I've been experimenting with Apache mod_proxy and mod_remoteip in order to confirm my understanding of the handling of X-Forwarded-For headers, particularly around how internal IP addresses (e.g. 10.x.x.x or 192.168.x.x ranges) are being handled.
It seems like mod_proxy doesn't always add the internal IP addresses to the X-Forwarded-For header, but I've been unable to find any documentation explaining the expected behavior for this.
As far as I can tell, when the request initiates from an internal IP address, then mod_proxy will add internal IP addresses to the X-Forwarded-For header, but when the initial request comes from a public IP, mod_proxy does not seem to add any internal IP addresses to the X-Forwarded-For.
The Question

My question is: What are the rules that govern whether or not mod_proxy will append the calling IP address to the X-Forwarded-For header?
The documentation on mod_proxy says:

When acting in a reverse-proxy mode (using the ProxyPass directive, for example), mod_proxy_http adds several request headers in order to pass information to the origin server. These headers are:
X-Forwarded-For – The IP address of the client.
X-Forwarded-Host – The original host requested by the client in the Host HTTP request header.
X-Forwarded-Server – The hostname of the proxy server.
Be careful when using these headers on the origin server, since they will contain more than one (comma-separated) value if the original request already contained one of these headers. For example, you can use %{X-Forwarded-For}i in the log format string of the origin server to log the original clients IP address, but you may get more than one address if the request passes through several proxies.

I read this as saying that the client IP address will always be appended to the X-Forwarded-For header, but that's not the behavior I'm observing.
The rest of this question is the tests I've conducted and the behavior I've observed.
The Setup
I've set up two servers, both running Apache with mod_proxy installed. I'll refer to these as One and Two.

  • One has the (internal) IP address
  • Two has the (internal) IP address

One has the below ProxyPass directive so that requests to sub-paths of /proxyToTwo are sent to the equivalent sub-path under /proxyToOne on Two


Two has the following ProxyPass directive so that requests to sub-paths of /proxyToOne are sent back to One but without the /proxyToOne prefix


The effect of this is that when I issue requests to http://One/proxyToTwo/foo it's proxied as follows

  1. One receives the request, issues the following request to Two
  2. Two receives the request, issues the following request back to One
  3. One receives a request for /foo and actually serves the resource

So every request is bounced from One to Two and back to One before being responded to.
Calling with an Internal IP
Using the above setup, I call One from Two using its internal IP address:


The X-Forwarded-For and X-Forwarded-Host headers received when One finally gets the request for the /foo resource is what I expect below:


This is what I expect, that the request was proxied first through One then Two, and the request IP addresses are first the initial request from Two (curl) then the request from One (mod_proxy) and the final request (not in the header because it's the client IP of the connection) being from Two (mod_proxy).
Calling with external IP
The unexpected behavior is that mod_proxy seems to behave differently when called from a public IP. So instead of calling One from Two, I call One from my local machine using the public address


The X-Forwarded-Host is still what I expect:


That is, the request was first proxied through One (using its external address) then through Two.

But the X-Forwarded-For header is showing only my (external) IP address:


This suggests to me that the initial execution of mod_proxy is adding the X-Forwarded-For header with the client IP address. But then the subsequent proxying by Two doesn't append the address of One.
I think this behavior is probably more useful than blindly appending the internal IP addresses to the header, but I can't find it documented anywhere so would like to ensure I fully understand it.

Source: https://themedipia.com
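
The mod_proxy documentation quoted in the question warns that X-Forwarded-For may carry several comma-separated addresses. The following is an added example, not part of the original post and not Apache's code: a Python function that resolves the client address by walking the header right to left past trusted proxies, modelled on the right-to-left processing the mod_remoteip documentation describes. The trusted ranges and all addresses are constructed sample values, and `resolve_client` is a hypothetical name.

```python
import ipaddress

# Constructed trust list: the internal ranges mentioned in the question.
TRUSTED_PROXIES = [ipaddress.ip_network(n)
                   for n in ("10.0.0.0/8", "192.168.0.0/16")]


def is_trusted(addr):
    """True when addr falls inside one of the trusted proxy ranges."""
    return any(addr in net for net in TRUSTED_PROXIES)


def resolve_client(peer_ip, xff_header):
    """Return (client_ip, remaining_header).

    peer_ip is the address of the TCP connection. Header entries are only
    consumed while the address that vouches for them is a trusted proxy,
    so values injected by an untrusted client are never believed.
    """
    client = ipaddress.ip_address(peer_ip)
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    while hops and is_trusted(client):
        try:
            candidate = ipaddress.ip_address(hops[-1])
        except ValueError:
            break  # malformed entry: stop and keep the last good address
        hops.pop()
        client = candidate
    # Whatever is left was never confirmed by a trusted hop.
    return str(client), ", ".join(hops)


if __name__ == "__main__":
    # Constructed cases: (connection peer, X-Forwarded-For value)
    samples = [
        ("10.0.0.2", "203.0.113.7, 10.0.0.1"),                # two internal hops
        ("10.0.0.2", "198.51.100.9, 203.0.113.7, 10.0.0.1"),  # forged first entry
        ("203.0.113.7", "10.0.0.5"),                          # untrusted peer
    ]
    for peer, header in samples:
        print(peer, "|", header, "->", resolve_client(peer, header))
```

An origin server that logs or authorizes on the leftmost header value instead would accept the forged `198.51.100.9` in the second case.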