httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Yoshinori Ehara <yoshinori.eh...@gmail.com>
Subject [users@httpd] mod_remoteip Client IP spoofing
Date Tue, 16 Oct 2012 13:33:32 GMT
Hi All,

I'm using Apache 2.4.3 + mod_remoteip.
Apache server is located behind a proxy/LB server.
I want to log client IP address and prevent spoofing.

Test Case:

1. Client(1.1.1.1) send a request with spoofed X-Forwarded-For header.
  X-Forwarded-For: 2.2.2.2
2. Proxy/Load Balancer(10.0.0.1) append the client IP address to
existing X-Forwarded-For header.
  X-Forwarded-For: 2.2.2.2, 1.1.1.1
3. Apache server receive forwarded request.
  (httpd.conf)
    RemoteIPHeader X-Forwarded-For
    RemoteIPTrustedProxy 10.0.0.0/8

I expected that mod_remoteip would override client IP with 1.1.1.1
because 10.0.0.1 is trusted
and 1.1.1.1 is not trusted. Actually, client IP was overridden with 2.2.2.2.

How can I prevent spoofing of client IP address?
I think this may be a bug.
Following patch works fine for me.

Thanks.


Index: modules/metadata/mod_remoteip.c
===================================================================
--- modules/metadata/mod_remoteip.c	(revision 1398763)
+++ modules/metadata/mod_remoteip.c	(working copy)
@@ -254,7 +254,7 @@
             remoteip_proxymatch_t *match;
             match = (remoteip_proxymatch_t *)config->proxymatch_ip->elts;
             for (i = 0; i < config->proxymatch_ip->nelts; ++i) {
-                if (apr_ipsubnet_test(match[i].ip, c->client_addr)) {
+                if (apr_ipsubnet_test(match[i].ip, temp_sa)) {
                     internal = match[i].internal;
                     break;
                 }


-- 
Yoshinori Ehara
yoshinori.ehara@gmail.com

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message