On Mon, 09 Dec 2013 19:52:35 +0100 Reindl Harald <[email protected]> wrote: > > the mod_remoteip config looks like below > > RemoteIPHeader X-Forwarded-For > RemoteIPProxiesHeader X-Forwarded-For
That config would be bad, and disagrees with the documentation. The RemoteIPProxiesHeader leaves a breadcrumb for which of the IP addresses were used to derive the apparent origin IP of the request, the apparent origin IP address of the request is the %a value (not a header value), and the RemoteIPHeader continues to preserve any remaining X-Forwarded-For values once the apparent origin IP is not trusted to present an IP address value. Which value, that list consumed, or that list of remaining values would be undefined, if one were foolish enough to write these two distinct values to the same header field.
