Bypass mod_access when using a reverse proxy and X-Forwarded-For

If you put a reverse proxy in front of an Apache web server, the client IP seen by Apache is the address of the reverse proxy.
This breaks Apache's access control rules (for instance `allow from 88.233.222.106`).

A proposed solution for this problem is the use of a `SetEnvIf` directive.

In practice, this solution is not secure, because a malicious user can easily craft an HTTP request that adds such a header.

For instance, here is the apache conf for a protected directory:

        <Directory /path/to/protected/>
                # Deny everyone by default; only requests carrying the env var get through
                Order deny,allow
                Deny from all
                # Set trusted_from when X-Forwarded-For starts with the allowed address
                SetEnvIf X-Forwarded-For ^234\.22\.11\.6 trusted_from
                allow from env=trusted_from
        </Directory>

And here is shell output using curl that shows the bypass works.

~ $ curl -I http://myurl/protected/
HTTP/1.1 403 Forbidden
Server: nginx/1.2.1
Date: Tue, 01 Dec 2013 20:39:25 GMT
Content-Type: text/html; charset=iso-8859-1
Connection: keep-alive
Vary: Accept-Encoding

~ $ curl -H 'X-Forwarded-For: 234.22.11.6' -I http://myurl/protected/
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Tue, 01 Dec 2013 20:39:27 GMT
Content-Type: text/html;charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding

You may argue that you still have to know the allowed IP. This is true, but the source address is no longer taken from the TCP connection: it comes from a (potentially) untrusted header.

rpaf is not an option, because it only works for log files.
But Apache 2.4 includes mod_remoteip, which works like a charm. For Apache 2.2 users, a GitHub project has ported this module to Apache 2.2.
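To make the difference between the two approaches concrete, here is an added example (not part of the original post, and not the code of Apache or mod_remoteip) that models both in Python. `client_ip_setenvif` takes X-Forwarded-For at face value, as the `SetEnvIf` rule above does. `client_ip_remoteip` does what mod_remoteip does with `RemoteIPHeader X-Forwarded-For` and `RemoteIPInternalProxy`: it starts from the TCP peer and only steps through the header list while the current address belongs to a trusted proxy. The proxy network `10.0.0.0/8`, the peer addresses and the header values are constructed for the example; the trusted client `234.22.11.6` is the one from the config above. The hardened resolver also handles multi-hop proxy chains, which the post does not discuss.

```python
import ipaddress
from typing import Callable, Dict

# The address the page's SetEnvIf rule trusts.
TRUSTED_CLIENT = ipaddress.ip_address("234.22.11.6")

# Assumption for the example: where the reverse proxies live. This is the
# equivalent of RemoteIPInternalProxy in mod_remoteip.
INTERNAL_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.1/32"),
]


def _is_internal_proxy(addr: ipaddress._BaseAddress) -> bool:
    return any(addr in net for net in INTERNAL_PROXIES)


def client_ip_setenvif(peer_ip: str, headers: Dict[str, str]) -> str:
    """Mirrors the SetEnvIf approach: the leftmost X-Forwarded-For entry is
    believed no matter which TCP peer sent the request."""
    xff = headers.get("X-Forwarded-For", "")
    entries = [h.strip() for h in xff.split(",") if h.strip()]
    return entries[0] if entries else peer_ip


def client_ip_remoteip(peer_ip: str, headers: Dict[str, str]) -> str:
    """Mirrors the mod_remoteip approach: walk X-Forwarded-For from the right,
    replacing the current address only while it is a trusted proxy. The first
    address that is not one of our proxies is the real client, so entries
    prepended by the client itself are never reached."""
    current = ipaddress.ip_address(peer_ip)
    xff = headers.get("X-Forwarded-For", "")
    chain = [h.strip() for h in xff.split(",") if h.strip()]
    while chain and _is_internal_proxy(current):
        try:
            current = ipaddress.ip_address(chain.pop())
        except ValueError:
            break  # malformed entry: stop at the last valid hop (still a proxy)
    return str(current)


def is_allowed(client_ip: str) -> bool:
    """The `allow from` rule from the page: only the trusted client passes."""
    return ipaddress.ip_address(client_ip) == TRUSTED_CLIENT


def evaluate(resolver: Callable[[str, Dict[str, str]], str],
             peer_ip: str, headers: Dict[str, str]) -> bool:
    return is_allowed(resolver(peer_ip, headers))


# Constructed scenarios. The nginx proxy (10.0.0.5) appends the real client
# address to whatever X-Forwarded-For the client already sent, which is what
# produced the 200 in the curl output above.
SCENARIOS = {
    # attacker 203.0.113.9 spoofs the header, request goes through the proxy
    "spoofed via proxy": ("10.0.0.5", {"X-Forwarded-For": "234.22.11.6, 203.0.113.9"}),
    # attacker reaches Apache directly and spoofs the header
    "spoofed direct": ("203.0.113.9", {"X-Forwarded-For": "234.22.11.6"}),
    # the genuinely allowed client, through the proxy
    "legit via proxy": ("10.0.0.5", {"X-Forwarded-For": "234.22.11.6"}),
    # the allowed client through two internal proxy hops
    "legit via two proxies": ("10.0.0.5", {"X-Forwarded-For": "234.22.11.6, 10.0.0.7"}),
}


def run_scenarios() -> Dict[str, Dict[str, bool]]:
    """Returns, per scenario, whether each resolver lets the request through."""
    return {
        name: {
            "setenvif": evaluate(client_ip_setenvif, peer, hdrs),
            "remoteip": evaluate(client_ip_remoteip, peer, hdrs),
        }
        for name, (peer, hdrs) in SCENARIOS.items()
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:24s} setenvif={result['setenvif']!s:5s} remoteip={result['remoteip']}")
```

The two spoofed scenarios are allowed by the SetEnvIf model and denied by the mod_remoteip model; the legitimate ones are allowed by both. The key design point is that the hardened resolver never looks at a header entry unless the address that claims to have forwarded it is a proxy you operate, so a client-supplied value is only ever the last thing considered, and only when the request did not come through your proxy at all, in which case the TCP peer is the answer.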
