Red Hat Bugzilla – Bug 1283354
mod_authz_host uses proxy ip when mod_remoteip is used
Last modified: 2018-01-29 11:55:48 EST
Description of problem:
When Apache is sitting behind a reverse proxy and mod_remoteip is configured to expose/log the real client IP, the correct client IP is logged (using %a in the LogFormat), but the proxy IP is used by 'Require host .mydomain.net'.
If you limit a directory/file/site using:
Require host .mydomain.net
and expect the site to only be accessible by clients from .mydomain.net, you will notice that your site is accessible from anywhere if your reverse proxy is in .mydomain.net. I consider this a severe security issue.
Furthermore, if you look at the REMOTE_HOST header (through a CGI script, or PHP-FPM), you will see that REMOTE_ADDR shows the correct client IP, but REMOTE_HOST has the name of the reverse proxy.
Version-Release number of selected component (if applicable):
Also tested Fedora 23's httpd-2.4.17-3.fc23.x86_64 and the issue seems the same there.
Always with mod_remoteip and mod_authz_host
Steps to Reproduce:
1. Install an httpd instance behind a proxy with mod_remoteip configured to use the X-Forwarded-For header for connections coming from your proxy
2. Limit a file/directory using: Require host mydomain.net
3. Try accessing the file/directory through the reverse proxy from an address that does NOT resolve to mydomain.net
Actual results:
Apache serves the page
Expected results:
Apache returns an unauthorized
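The following httpd configuration is an added example illustrating the report above; it is not taken from the bug, from the reporter, or from the httpd project. The proxy address 10.0.0.5, the client range 192.0.2.0/24, the directory paths and the proxy hostname proxy.mydomain.net are constructed placeholders. It logs both the mod_remoteip client address (%a) and the TCP peer (%h) so the mismatch described in the report is visible in access_log, places the affected 'Require host' pattern beside a workaround that restricts by address instead of by reverse-resolved hostname.

```apache
# Added example (not from the bug report). 10.0.0.5, 192.0.2.0/24,
# proxy.mydomain.net and the paths below are constructed placeholders.
LoadModule remoteip_module     modules/mod_remoteip.so
LoadModule authz_host_module   modules/mod_authz_host.so
LoadModule log_config_module   modules/mod_log_config.so

# Only trust X-Forwarded-For on connections that arrive from the internal
# reverse proxy; any other peer's header is ignored.
RemoteIPHeader        X-Forwarded-For
RemoteIPInternalProxy 10.0.0.5

# %a is the client address as rewritten by mod_remoteip; %h is the hostname
# (or address, with HostnameLookups Off) of the TCP peer, i.e. the proxy.
# A line showing a far-away %a next to a %h of proxy.mydomain.net is the
# symptom the report describes.
LogFormat "%a %h %l %u %t \"%r\" %>s %b" remoteip_log
CustomLog logs/access_log remoteip_log

# Affected pattern: the host check reverse-resolves the connection peer,
# which is the proxy. If the proxy lives in .mydomain.net every client
# that comes through it is allowed.
<Directory "/var/www/html/internal-affected">
    Require host .mydomain.net
</Directory>

# Workaround: mod_authz_host's 'Require ip' compares the client address
# that mod_remoteip derived from X-Forwarded-For, and needs no DNS, so
# restricting by the address ranges your .mydomain.net clients actually
# use keeps the intended policy. 192.0.2.0/24 is a constructed stand-in.
<Directory "/var/www/html/internal-hardened">
    Require ip 192.0.2.0/24
</Directory>
```

When checking a deployment, request the restricted path through the proxy from an address outside the intended range and confirm that the %a column in access_log shows that outside address and the response is 403; if the page is served, the host-based rule is taking effect on the proxy's hostname. Enforcing the same restriction on the reverse proxy itself gives a second, independent control that does not depend on httpd's handling of the forwarded address.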
Thanks for the report. If this issue is critical or in any way time sensitive,
please raise a ticket through your regular Red Hat support channels to make
certain it receives the proper attention and prioritization to assure a timely