNS 
when it processes a token from the configured RemoteIPHeader. In the 
observed case, two different customers using F5 load balancers had a 
numeric IP address in the header which was followed, without whitespace 
or a separator character, by "%N", where N is a number. That thing was said to be 
a partition tag. Of course one doesn't want such stuff in 
X-Forwarded-For, but mod_remoteip falling back to DNS was a surprise for me.

Although we clearly express in the docs "It is critical to only enable 
this behavior from intermediate hosts (proxies, etc) which are trusted 
by this server, since it is trivial for the remote useragent to 
impersonate another useragent", I would prefer it if IP address resolution 
with DNS were configurable, mostly for performance reasons.

So I think we need a directive for mod_remoteip to enable/disable DNS.

We also need to decide what to do if the header value is not a valid 
numeric IP address and DNS is turned off. We could fall back to using 
the connection IP address and proceed with the request, or we could throw 
an error like a Bad Request, Forbidden, Internal Server Error or similar.

Something like "RemoteIPLookups (On|Off|NNN)". "On" would be current 
behavior, "Off" would be "No DNS and use connection IP if address is 
invalid", "NNN" would be "No DNS and return status NNN if address is 
invalid". Default "On" or "Off" for 2.4 and "Off" for trunk.

Note that we don't have an "IP address string to numeric IP" conversion 
function at hand. APR has apr_inet_pton(), but unfortunately it 
currently is not made public via the header files. We could probably 
copy it in and make it public for future versions.
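An added example, not from this mail or from httpd's own code, of the strict numeric check and the proposed "Off"/"NNN" behaviour: it uses the libc inet_pton() in place of the non-public apr_inet_pton(), takes the rightmost header token as the candidate (a simplification of mod_remoteip's proxy-list walk), and the function and macro names are assumptions.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Lookup policy from the proposal: 0 = "Off" (fall back to the connection
 * address), NNN > 0 = "no DNS, return status NNN". "On" is deliberately not
 * modelled: no name resolution ever happens on a client-supplied token. */
#define REMOTEIP_LOOKUPS_OFF 0

/* Strict numeric check: only a dotted-quad or an IPv6 literal passes.
 * libc inet_pton() stands in for the non-exported apr_inet_pton(). */
int remoteip_is_numeric(const char *token)
{
    unsigned char buf[16];
    return inet_pton(AF_INET, token, buf) == 1 ||
           inet_pton(AF_INET6, token, buf) == 1;
}

/* Take the rightmost token of a comma-separated header value (the one the
 * nearest proxy appended), trim surrounding blanks, and decide the client
 * address under the given policy. Returns 0 and writes the address to out,
 * or returns the HTTP status the request should be refused with. */
int remoteip_resolve(const char *header, const char *conn_ip, int policy,
                     char *out, size_t outlen)
{
    char token[INET6_ADDRSTRLEN];
    const char *tok = strrchr(header, ',');
    size_t len;
    tok = tok ? tok + 1 : header;
    while (*tok == ' ' || *tok == '\t') tok++;                         /* leading */
    len = strlen(tok);
    while (len && (tok[len - 1] == ' ' || tok[len - 1] == '\t')) len--; /* trailing */

    /* Anything that is not a well-formed numeric literal, including the F5
     * "%N" partition suffix from the mail, is invalid and never resolved. */
    if (len > 0 && len < sizeof token) {
        memcpy(token, tok, len);
        token[len] = '\0';
        if (remoteip_is_numeric(token)) {
            snprintf(out, outlen, "%s", token);
            return 0;
        }
    }
    if (policy != REMOTEIP_LOOKUPS_OFF)
        return policy;                      /* "NNN": refuse with that status */
    snprintf(out, outlen, "%s", conn_ip);   /* "Off": keep the connection IP */
    return 0;
}
```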
