I run a system that has a Pound reverse proxy in front of a squid accelerator, in turn in front of Apache2 powering a few PHP-based webapps.
The Pound daemon is configured to send X-Forwarded-For headers to Apache so the aforementioned applications can determine the true source of a message (squid is configured to transparently pass on the X-Forwarded-For headers without modification). However, Pound notates IPv4 addresses in XFF headers like ::ffff:1.2.3.4
instead of simply as 1.2.3.4
, and this throws off the applications.
Aside from modifying each application to correctly handle the ::ffff:1.2.3.4
case, is there a way to either stop Pound from using the IPv6 notation or in Apache to preemptively convert the IPv6 notation back to IPv4 notation?
Best Answer
You should be able to use
mod_headers
to rewrite theX-Forwarded-For
header prior to the php applications seeing it: