httpd-users mailing list archives

From Yoshinori Ehara <>
Subject [users@httpd] mod_remoteip Client IP spoofing
Date Tue, 16 Oct 2012 13:33:32 GMT
Hi All,

I'm using Apache 2.4.3 + mod_remoteip.
Apache server is located behind a proxy/LB server.
I want to log the client IP address and prevent spoofing.

Test Case:

1. Client( sends a request with a spoofed X-Forwarded-For header.
2. Proxy/Load Balancer( appends the client IP address to the
existing X-Forwarded-For header.
3. Apache server receives the forwarded request.
    RemoteIPHeader X-Forwarded-For

I expected that mod_remoteip would override client IP with
because is trusted
and is not trusted. Actually, client IP was overridden with

How can I prevent spoofing of client IP address?
I think this may be a bug.
The following patch works fine for me.


Index: modules/metadata/mod_remoteip.c
--- modules/metadata/mod_remoteip.c	(revision 1398763)
+++ modules/metadata/mod_remoteip.c	(working copy)
@@ -254,7 +254,7 @@
             remoteip_proxymatch_t *match;
             match = (remoteip_proxymatch_t *)config->proxymatch_ip->elts;
             for (i = 0; i < config->proxymatch_ip->nelts; ++i) {
-                if (apr_ipsubnet_test(match[i].ip, c->client_addr)) {
+                if (apr_ipsubnet_test(match[i].ip, temp_sa)) {
                     internal = match[i].internal;
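
Review bot: On the changed apr_ipsubnet_test(match[i].ip, temp_sa) call, temp_sa is neither declared nor assigned in the visible lines, so the hunk alone does not show that it holds the connection peer on the first pass and the most recently accepted header address on later passes. Please confirm it is initialised from c->client_addr before this loop is first reached, otherwise the directly connected proxy would no longer be checked at all, and add a short comment at the call stating which address is being tested. A regression test for the case in the message (one trusted proxy, one client-supplied header entry ahead of the appended one) would keep this from regressing.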

Yoshinori Ehara
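
The test case in the message above, as an added example that is not part of the original post and is not mod_remoteip's code: a simplified Python model of evaluating X-Forwarded-For from right to left, where `check_current_hop=False` mirrors the removed patch line (the connection peer is tested every time) and `True` mirrors the added line. All addresses are constructed documentation-range values, and the function and parameter names are hypothetical.

```python
import ipaddress


def resolve_client_ip(peer, xff, trusted_proxies, check_current_hop=True):
    """Simplified model (not mod_remoteip's code) of right-to-left XFF evaluation.

    peer: address of the TCP connection; xff: raw X-Forwarded-For value;
    trusted_proxies: CIDR strings allowed to present the header.
    check_current_hop=False always tests the connection peer, like the
    removed line of the patch; True tests the hop currently being evaluated.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    peer_addr = ipaddress.ip_address(peer)
    current = peer_addr
    while hops:
        tested = current if check_current_hop else peer_addr
        if not any(tested in net for net in trusted):
            break  # untrusted hop: entries further left are client-controlled
        try:
            current = ipaddress.ip_address(hops.pop())
        except ValueError:
            break  # unparsable entry: keep the last address that was accepted
    return str(current)


# Constructed sample: the client at 203.0.113.7 sends "X-Forwarded-For: 198.51.100.1";
# the proxy at 192.0.2.10 appends the address it actually saw.
PEER = "192.0.2.10"
XFF = "198.51.100.1, 203.0.113.7"
TRUSTED = ["192.0.2.10/32"]

if __name__ == "__main__":
    print("peer always tested:", resolve_client_ip(PEER, XFF, TRUSTED, False))
    print("current hop tested:", resolve_client_ip(PEER, XFF, TRUSTED, True))
```

With the peer tested on every pass, the walk never stops at the untrusted client and the leftmost, client-supplied entry is what gets logged.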
