enterprise-support team mailing list archive
Message #08144
[Bug 1875299] Re: Apache's mod_remoteip: IP address spoofing via X-Forwarded-For when mod_rewrite rule is triggered
After configuring nginx and apache, the file index.php has to be placed
in the document root directory (/var/www/html). This PHP file outputs
the value of the variable $_SERVER['REMOTE_ADDR'] which should always
carry the client's real IP address and should always contain trustworthy
values when being processed by a webserver.
In order to keep this simple, the following IPv4 addresses will be used:
Server IP: 192.168.1.1
Client IP: 192.168.2.2
Now our client wants to access our site by using the following command:
curl http://192.168.1.1/index.php
Output: 192.168.2.2 (As expected, the real IP address of the requesting client)
Let's assume the client accesses a SEO friendly URL and should be
internally redirected to the file index.php. To test this, the following
curl command can be used:
curl http://192.168.1.1/seo-friendly-url/
Output: 192.168.2.2 (As expected)
So far so good. Let's assume our client provides the header X-Forwarded-For with an arbitrary IP address:
curl http://192.168.1.1/seo-friendly-url/ -H "X-Forwarded-For: 1.1.1.1"
Output: 1.1.1.1 (Unexpected; should contain the real IP address instead of the header value)
I hope the supplied configuration files and this short explanation can be of help. I am happy to provide additional information if needed.
** Also affects: apache2 (Debian)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to apache2 in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/1875299
Title:
Apache's mod_remoteip: IP address spoofing via X-Forwarded-For when
mod_rewrite rule is triggered
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1875299/+subscriptions
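The reproduction above shows $_SERVER['REMOTE_ADDR'] taking the attacker-supplied X-Forwarded-For value once the rewrite rule fires. The block below is an added example, not code from the bug report or from Apache; it models how a backend should resolve the client address behind a reverse proxy (the semantics mod_remoteip's RemoteIPInternalProxy is meant to provide) next to the naive behaviour the report observes. It assumes nginx forwards to Apache over loopback (127.0.0.1, a constructed detail) and that nginx appends the real peer address to the header, so the chain Apache sees for the spoofed request is "1.1.1.1, 192.168.2.2".

```python
import ipaddress

# Added example (not from the bug report): resolve the client address by
# walking X-Forwarded-For from the right and discarding hops that belong to
# proxies we control. Anything to the left of the first untrusted hop is
# attacker-controlled input and must not be believed.


def _parse(addr):
    """Return an ip_address object, or None for garbage."""
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def is_trusted(addr, trusted):
    """True if addr falls inside one of the trusted proxy networks."""
    ip = _parse(addr)
    return ip is not None and any(ip in net for net in trusted)


def client_ip(remote_addr, xff, trusted):
    """Return the nearest address that is not one of our proxies.

    remote_addr: TCP peer of the backend (what REMOTE_ADDR holds before any rewriting)
    xff: raw X-Forwarded-For header value, or None
    trusted: list of ipaddress.ip_network objects for proxies we control
    """
    if not is_trusted(remote_addr, trusted):
        # The peer is not a proxy we run: the header is untrusted, ignore it.
        return remote_addr
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    # Walk right to left: each trusted proxy appended the hop to its left.
    while hops:
        hop = hops.pop()
        if not is_trusted(hop, trusted):
            parsed = _parse(hop)
            # A malformed hop cannot be attributed; fall back to the peer.
            return str(parsed) if parsed else remote_addr
    # Every hop was one of our proxies; the peer is the best answer left.
    return remote_addr


def naive_leftmost(remote_addr, xff):
    """The behaviour the bug report observes: the header wins unconditionally."""
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


# Assumed: nginx sits on the same host and reaches Apache via loopback.
TRUSTED = [ipaddress.ip_network("127.0.0.1/32")]

if __name__ == "__main__":
    # Constructed chain for the third curl in the report: the client at
    # 192.168.2.2 sends "X-Forwarded-For: 1.1.1.1"; nginx appends the real
    # peer and forwards to Apache over loopback.
    spoofed_xff = "1.1.1.1, 192.168.2.2"
    print(naive_leftmost("127.0.0.1", spoofed_xff))      # 1.1.1.1
    print(client_ip("127.0.0.1", spoofed_xff, TRUSTED))  # 192.168.2.2
```

The second print is the value the report expects for the spoofed request. The same function also returns the peer address unchanged when the request arrives directly from an untrusted host, so a header sent straight to the backend has no effect, which is the check worth keeping in mind whenever an application reads the client address for logging, rate limiting or access control.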