tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 50453] Multiple X-Forwarded-For headers not handled by RemoteIP valve
Date Fri, 10 Dec 2010 15:19:05 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=50453

--- Comment #2 from Rainer Jung <rainer.jung@kippdata.de> 2010-12-10 10:19:00 EST ---
I think there is no given standard concerning whether the first or the last
header is the "right" one (coming from the closest proxy). The same for a
comma-separated multi-valued header.

mod_remoteip for the Apache Web Server claims:

When multiple, comma delimited remote IP addresses are listed in the header
value, they are processed in Right-to-Left order. Processing halts when a given
remote IP address is not trusted to present the preceding IP address. The
header field is updated to this remaining list of unconfirmed IP addresses, or
if all IP addresses were trusted, this header is removed from the request
altogether.

In replacing the remote_ip, the module stores the list of intermediate hosts in
a remoteip-proxy-ip-list note, which mod_log_config can record using the
%{remoteip-proxy-ip-list}n format token. If the administrator needs to store
this as an additional header, this same value can also be recorded as a header
using the directive RemoteIPProxiesHeader.


So it might be a good idea to handle the IPs from right to left resp. later
headers before earlier ones, as long as the previous IP is trusted.

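The right-to-left processing suggested in the comment above, as an added example that is not part of the original message and is not taken from the Tomcat or httpd sources. The helper name `resolve_client`, the trusted range and all addresses are constructed for illustration, and it assumes multiple header lines are read as one list in the order received.

```python
import ipaddress

def _parse(value):
    """Return an ip_address, or None when the value is not a literal IP."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def resolve_client(peer, xff_lines, trusted_nets):
    """Walk X-Forwarded-For right to left, starting at the TCP peer.

    Returns (client_ip, trusted_hops, remaining_values). Hypothetical helper.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]

    def trusted(value):
        ip = _parse(value)
        return ip is not None and any(ip in net for net in nets)

    # Several header lines are read as one list, in the order received,
    # so a later line is closer to this server than an earlier one.
    hops = [v.strip() for line in xff_lines for v in line.split(",") if v.strip()]

    client, walked = peer, []
    # Step left only while the current address is trusted to present the
    # preceding one; stop at garbage such as "unknown" instead of adopting it.
    while hops and trusted(client) and _parse(hops[-1]) is not None:
        walked.append(client)
        client = hops.pop()
    return client, walked, hops

# Constructed sample: the client sent its own header value, then two
# internal proxies each appended the address they saw.
SAMPLE_LINES = ["127.0.0.1, 198.51.100.23", "10.0.0.9"]
TRUSTED = ["10.0.0.0/8"]

if __name__ == "__main__":
    print(resolve_client("10.0.0.5", SAMPLE_LINES, TRUSTED))
    # An untrusted peer gets no say: the header is left untouched.
    print(resolve_client("192.0.2.44", SAMPLE_LINES, TRUSTED))
```

The third element of the result is the list of unconfirmed values that would stay in the header; an empty list corresponds to the case where the header is removed.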