After configuring nginx and apache, the file index.php has to be placed in the document root directory (/var/www/html). This PHP file outputs the value of the variable $_SERVER['REMOTE_ADDR'] which should always carry the client's real IP address and should always contain trustworthy values when being processed by a webserver.
In order to keep this simple, the following IPv4 addresses will be used:

Server IP: 192.168.1.1
Client IP: 192.168.2.2

Now our client wants to access our site by using the following command:

curl http://192.168.1.1/index.php

Output: 192.168.2.2 (As expected, the real IP address of the requesting client)

Let's assume the client accesses an SEO-friendly URL and should be internally redirected to the file index.php. To test this, the following curl command can be used:

curl http://192.168.1.1/seo-friendly-url/

Output: 192.168.2.2 (As expected)

So far so good. Let's assume our client provides the header X-Forwarded-For with an arbitrary IP address:

curl http://192.168.1.1/seo-friendly-url/ -H "X-Forwarded-For: 1.1.1.1"

Output: 1.1.1.1 (Unexpected; should contain the real IP address instead of the header value)

I hope the supplied configuration files and this short explanation can be of help. I am happy to provide additional information if needed.

** Also affects: apache2 (Debian)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu Server/Client Support Team, which is subscribed to apache2 in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/1875299

Title:
  Apache's mod_remoteip: IP address spoofing via X-Forwarded-For when mod_rewrite rule is triggered

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1875299/+subscriptions

-- 
Mailing list: https://launchpad.net/~enterprise-support
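The report above does not include the nginx and Apache configuration files it refers to, so nothing here reproduces the mod_rewrite interaction itself. What the report does illustrate is the general rule for X-Forwarded-For (XFF): the header must only be believed as far as the chain of *trusted* proxies extends, walking from the right-hand end (the entry the nearest trusted proxy appended) and stopping at the first address that is not a trusted proxy. The following Python is an added example written for this page, not code from the bug report, from Apache, or from mod_remoteip. It assumes a setup the report does not spell out: nginx at 127.0.0.1 fronts Apache and appends the peer address to XFF (what nginx's `$proxy_add_x_forwarded_for` does), so for the report's third curl command Apache sees peer 127.0.0.1 and the header `1.1.1.1, 192.168.2.2`. The trust-walk and the naive "take the left-most entry" resolver are shown side by side so the spoofed `1.1.1.1` from the report can be seen coming out of the wrong one.

```python
"""Added example (not part of the bug report): resolving a client address from
X-Forwarded-For with an explicit trusted-proxy list, versus trusting the header
blindly.

Assumed topology (not stated on the page): nginx at 127.0.0.1 proxies to Apache
and appends the TCP peer to XFF. The algorithm below is the standard right-to-left
trust walk, written here for illustration; it is not Apache's mod_remoteip source.
"""
import ipaddress
from typing import List, Optional


def parse_xff(header: Optional[str]) -> List[str]:
    """Split 'a, b, c' into ['a', 'b', 'c']; an absent or empty header gives []."""
    if not header:
        return []
    return [hop.strip() for hop in header.split(",") if hop.strip()]


def resolve_client_ip(remote_addr: str, xff_header: Optional[str],
                      trusted_proxies: List[str]) -> str:
    """Return the client address, trusting XFF only across trusted proxies.

    Start at the TCP peer (remote_addr). While the current address belongs to a
    trusted proxy, take the next hop from the RIGHT end of XFF, i.e. the entry
    that proxy appended. Stop at the first address that is not a trusted proxy:
    that is the client. Everything further left was written by untrusted parties
    and is ignored.
    """
    trusted = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    def is_trusted(addr) -> bool:
        return any(addr in net for net in trusted)

    hops = parse_xff(xff_header)
    client = ipaddress.ip_address(remote_addr)
    while hops and is_trusted(client):
        candidate = hops.pop()           # right-most remaining entry
        try:
            client = ipaddress.ip_address(candidate)
        except ValueError:
            break                        # malformed hop: keep last good address (design choice here)
    return str(client)


def naive_client_ip(remote_addr: str, xff_header: Optional[str]) -> str:
    """What a misconfigured stack effectively does: take the left-most XFF entry.

    The left-most entry is the one the client itself can write, so this is
    spoofable by anyone who sets the header, as with the curl -H in the report.
    """
    hops = parse_xff(xff_header)
    return hops[0] if hops else remote_addr


if __name__ == "__main__":
    PROXY = "127.0.0.1"                  # assumed nginx -> Apache hop
    CLIENT = "192.168.2.2"               # client IP from the report
    header = f"1.1.1.1, {CLIENT}"        # client sent XFF: 1.1.1.1; proxy appended its peer
    print("trust-walk :", resolve_client_ip(PROXY, header, [PROXY]))        # 192.168.2.2
    print("naive      :", naive_client_ip(PROXY, header))                   # 1.1.1.1
    print("trust all  :", resolve_client_ip(PROXY, header, ["0.0.0.0/0"]))  # 1.1.1.1
    print("direct     :", resolve_client_ip(CLIENT, "1.1.1.1", [PROXY]))    # 192.168.2.2
```

Two things the "trust all" and "direct" cases are there to show. First, an over-broad trusted range (here `0.0.0.0/0`, which is what listing every address in `RemoteIPInternalProxy` or `RemoteIPTrustedProxy` amounts to) makes the walk consume the client-supplied entry and yields `1.1.1.1` even with a correct algorithm, so a misconfiguration can look exactly like the bug in the report; checking that those directives list only the real proxy addresses is the first thing to verify when reproducing it. Second, when the peer is not a trusted proxy at all, the header is ignored entirely and `REMOTE_ADDR` stays the TCP peer, which is the "should contain the real IP address" behaviour the report expects.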

