Hello Robie. I originally reported this issue to Andrey. I will attempt
to provide some additional information for reproducing this bug.

As already stated by Andrey, this issue affects Apache versions prior to
2.4.24 and therefore distributions like Ubuntu 16.04 and Debian 8 seem
to be vulnerable.

In order to reproduce this issue, a simple setup with apache2 as backend
server and nginx as reverse proxy is sufficient. I will provide the
example configuration files.

The apache2 modules remoteip, rewrite and php have to be enabled by
hand.

** Attachment added: "/etc/apache2/sites-enabled/apache-default.conf"
   
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1875299/+attachment/5383082/+files/apache-default.conf

Title:
  Apache's mod_remoteip: IP address spoofing via X-Forwarded-For when
  mod_rewrite rule is triggered