tomcat-dev mailing list archives

Subject DO NOT REPLY [Bug 50453] Multiple X-Forwarded-For headers not handled by RemoteIP valve
Date Fri, 10 Dec 2010 15:19:05 GMT

--- Comment #2 from Rainer Jung 2010-12-10 10:19:00 EST ---
I think there is no given standard concerning whether the first or the last
header is the "right" one (coming from the closest proxy). The same for a
comma-separated multi-valued header.

mod_remoteip for the Apache Web Server claims:

When multiple, comma delimited remote IP addresses are listed in the header
value, they are processed in Right-to-Left order. Processing halts when a given
remote IP address is not trusted to present the preceding IP address. The
header field is updated to this remaining list of unconfirmed IP addresses, or
if all IP addresses were trusted, this header is removed from the request.

In replacing the remote_ip, the module stores the list of intermediate hosts in
a remoteip-proxy-ip-list note, which mod_log_config can record using the
%{remoteip-proxy-ip-list}n format token. If the administrator needs to store
this as an additional header, this same value can also be recorded as a header
using the directive RemoteIPProxiesHeader.

So it might be a good idea to handle the IPs from right to left resp. later
headers before earlier ones, as long as the previous IP is trusted.

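The right-to-left walk described in the comment above, as an added example that is not part of the original message and is neither Tomcat's RemoteIpValve code nor mod_remoteip's. The class and method names are hypothetical, the addresses are constructed, and matching trusted proxies by exact string is a simplifying assumption (Java 16+).

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class ForwardedForDemo {
    /** Result of the walk: resolved client, trusted hops seen, unverified leftovers. */
    record Resolved(String clientIp, List<String> proxies, List<String> unconfirmed) {}

    static Resolved resolve(String peerIp, List<String> headerValues, Set<String> trusted) {
        // Flatten repeated headers in arrival order, then split each on commas,
        // so "later header" and "further right in one header" mean the same thing.
        List<String> chain = new ArrayList<>();
        for (String value : headerValues) {
            for (String part : value.split(",")) {
                if (!part.isBlank()) chain.add(part.trim());
            }
        }
        String current = peerIp;            // the only address not taken from a header
        List<String> proxies = new ArrayList<>();
        // Right to left: accept the next entry only while the host that
        // presented it (the current address) is a trusted proxy.
        while (!chain.isEmpty() && trusted.contains(current)) {
            proxies.add(0, current);
            current = chain.remove(chain.size() - 1);
        }
        // Whatever is left in the chain was never vouched for by a trusted hop.
        return new Resolved(current, proxies, chain);
    }

    public static void main(String[] args) {
        // Constructed sample: two headers; the first one arrived from the client side.
        Set<String> trusted = Set.of("10.0.0.2", "10.0.0.1");
        List<String> headers = List.of("203.0.113.9, 198.51.100.7", "10.0.0.1");
        // Trusted peer: the walk stops at the first untrusted address from the right.
        System.out.println(resolve("10.0.0.2", headers, trusted));
        // Untrusted peer: the header content is ignored entirely.
        System.out.println(resolve("198.51.100.7", headers, trusted));
    }
}
```

In the first call the leftmost entry ends up in the unconfirmed list rather than becoming the client address, which is the difference between this walk and simply taking the first header value.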