I'd like people's PHP and CGIs to work without changes which, in some cases, means spoofing the value of REMOTE_ADDR to be that of the original request (X-Forwarded-For). Having played around fruitlessly with SetEnv and mod_rewrite I had a look at the 1.3.33 source and concluded that REMOTE_ADDR is populated in ap_add_common_vars() and that there's no way to subvert the value that it gets.
I've patched 1.3.33 to provide a new boolean directive ProxyFakeRemoteAddr which, when enabled, plucks the value of any X-Forwarded-For header and populates REMOTE_ADDR with it. It also supresses any attempt to set REMOTE_HOST.
This seems to scratch an itch which I'm not alone in having, adds just a few lines and has no effect when its disabled. The one functional problem I can with it is that if you erroneously enable it on a server that isn't behind a proxy it allows REMOTE_ADDR to be spoofed by setting the X-Forwarded-For header.
If the consensus is that it's an ugly bodge I'll happily keep it to myself but, judging by the posts that periodically crop up on usenet, it would solve a problem for quite a few people.
Shall I post the patch?
-- Andy Armstrong
