Bug 1283354 - mod_authz_host uses proxy ip when mod_remoteip is used
Status: NEW
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: httpd
Version: 7.1
Priority: unspecified
Severity: high
Target Milestone: rc
Assigned To: Luboš Uhliarik
QA Contact: BaseOS QE - Apps
Reported: 2015-11-18 14:29 EST by Rik Theys
Modified: 2017-11-01 19:58 EDT
Related bug: 1283356
Type: Bug
Description Rik Theys 2015-11-18 14:29:56 EST
Description of problem:

When apache is sitting behind a reverse proxy and mod_remoteip is configured to expose/log the real client IP, the correct client IP is logged (using %a in the LogFormat), but the proxy IP is used by 'Require host .mydomain.net'.

If you limit a directory/file/site using:

Require host .mydomain.net

and expect the site to only be accessible by clients from .mydomain.net, you will notice that your site is accessible from anywhere if your reverse proxy is in .mydomain.net. I consider this a severe security issue.

Furthermore, if you look at the REMOTE_HOST header (through a CGI script or PHP-FPM), you will see that REMOTE_ADDR shows the correct client IP, but REMOTE_HOST has the name of the reverse proxy.


Version-Release number of selected component (if applicable):
httpd-2.4.6-31.el7.centos.1.x86_64

Also tested Fedora 23's httpd-2.4.17-3.fc23.x86_64 and the issue seems the same there.

How reproducible:
Always with mod_remoteip and mod_authz_host

Steps to Reproduce:
1. Install an httpd instance behind a proxy with mod_remoteip configured to use the X-Forwarded-For header for connections coming from your proxy
2. Limit a file/directory using: Require host mydomain.net
3. Try accessing the file/directory through the reverse proxy from an address that does NOT resolve to mydomain.net

Actual results:
Apache serves the page

Expected results:
Apache returns an unauthorized

Additional info:
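As an added illustration (not httpd's code, and not from the report above), a small Python model of the two behaviours the report contrasts: the trust walk mod_remoteip performs over X-Forwarded-For, and `Require host` evaluated against either the connection peer (the proxy) or the derived client address. The addresses, host names and the 10.0.0.0/8 trust list are constructed; a lookup table stands in for DNS so it runs offline.

```python
import ipaddress

# Constructed stand-ins for DNS and for a RemoteIPInternalProxy trust list so
# the example runs offline; none of these addresses or names are from the report.
REVERSE_DNS = {
    "10.0.0.5": "proxy.mydomain.net",      # the reverse proxy, inside .mydomain.net
    "203.0.113.7": "client.example.org",   # a client that must NOT be allowed
}
INTERNAL_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def is_internal_proxy(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_PROXIES)


def useragent_ip(peer_ip, xff_header):
    """Simplified mod_remoteip: X-Forwarded-For is consulted only when the TCP
    peer is a trusted proxy; the header is walked right to left, trusted hops
    are dropped, and the first untrusted address is taken as the client."""
    if not xff_header or not is_internal_proxy(peer_ip):
        return peer_ip
    hops = [h.strip() for h in xff_header.split(",")]
    client = peer_ip
    while hops:
        client = hops.pop()
        if not is_internal_proxy(client):
            break
    return client


def require_host(ip, suffix=".mydomain.net"):
    """'Require host <suffix>': reverse-resolve the address and match the name.
    Real httpd does a forward-confirmed double lookup; the table stands in for it."""
    name = REVERSE_DNS.get(ip)
    return name is not None and name.endswith(suffix)


def authz_decision(peer_ip, xff_header, check_remoteip_client):
    """With check_remoteip_client=False the host check sees the connection peer
    (the proxy), the behaviour the report describes; with True it sees the
    mod_remoteip-derived client, the behaviour the reporter expects."""
    checked = useragent_ip(peer_ip, xff_header) if check_remoteip_client else peer_ip
    return "allow" if require_host(checked) else "deny"


if __name__ == "__main__":
    # A client outside .mydomain.net reaching httpd through the trusted proxy.
    print(authz_decision("10.0.0.5", "203.0.113.7", False))  # allow (reported behaviour)
    print(authz_decision("10.0.0.5", "203.0.113.7", True))   # deny (expected behaviour)
```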
Comment 3 Joe Orton 2015-12-18 06:41:34 EST
Thanks for the report. If this issue is critical or in any way time sensitive, please raise a ticket through your regular Red Hat support channels to make certain it receives the proper attention and prioritization to assure a timely resolution.
