I've got mod_rpaf installed to get the user's IP address from the X-Forwarded-For header in PHP, Apache logs, etc.

Unfortunately, it looks like I have to explicitly set which IPs that header will be respected from via the RPAFproxy_ips setting.

Given that ELBs don't have a static IP, how can I tell mod_rpaf to accept the header from any IP, or even any 10.* IP?
Best Answer
You can try to use mod_extract_forwarded instead of mod_rpaf — it supports MEFaccept all (and if you use RHEL/CentOS/other-clone, the package is already in EPEL). One downside of mod_extract_forwarded is that the X-Forwarded-For and Forwarded-For header names are hardcoded and not configurable like in mod_rpaf. There is no support for IP ranges even in mod_extract_forwarded, but you may configure a firewall to allow direct access to Apache only from some IP ranges, or check the MEF_RPROXY_ADDR environment variable in mod_rewrite rules.

After some more thinking about this I found a problem with this mod_extract_forwarded config — while mod_rpaf does not support chains of multiple proxies and takes just the last address from the X-Forwarded-For header, mod_extract_forwarded attempts to support this and uses the last address which does not belong to the trusted proxy list (so that if the request has passed through multiple trusted proxies, the actual client address will be used instead of the second-to-last proxy address). Unfortunately, using MEFaccept all means that mod_extract_forwarded will trust all proxies, therefore if ELB proxies just append their data to the X-Forwarded-For header, and not replace it completely, clients could pass any spoofed IP by sending requests with their own X-Forwarded-For headers.

However, I have found yet another module to parse X-Forwarded-For headers. Recent (unstable) Apache versions have the mod_remoteip module, which apparently supports subnet masks for proxy addresses. There is a backport to Apache 2.2 and a spec file for Fedora; unfortunately, the request to include the package in Fedora is stalled.
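The spoofing problem the answer describes comes down to how the X-Forwarded-For list is walked. The following Python is an added example written for this page, not code from the answer or from any of the Apache modules it mentions: it implements the right-to-left trusted-proxy walk the answer attributes to mod_extract_forwarded (and which a subnet-based trust list such as 10.0.0.0/8 lets you apply), beside the simpler "take the rightmost value" rule attributed to mod_rpaf. The ELB address 10.0.1.5, the client 203.0.113.9 and the spoofed value 198.51.100.1 are constructed sample data; the behaviour on a malformed hop (stop and keep the last good value) and on an all-trusted list (fall back to the leftmost hop) are this example's own choices, not a claim about any module.

```python
"""Trusted-proxy walk over X-Forwarded-For (added example, not from the answer)."""
import ipaddress
from typing import Iterable, List, Optional


def parse_xff(header: str) -> List[str]:
    """Split an X-Forwarded-For value into hops, oldest (left) to newest (right)."""
    return [hop.strip() for hop in header.split(",") if hop.strip()]


class TrustedProxies:
    """Proxy networks whose X-Forwarded-For additions are believed.

    trust_all=True mirrors an 'accept all' setting: every address is a trusted proxy.
    """

    def __init__(self, networks: Iterable[str] = (), trust_all: bool = False):
        self.trust_all = trust_all
        self.networks = [ipaddress.ip_network(n, strict=False) for n in networks]

    def __contains__(self, addr: str) -> bool:
        if self.trust_all:
            return True
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False  # a malformed entry is never a trusted proxy
        return any(ip in net for net in self.networks)


def client_ip(peer_addr: str, xff_header: Optional[str], trusted: TrustedProxies) -> str:
    """Trusted-proxy walk: start at the TCP peer and consume hops right to left.

    Each hop that belongs to a trusted proxy is skipped; the first hop that does
    not is the client. Anything further left was written by an untrusted party
    (for example the client itself) and is ignored.
    """
    if peer_addr not in trusted or not xff_header:
        return peer_addr  # direct connection: the header carries no authority
    current = peer_addr
    for hop in reversed(parse_xff(xff_header)):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed hop (example's choice): stop, keep the last good value
        if hop not in trusted:
            return hop
        current = hop
    return current  # every hop was a trusted proxy: leftmost one wins (example's choice)


def last_hop(peer_addr: str, xff_header: Optional[str], trusted: TrustedProxies) -> str:
    """Rightmost-value rule: from a trusted peer, take only the newest header entry."""
    if peer_addr not in trusted or not xff_header:
        return peer_addr
    hops = parse_xff(xff_header)
    return hops[-1] if hops else peer_addr


# Constructed scenario: the ELB (10.0.1.5) appends the real client 203.0.113.9 to
# a header the client already sent with a forged value, so Apache receives:
ELB_PEER = "10.0.1.5"
SPOOFED_XFF = "198.51.100.1, 203.0.113.9"

ELB_ONLY = TrustedProxies(["10.0.0.0/8"])   # trust only the ELB's address range
ACCEPT_ALL = TrustedProxies(trust_all=True)  # equivalent of trusting every proxy

if __name__ == "__main__":
    print("10/8 trust, walk:   ", client_ip(ELB_PEER, SPOOFED_XFF, ELB_ONLY))
    print("accept-all, walk:   ", client_ip(ELB_PEER, SPOOFED_XFF, ACCEPT_ALL))
    print("10/8 trust, last:   ", last_hop(ELB_PEER, SPOOFED_XFF, ELB_ONLY))
```

With the 10.0.0.0/8 trust list the walk stops at 203.0.113.9, the address the ELB itself appended, and the forged 198.51.100.1 is discarded; with trust-all the walk skips 203.0.113.9 as if it were another proxy and reports the forged address, which is exactly the weakness the answer points out. A request that reaches Apache directly from an untrusted peer gets the peer address regardless of any header it carries, which is why restricting the trusted range (or firewalling direct access, as the answer suggests) is the part that actually matters.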